XML 51 R34.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We have developed processes for assessing, identifying and managing material risks from cybersecurity threats. Our enterprise risk management system incorporates risks from cybersecurity threats alongside other risks to the company. We employ a range of tools and services to inform our assessment, identification and management of material risks from cybersecurity threats, which include from time to time:

monitoring emerging data protection laws and implementing responsive changes to our processes;
undertaking periodic reviews of our policies with customers, partners, and suppliers and statements related to cybersecurity;
conducting cybersecurity management and incident training for employees involved in our systems and
processes that handle sensitive data;
conducting phishing email simulations for employees and contractors with access to corporate email
systems;
requiring employees, as well as third-parties who provide services on our behalf, to treat information and
data with care; and
educating our teams on incident response, conducting tabletop exercises and using the findings to improve our processes and technologies.

We maintain a cybersecurity incident response plan designed to secure the enterprise, mitigate the impact of an incident, restore normal business operations, prevent similar future incidents and comply with applicable regulatory obligations arising from an incident. As part of the above process, we periodically engage with consultants and other third-parties, including annually having a third-party perform penetration testing and review our cybersecurity program to help identify areas for improvement and/or compliance. The Company’s cybersecurity procedures have been developed based on the National Institute of Standards and Technology ("NIST") cybersecurity framework. We also engage with a third-party security operation center to assist in monitoring our cybersecurity risk environment. Our risk management processes also address cybersecurity threat risks associated with our use of third-party service providers.

For a discussion of whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, see “Part I, Item 1A. Risk Factors -- A failure of, or a security breach in a key information technology system or process or other unusual events could compromise our information and expose us to liability, which could adversely affect our business; IT project delays and overruns are possible” which is incorporated by reference into this Item 1C.

As previously disclosed, during the three-month period ending September 30, 2022, the Company became aware of a cyberattack that had been recently made against certain systems within the Company’s network environment. The attack temporarily affected operations and caused delays in execution of sales transactions at some locations. In addition, the Company incurred financial costs to investigate and remediate the incident, some of which was mitigated by insurance. During the incident, the attackers accessed and exfiltrated Company data, including some personally identifying information of certain Company employees. The Company contained the incident, notified affected individuals, and restored operations. The Company put in place remediation measures designed to help prevent future similar attacks and implemented certain other enhancements to its security system.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We have developed processes for assessing, identifying and managing material risks from cybersecurity threats. Our enterprise risk management system incorporates risks from cybersecurity threats alongside other risks to the company. We employ a range of tools and services to inform our assessment, identification and management of material risks from cybersecurity threats, which include from time to time:

monitoring emerging data protection laws and implementing responsive changes to our processes;
undertaking periodic reviews of our policies with customers, partners, and suppliers and statements related to cybersecurity;
conducting cybersecurity management and incident training for employees involved in our systems and
processes that handle sensitive data;
conducting phishing email simulations for employees and contractors with access to corporate email
systems;
requiring employees, as well as third-parties who provide services on our behalf, to treat information and
data with care; and
educating our teams on incident response, conducting tabletop exercises and using the findings to improve our processes and technologies.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Oversight of cybersecurity risk is a joint responsibility of the Board of Directors and the Audit Committee. The Company’s Chief Information Officer (the “CIO”) provides quarterly updates to the Audit Committee and the chair of the Audit Committee regularly updates the Board of Directors on cybersecurity matters potentially impacting the Company. Additionally, the CIO briefs the Board of Directors on information security matters at least annually.
In addition to oversight by the Audit Committee and the Board of Directors, our CIO chairs a Working Council that includes our Chief Financial Officer, Chief Human Resources and Communications Officer and our Chief Legal and Administrative Officer. Our IT organization also includes a Chief Information Security Officer who is responsible for establishing processes as well as management of all cyber security risks and programs to mature our NIST posture. Our CIO has served in this role since 2023 and has more than 30 years of experience in the aggregate in various IT leadership roles. His educational background includes a master’s in business administration in Information Systems from The State University of New York at Albany, and a bachelor’s degree in electrical engineering from Harcourt Butler Technological Institute, Kanpur, India.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Oversight of cybersecurity risk is a joint responsibility of the Board of Directors and the Audit Committee.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Company’s Chief Information Officer (the “CIO”) provides quarterly updates to the Audit Committee and the chair of the Audit Committee regularly updates the Board of Directors on cybersecurity matters potentially impacting the Company. Additionally, the CIO briefs the Board of Directors on information security matters at least annually.
Cybersecurity Risk Role of Management [Text Block]
Oversight of cybersecurity risk is a joint responsibility of the Board of Directors and the Audit Committee. The Company’s Chief Information Officer (the “CIO”) provides quarterly updates to the Audit Committee and the chair of the Audit Committee regularly updates the Board of Directors on cybersecurity matters potentially impacting the Company. Additionally, the CIO briefs the Board of Directors on information security matters at least annually.
In addition to oversight by the Audit Committee and the Board of Directors, our CIO chairs a Working Council that includes our Chief Financial Officer, Chief Human Resources and Communications Officer and our Chief Legal and Administrative Officer. Our IT organization also includes a Chief Information Security Officer who is responsible for establishing processes as well as management of all cyber security risks and programs to mature our NIST posture. Our CIO has served in this role since 2023 and has more than 30 years of experience in the aggregate in various IT leadership roles. His educational background includes a master’s in business administration in Information Systems from The State University of New York at Albany, and a bachelor’s degree in electrical engineering from Harcourt Butler Technological Institute, Kanpur, India.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
Oversight of cybersecurity risk is a joint responsibility of the Board of Directors and the Audit Committee. The Company’s Chief Information Officer (the “CIO”) provides quarterly updates to the Audit Committee and the chair of the Audit Committee regularly updates the Board of Directors on cybersecurity matters potentially impacting the Company. Additionally, the CIO briefs the Board of Directors on information security matters at least annually.
In addition to oversight by the Audit Committee and the Board of Directors, our CIO chairs a Working Council that includes our Chief Financial Officer, Chief Human Resources and Communications Officer and our Chief Legal and Administrative Officer. Our IT organization also includes a Chief Information Security Officer who is responsible for establishing processes as well as management of all cyber security risks and programs to mature our NIST posture.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CIO has served in this role since 2023 and has more than 30 years of experience in the aggregate in various IT leadership roles. His educational background includes a master’s in business administration in Information Systems from The State University of New York at Albany, and a bachelor’s degree in electrical engineering from Harcourt Butler Technological Institute, Kanpur, India.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Oversight of cybersecurity risk is a joint responsibility of the Board of Directors and the Audit Committee. The Company’s Chief Information Officer (the “CIO”) provides quarterly updates to the Audit Committee and the chair of the Audit Committee regularly updates the Board of Directors on cybersecurity matters potentially impacting the Company. Additionally, the CIO briefs the Board of Directors on information security matters at least annually.
In addition to oversight by the Audit Committee and the Board of Directors, our CIO chairs a Working Council that includes our Chief Financial Officer, Chief Human Resources and Communications Officer and our Chief Legal and Administrative Officer. Our IT organization also includes a Chief Information Security Officer who is responsible for establishing processes as well as management of all cyber security risks and programs to mature our NIST posture. Our CIO has served in this role since 2023 and has more than 30 years of experience in the aggregate in various IT leadership roles. His educational background includes a master’s in business administration in Information Systems from The State University of New York at Albany, and a bachelor’s degree in electrical engineering from Harcourt Butler Technological Institute, Kanpur, India.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true