Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Dec. 31, 2024 |
---|---|
Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
The Company has security incident response policies and procedures for identifying, assessing, and managing material risks arising from cybersecurity incidents, including those arising from third-party service providers. The Company’s Chief Information Security Officer (“CISO”), who has over 30 years of experience in information technology and information security and has several industry certifications, including CISSP, CCSP, CISM, CRISC, and CIPP, is the executive primarily responsible for managing cybersecurity risks. The CISO assesses cybersecurity incidents and classifies them by severity level in accordance with the Company’s Security Incident Guidelines, which determine how each cybersecurity incident is managed and communicated. The Company uses both internal and external resources to assess risk and manage its IT and 24x7 cybersecurity operations, including managed service providers who assist in the support of key business systems. The Company may also periodically engage external consultants to assist with cybersecurity incident management, particularly where advanced or specialized expertise may be required. The Company’s Incident Response and Breach Notification Policy outlines the procedures that the Company follows for evaluation and recovery from an incident, including containment of the affected systems, to restore our systems to normal operations. To date, the Company has not had a cybersecurity event that materially impacted or is reasonably likely to materially affect its business strategy, results of operations, financial condition, or the security of its proprietary data.
The Company has assigned responsibility for Board oversight of cybersecurity risk to the Audit Committee, which monitors the cybersecurity risk management and cyber control functions, including external security audits, and receives periodic updates from experienced senior management, including the CISO, knowledgeable about assessing and managing cyber risks, including, as appropriate, updates on the prevention, detection, mitigation, and remediation of cyber incidents.
Cybersecurity incidents that significantly impact the confidentiality, integrity, or availability of Company data or the reliability of the Company system or network are reported to certain members of the Company’s Executive Leadership Team, including the Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, Chief Administrative Officer, and Chief Information Officer, for assessment of the materiality of the incident, which will be made using both quantitative and qualitative analyses to determine an incident’s immediate and reasonably likely future impacts. Such cybersecurity incidents are also reported to the Audit Committee. Cybersecurity incidents that moderately impact the confidentiality, integrity, or availability of Company data or the reliability of the Company systems or networks are reported to the Security Incident Response Team, for assessment of the materiality of the incident.
Our privacy compliance and digital risk management initiatives focus on the threats and risks to enterprise information and the underlying IT systems processing such information as part of the implementation of business processes. We have also implemented policies and procedures for the assessment, identification, and management of material risks from cybersecurity threats, including internal training, system controls, and monitoring and audit processes to protect the Company from internal and external vulnerabilities and to comply with consumer privacy laws in the areas in which we operate. Further, we limit retention of certain data, encrypt certain data and otherwise protect information to comply with consumer privacy laws in the areas in which we operate. The Company also has a cross-functional group of representatives from several departments that comprise the Cybersecurity and Privacy Committee, which meets and discusses information at least quarterly related to cybersecurity and privacy compliance at the Company, including training, policies, and trends. We also rely on, among other things, commercially available third parties including vendors, cybersecurity protection systems, software, tools and monitoring to provide security for processing, transmission and storage of protected information and data. The systems currently used for transmission and approval of payment card transactions, and the technology utilized in payment cards themselves, all of which can put payment card data at risk, meet standards set by the payment card industry.
The Company has a global cybersecurity training program that requires all employees with access to the Company networks to participate in regular and mandatory training on how to be aware of, and help defend against, cybersecurity risks. Also, the Company regularly tests the efficacy of its training efforts as well as its systems to assess vulnerabilities to cybersecurity risks, including tabletop incident response exercises.
Annually the Company conducts an Enterprise Risk Assessment during which management identifies and quantifies risks, including cybersecurity risks, that could enhance or impede the Company’s ability to achieve current or future strategic objectives. The conclusions of the annual Enterprise Risk Assessment are shared with the Audit Committee. The CISO also reviews with the Audit Committee the strategy, priorities, and goals of the cybersecurity program.
|
Cybersecurity Risk Management Processes Integrated [Flag] | true |
Cybersecurity Risk Management Processes Integrated [Text Block] | Cybersecurity incidents that significantly impact the confidentiality, integrity, or availability of Company data or the reliability of the Company system or network are reported to certain members of the Company’s Executive Leadership Team, including the Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, Chief Administrative Officer, and Chief Information Officer, for assessment of the materiality of the incident, which will be made using both quantitative and qualitative analyses to determine an incident’s immediate and reasonably likely future impacts. Such cybersecurity incidents are also reported to the Audit Committee. Cybersecurity incidents that moderately impact the confidentiality, integrity, or availability of Company data or the reliability of the Company systems or networks are reported to the Security Incident Response Team, for assessment of the materiality of the incident. |
Cybersecurity Risk Management Third Party Engaged [Flag] | true |
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
Cybersecurity Risk Board of Directors Oversight [Text Block] |
Cybersecurity incidents that significantly impact the confidentiality, integrity, or availability of Company data or the reliability of the Company system or network are reported to certain members of the Company’s Executive Leadership Team, including the Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, Chief Administrative Officer, and Chief Information Officer, for assessment of the materiality of the incident, which will be made using both quantitative and qualitative analyses to determine an incident’s immediate and reasonably likely future impacts. Such cybersecurity incidents are also reported to the Audit Committee. Cybersecurity incidents that moderately impact the confidentiality, integrity, or availability of Company data or the reliability of the Company systems or networks are reported to the Security Incident Response Team, for assessment of the materiality of the incident.
