Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Dec. 31, 2024 |
---|---|
Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | As part of our broader approach to risk management, our cybersecurity program is designed to follow an “identify, protect, detect, respond and recover” approach to cybersecurity that is based off of the National Institute of Standards and Technology Cybersecurity Framework (“CSF”). Our strategy also includes segmentation of corporate and operations networks, defense in depth and the least privileged access principle. Operational networks have fundamentally distinct safety and reliability standards and pose unique threats in comparison to information technology networks. Realizing these differences, we routinely evaluate opportunities to refine our cybersecurity program in order to mitigate operational network risks. We include business continuity planning as a component of our strategy to help ensure critical systems are available to support our company in the instance of a disruptive event. We also participate in various industry organizations to stay abreast of recent trends and developments. On an ongoing basis, we assess our people, processes and technology and, when necessary, adjust the overall program in an effort to adapt to the ever-evolving cyber and geopolitical landscapes. We conduct regular assessments and audits, cross-functional risk mitigation exercises and risk strategy sessions to identify cybersecurity risks, applicable regulatory requirements and industry standards. These engagements are also designed to exercise, assess the maturity of and enhance our Cyber Incident Response Plan. To support these efforts, we have contracted with third parties to perform facility and system penetration tests, compromise assessments of information technology systems and security maturity assessments of our corporate and operational networks. We maintain a training program to help our personnel identify and assist in mitigating cybersecurity and data security risks. Our employees and Board members participate in annual training, user awareness campaigns and additional issue-specific training as needed. We also provide annual training for certain contractors who have access to our information technology networks. With respect to third party service providers, our information security program includes conducting risk-based due diligence of certain service providers’ information security programs prior to onboarding. We seek to contractually require third party service providers with access to our information technology systems, sensitive business data or personal information to maintain reasonable security controls and restrict their ability to use our data, including personal information, for purposes other than to provide services to us, except as required by applicable law. We also seek to negotiate contractual requirements which compel our service providers to notify us of information security incidents occurring on their systems which may affect our systems or data, including personal information. |
Cybersecurity Risk Management Processes Integrated [Flag] | true |
Cybersecurity Risk Management Processes Integrated [Text Block] | Risks that could affect us are an integral part of our Board and Audit Committee deliberations throughout the year. Cybersecurity risks are integrated into our enterprise risk assessment process, which is reviewed by our Board at least annually. |
Cybersecurity Risk Management Third Party Engaged [Flag] | true |
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
Cybersecurity Risk Board of Directors Oversight [Text Block] | Our cybersecurity leadership team consists of our Director and Chief Information Security Officer, Vice President and Chief Information Officer and Senior Vice President of Shared Services. These individuals collectively provide the strategic oversight of our cybersecurity governance, cyber risk management and security operations and are responsible for maintaining our technology defense posture and program. As part of their governance and risk management responsibilities, these individuals oversee the efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents, including the systems deployed in our technology infrastructure to monitor for threats, perform security control testing and assessments, and incorporate threat intelligence into our day-to-day cybersecurity operations and strategic initiatives. They have decades of experience managing strategic technology operations, including the identification of cybersecurity risk and the defense of information technology assets from global threats. Risks that could affect us are an integral part of our Board and Audit Committee deliberations throughout the year. Cybersecurity risks are integrated into our enterprise risk assessment process, which is reviewed by our Board at least annually. Our Board has oversight responsibility for assessing the primary risks facing us (including cybersecurity risks), the relative magnitude of these risks and management’s plan for mitigating these risks, while the Audit Committee has been delegated the authority to oversee and periodically review the security of our information technology systems and controls, including programs and defenses against cybersecurity threats. The Audit Committee discusses with management our cybersecurity risk exposures and the steps management has taken to mitigate such exposures, including our risk assessment and risk management policies. On a quarterly basis, our cybersecurity leadership team updates the Audit Committee on the overall status of our cybersecurity program, key operational metrics, current assessments, cybersecurity issues or events and pertinent events related to cybersecurity. |
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Our Board has oversight responsibility for assessing the primary risks facing us (including cybersecurity risks), the relative magnitude of these risks and management’s plan for mitigating these risks, while the Audit Committee has been delegated the authority to oversee and periodically review the security of our information technology systems and controls, including programs and defenses against cybersecurity threats. The Audit Committee discusses with management our cybersecurity risk exposures and the steps management has taken to mitigate such exposures, including our risk assessment and risk management policies. |
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | On a quarterly basis, our cybersecurity leadership team updates the Audit Committee on the overall status of our cybersecurity program, key operational metrics, current assessments, cybersecurity issues or events and pertinent events related to cybersecurity. |
Cybersecurity Risk Role of Management [Text Block] | These individuals collectively provide the strategic oversight of our cybersecurity governance, cyber risk management and security operations and are responsible for maintaining our technology defense posture and program. As part of their governance and risk management responsibilities, these individuals oversee the efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents, including the systems deployed in our technology infrastructure to monitor for threats, perform security control testing and assessments, and incorporate threat intelligence into our day-to-day cybersecurity operations and strategic initiatives. |
Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Our cybersecurity leadership team consists of our Director and Chief Information Security Officer, Vice President and Chief Information Officer and Senior Vice President of Shared Services. |
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | They have decades of experience managing strategic technology operations, including the identification of cybersecurity risk and the defense of information technology assets from global threats. |
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | We conduct regular assessments and audits, cross-functional risk mitigation exercises and risk strategy sessions to identify cybersecurity risks, applicable regulatory requirements and industry standards. These engagements are also designed to exercise, assess the maturity of and enhance our Cyber Incident Response Plan. |
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |