XML 25 R8.htm IDEA: XBRL DOCUMENT v3.25.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] Cybersecurity Risk Management and Strategy

 

We have developed and implemented a cybersecurity risk management program aimed at safeguarding the confidentiality, integrity, and availability of our critical systems and information.

Our approach to cybersecurity is based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the International Organization for Standardization 27005 (ISO/IEC 27005:2022). It is important to note that while we reference these frameworks, that does not imply strict adherence to specific technical standards, specifications, or requirements. Instead, we use the NIST CSF and ISO 27005:2022 as guiding principles to identify, assess, and manage cybersecurity risks relevant to our business.

Moreover, our cybersecurity risk management program integrates into our broader enterprise risk management framework through shared methodologies, reporting channels and governance processes.

With our cybersecurity risk management program, several key components include the following:

·Risk assessments: Assessments are conducted to identify and prioritize significant cybersecurity risks to our critical systems and information.
·Dedicated security team: A specialized security team oversees the risk assessment processes, manages security controls, and orchestrates responses to cybersecurity incidents.
·Utilization of external service providers: We engage external service providers as we deem appropriate to help augment our capabilities, leveraging their expertise to assess, test, or bolster various aspects of our security controls.
·Cybersecurity awareness training: Through training initiatives, we seek to empower our employees and incident response personnel with the knowledge and skills to recognize and respond to cyber threats.
·Cybersecurity Incident Response Plan: Our response plan outlines processes for addressing cybersecurity incidents, minimizing disruptions and mitigating potential impacts.
·Third-Party Risk: We seek to assess risk and to obtain cybersecurity-related contractual commitments from critical service providers where possible.

For the Company, cybersecurity risk management is not merely a compliance exercise but viewed as important to our operational ethos. As technology evolves and threats evolve with it, we remain committed to working to enhance the security and resiliency of our organization. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors—Cyber-attacks or other cyber-incidents involving our IT Systems and Confidential Information could have an adverse effect on our business, results of operations, or financial condition.”
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We have developed and implemented a cybersecurity risk management program aimed at safeguarding the confidentiality, integrity, and availability of our critical systems and information.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Cybersecurity Risk Board of Directors Oversight [Text Block] Cybersecurity Governance

 

Cybersecurity risk is part of our overall risk oversight function. The board of directors has entrusted the audit committee with the oversight of cybersecurity and other information technology risks.

The audit committee, oversees the implementation of our cybersecurity risk management program, supported by our Technology & Transformation Senior Director and the IT and Cybersecurity Working Group. This multidisciplinary group is comprised of executive management members as well as key leaders from internal audit, risk evaluation, financial planning, compliance, IT, and technology domains, alongside external advisors.

Quarterly reports from the IT and Cybersecurity Working Group provide the audit committee with assessments of our cybersecurity risks and risk remediation and management initiatives. Additionally, management updates the audit committee on significant cybersecurity incidents.

Continuing education remains a cornerstone of our governance approach, with the audit committee receiving briefings on cybersecurity topics from our Technology & Transformation Senior Director, internal security staff, or external experts.

Key strategic and operational initiatives are led by our Technology & Transformation Senior Director, the IT senior manager, the senior transformation manager, the IT internal control manager, and the IT security manager who are primarily responsible for assessing and managing cybersecurity risks. These individuals are skilled in risk management, data safety, control design, and cybersecurity operations management. Our Technology & Transformation Senior Director has over 30 years of experience in control areas, risk management and compliance including the last four years focused on IT, cybersecurity and digital transformation. Our IT senior manager has over 30 years of experience in IT management with a background in infrastructure, support and administration of mission-critical systems. Our Senior Transformation Manager has over 24 years of experience spearheading transformation initiatives focused on business processes and needs. Finally, our IT Internal Control Manager has over 24 years of experience in IT and cybersecurity controls, risk management and regulatory compliance.

In addition, various operational cybersecurity team members hold certifications in ISO27000, CISA, CISM, among others, and complement this expertise with specialized training and proficiency in risk management and cybersecurity. Together, they remain vigilant and informed, leveraging threat intelligence, external consultations, and advanced security tools to prevent, detect, and respond to cybersecurity risks and incidents effectively.

Our operational cybersecurity team members are vital to helping management members (as well as the IT and Cybersecurity Working Group), stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the IT environment.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Cybersecurity risk is part of our overall risk oversight function. The board of directors has entrusted the audit committee with the oversight of cybersecurity and other information technology risks.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The audit committee, oversees the implementation of our cybersecurity risk management program, supported by our Technology & Transformation Senior Director and the IT and Cybersecurity Working Group.
Cybersecurity Risk Role of Management [Text Block] This multidisciplinary group is comprised of executive management members as well as key leaders from internal audit, risk evaluation, financial planning, compliance, IT, and technology domains, alongside external advisors.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Quarterly reports from the IT and Cybersecurity Working Group provide the audit committee with assessments of our cybersecurity risks and risk remediation and management initiatives.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Additionally, management updates the audit committee on significant cybersecurity incidents.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] In addition, various operational cybersecurity team members hold certifications in ISO27000, CISA, CISM, among others, and complement this expertise with specialized training and proficiency in risk management and cybersecurity.