Our privacy compliance and digital risk management initiatives focus on the threats and risks to enterprise information and the underlying IT systems processing such information as part of the implementation of business processes. We have also implemented policies and procedures for the assessment, identification, and management of material risks from cybersecurity threats, including internal training, system controls, and monitoring and audit processes to protect the Company from internal and external vulnerabilities and to comply with consumer privacy laws in the areas in which we operate. Further, we limit retention of certain data, encrypt certain data and otherwise protect information to comply with consumer privacy laws in the areas in which we operate. The Company also has a cross-functional group of representatives from several departments that comprise the Cybersecurity and Privacy Committee, which meets and discusses information at least quarterly related to cybersecurity and privacy compliance at the Company, including training, policies, and trends. We also rely on, among other things, commercially available third parties including vendors, cybersecurity protection systems, software, tools and monitoring to provide security for processing, transmission and storage of protected information and data. The systems currently used for transmission and approval of payment card transactions, and the technology utilized in payment cards themselves, all of which can put payment card data at risk, meet standards set by the payment card industry.
The Company has a global cybersecurity training program that requires all employees with access to the Company networks to participate in regular and mandatory training on how to be aware of, and help defend against, cybersecurity risks. Also, the Company regularly tests the efficacy of its training efforts as well as its systems to assess vulnerabilities to cybersecurity risks, including tabletop incident response exercises.
Annually the Company conducts an Enterprise Risk Assessment during which management identifies and quantifies risks, including cybersecurity risks, that could enhance or impede the Company’s ability to achieve current or future strategic objectives. The conclusions of the annual Enterprise Risk Assessment are shared with the Audit Committee. The CISO also reviews with the Audit Committee the strategy, priorities, and goals of the cybersecurity program.
|
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Company’s Chief Information Security Officer (“CISO”), who has over 30 years of experience in information technology and information security and has several industry certifications, including CISSP, CCSP, CISM, CRISC, and CIPP, is the executive primarily responsible for managing cybersecurity risks |
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The CISO assesses cybersecurity incidents and classifies them by severity level in accordance with the Company’s Security Incident Guidelines, which determine how each cybersecurity incident is managed and communicated. The Company uses both internal and external resources to assess risk and manage its IT and 24x7 cybersecurity operations, including managed service providers who assist in the support of key business systems. The Company may also periodically engage external consultants to assist with cybersecurity incident management, particularly where advanced or specialized expertise may be required. The Company’s Incident Response and Breach Notification Policy outlines the procedures that the Company follows for evaluation and recovery from an incident, including containment of the affected systems, to restore our systems to normal operations |
Cybersecurity Risk Role of Management [Text Block] | The Company has a global cybersecurity training program that requires all employees with access to the Company networks to participate in regular and mandatory training on how to be aware of, and help defend against, cybersecurity risks. Also, the Company regularly tests the efficacy of its training efforts as well as its systems to assess vulnerabilities to cybersecurity risks, including tabletop incident response exercises. |
Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] |
Annually the Company conducts an Enterprise Risk Assessment during which management identifies and quantifies risks, including cybersecurity risks, that could enhance or impede the Company’s ability to achieve current or future strategic objectives. The conclusions of the annual Enterprise Risk Assessment are shared with the Audit Committee. The CISO also reviews with the Audit Committee the strategy, priorities, and goals of the cybersecurity program.
|
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | The Company’s Chief Information Security Officer (“CISO”), who has over 30 years of experience in information technology and information security and has several industry certifications, including CISSP, CCSP, CISM, CRISC, and CIPP, is the executive primarily responsible for managing cybersecurity risks. The CISO assesses cybersecurity incidents and classifies them by severity level in accordance with the Company’s Security Incident Guidelines, which determine how each cybersecurity incident is managed and communicated. |
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] |
Annually the Company conducts an Enterprise Risk Assessment during which management identifies and quantifies risks, including cybersecurity risks, that could enhance or impede the Company’s ability to achieve current or future strategic objectives. The conclusions of the annual Enterprise Risk Assessment are shared with the Audit Committee. The CISO also reviews with the Audit Committee the strategy, priorities, and goals of the cybersecurity program.
|
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |