2024 ESG Report FINAL - Report - Page 74
Cybersecurity
We take an enterprise approach to information security
risk management and governance. Our information
security program and framework comprise processes,
policies, practices, systems and technologies that are
designed to identify, assess, prioritize, manage and
monitor risks to our information systems, including
risks from cybersecurity threats and events and
risks associated with the use of third-party service
providers.
Our established recovery approach is designed
to provide for the ready availability and use of our
business-critical processes in the event of any
downtime, disaster or outages. We also seek to identify
and mitigate the risks associated with the use of
third-party service providers through the review of
their security programs prior to our engagement.
Additionally, our control environment and internal
audit process bring a systematic, disciplined approach
to evaluate our risk management, control and
governance processes concerning cybersecurity and
our information security framework.
We have a cybersecurity Incident Response Plan
(IRP) that sets forth a process to obtain information,
coordinate activities, assess results and communicate
applicable developments to our employees, law
enforcement, other external parties and agencies
and our Board. The IRP includes the following major
components: preparation, detection and analysis,
containment, eradication, notification, recovery,
reporting and lessons learned. Specific incident
response playbooks have also been prepared for data
breaches, malware, unauthorized remote access and
ransomware, which include applicable legal protocols.
We have also retained certain third-party experts to
assist us with various aspects of incident assessment
and response in the event those services become
necessary or useful.
Typically, we:
1. Perform periodic tabletop exercises with a
company-wide cross-functional team that
is facilitated by a third-party expert and
is intended to simulate a real-life security
incident.
2. Conduct penetration testing as needed and
annually conduct Payment Card Industry Data
Security Standard testing and firewall reviews,
and have periodically engaged a third-party
expert to help therewith.
3. Hold annual cybersecurity awareness
trainings.
4. Periodically engage a third-party expert to
conduct a review of our information security
framework, which helps to identify existing and
emerging risks, and mitigate against such risks.
These internal efforts and external third-party reviews
also support our ability to regularly assess our
information security program and framework against
emerging risks, market and industry developments
and provide opportunities to make adjustments or
enhancements when deemed prudent or necessary.
To date, there have been no cybersecurity
incidents that have materially affected us,
or that are reasonably likely to materially
affect us, including our business strategy,
financial condition or results of operations.