Annual report [Section 13 and 15(d), not S-K Item 405]

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program is integrated within our IT and risk management systems and addresses both the corporate and the operational IT environment.

The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and IT, including the National Institute of Standards and Technology (the “NIST”), the Control Objectives for Information Technologies (“COBIT”) framework and the International Organization for Standardization 27001, Information Security Management System requirements. We have an annual assessment, performed by our internal audit department, of our cyber risk management program against the NIST and COBIT frameworks.

 Our information security practices include development, implementation, and improvement of policies and procedures to safeguard information and ensure availability of critical data and systems. We have adopted a Cybersecurity Incident Response Plan that applies if a security event occurs. Our Incident Response Plan provides a common framework for responding to security incidents. This framework establishes procedures for identifying, validating, categorizing, documenting, and responding to security events that are identified by or reported to the Chief Information Officer (“CIO”). Our Incident Response Plan applies to our personnel including contractors and partners that perform functions or services that require securing our information assets, and to all devices and networks that we own. The Incident Response Plan details the coordinated, multi-functional approach for investigating, containing, and mitigating incidents. Under our Incident Response Plan, cybersecurity incidents are escalated based on a defined incident categorization to the CIO and the General Counsel. Regular updates are provided by the Cybersecurity team to the CIO, who will maintain communication and information flow to senior leadership including the General Counsel, Chief Financial Officer, and other cybersecurity program stakeholders as well as the Audit Committee and/or the Board of Directors as appropriate. Generally, our incident response process follows the National Institute of Standards and Technology (NIST) framework and focuses on preparation; detection and analysis; containment, eradication, recovery and post-incident remediation.

Our CIO leads the information security organization which oversees the identification and management of information security risks. Our CIO has extensive information security and risk management experience in Information and Operational technology and holds the following information security certifications:

Certified Information Systems Security Professional (CISSP);
Certified Information Systems Auditor (CISA); and
Certified Risk and Information Systems Control (CRISC).

Our CIO is a member of InfraGard, ISC2 and ISACA and serves as Adjunct Professor of Cyber Security at Lone Star College and San Jacinto College.

We conduct mandatory security training during new employee onboarding, as well as require our employees to complete annual security risk training and, when necessary, perform additional updated training. We also engage certain third parties in assessing, identifying and managing cybersecurity risks. These third parties perform a number of services, including managed detection and response services for information technology endpoints, anti-virus monitoring, penetration testing, and other miscellaneous cybersecurity programs and services. We maintain specific policies and practices governing our third-party security risks, including our third-party assessment process. Under our third-party assessment process, we gather information from certain third parties who contract with us and share or receive data, or have access to or integrate with our systems, in order to help us assess potential risks associated with their security controls. We require each third-party service provider to certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect us.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program is integrated within our IT and risk management systems and addresses both the corporate and the operational IT environment.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The Audit Committee of our board of directors oversees our cybersecurity policies, procedures, risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. Our executive management, including our Vice President and Chief Information Officer, periodically updates and reports to the Audit Committee and the board of directors regarding cybersecurity risk exposure and our cybersecurity risk management strategy (at a minimum, once per quarter). Additionally, all members of the board of directors attend quarterly training sessions through internal and external IT specialists, which include review of IT whitepapers, presentations, and other learning materials. Each of the members of the board of directors has also completed certificated training concerning IT security, IT fraud, and other common enterprise-level IT threats.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our executive management, including our Vice President and Chief Information Officer, periodically updates and reports to the Audit Committee and the board of directors regarding cybersecurity risk exposure and our cybersecurity risk management strategy (at a minimum, once per quarter).
Cybersecurity Risk Role of Management [Text Block]

 Our information security practices include development, implementation, and improvement of policies and procedures to safeguard information and ensure availability of critical data and systems. We have adopted a Cybersecurity Incident Response Plan that applies if a security event occurs. Our Incident Response Plan provides a common framework for responding to security incidents. This framework establishes procedures for identifying, validating, categorizing, documenting, and responding to security events that are identified by or reported to the Chief Information Officer (“CIO”). Our Incident Response Plan applies to our personnel including contractors and partners that perform functions or services that require securing our information assets, and to all devices and networks that we own. The Incident Response Plan details the coordinated, multi-functional approach for investigating, containing, and mitigating incidents. Under our Incident Response Plan, cybersecurity incidents are escalated based on a defined incident categorization to the CIO and the General Counsel. Regular updates are provided by the Cybersecurity team to the CIO, who will maintain communication and information flow to senior leadership including the General Counsel, Chief Financial Officer, and other cybersecurity program stakeholders as well as the Audit Committee and/or the Board of Directors as appropriate. Generally, our incident response process follows the National Institute of Standards and Technology (NIST) framework and focuses on preparation; detection and analysis; containment, eradication, recovery and post-incident remediation.

Our CIO leads the information security organization which oversees the identification and management of information security risks. Our CIO has extensive information security and risk management experience in Information and Operational technology and holds the following information security certifications:

Certified Information Systems Security Professional (CISSP);
Certified Information Systems Auditor (CISA); and
Certified Risk and Information Systems Control (CRISC).

Our CIO is a member of InfraGard, ISC2 and ISACA and serves as Adjunct Professor of Cyber Security at Lone Star College and San Jacinto College.

We conduct mandatory security training during new employee onboarding, as well as require our employees to complete annual security risk training and, when necessary, perform additional updated training. We also engage certain third parties in assessing, identifying and managing cybersecurity risks. These third parties perform a number of services, including managed detection and response services for information technology endpoints, anti-virus monitoring, penetration testing, and other miscellaneous cybersecurity programs and services. We maintain specific policies and practices governing our third-party security risks, including our third-party assessment process. Under our third-party assessment process, we gather information from certain third parties who contract with us and share or receive data, or have access to or integrate with our systems, in order to help us assess potential risks associated with their security controls. We require each third-party service provider to certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect us.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Chief Information Officer (“CIO”)
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Our CIO leads the information security organization which oversees the identification and management of information security risks. Our CIO has extensive information security and risk management experience in Information and Operational technology and holds the following information security certifications:

Certified Information Systems Security Professional (CISSP);
Certified Information Systems Auditor (CISA); and
Certified Risk and Information Systems Control (CRISC).

Our CIO is a member of InfraGard, ISC2 and ISACA and serves as Adjunct Professor of Cyber Security at Lone Star College and San Jacinto College.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Regular updates are provided by the Cybersecurity team to the CIO, who will maintain communication and information flow to senior leadership including the General Counsel, Chief Financial Officer, and other cybersecurity program stakeholders as well as the Audit Committee and/or the Board of Directors as appropriate.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true