Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
|---|---|
Dec. 31, 2024 | |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
We recognize the importance of identifying, assessing, and managing material risks associated with cybersecurity threats. We invest in cybersecurity to protect intellectual property, customer and employee data, manage reputational risk, and maintain business continuity across our environment. We strive to ensure ongoing compliance with the requirements under applicable standards including the Payment Card Industry Data Security Standards and relevant data privacy and protection laws and regulations. Additionally, our teams reference the standards, guidelines, and practices from the NIST Cybersecurity Framework (CSF) to align our cybersecurity program and risk management practices.
The foundation of our cybersecurity framework is based on written policies that govern different cybersecurity process areas.
Identifying and assessing cybersecurity risk is part of our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a combination of third party assessments, IT Security Risk reviews, external audits and assessments, penetration tests, vulnerability scans, security monitoring activities and recurring review from our internal cybersecurity working group. We respond to cybersecurity incidents and address identified cybersecurity risks through our internal cybersecurity working group and report any material findings and incidents to the audit committee of our board of directors.
The cybersecurity incident response process is governed by our Incident Response Plan (“IRP”) and overseen by leaders from our IT security and legal teams. The IRP guides how security events are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact and reviewed for privacy impact.
We also conduct tabletop exercises annually, to simulate responses to cybersecurity incidents and ensure accuracy and continuous improvement of the incident response plan. Our team of cybersecurity professionals then collaborate with other stakeholders across our organization to further analyze the risk to the Company and form detection, mitigation and remediation strategies.
We are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, we cannot provide assurance that we will not be materially affected in the future by such risks or any future material incidents.
Leveraging our cybersecurity risk management processes, cybersecurity risk factors were identified, which are inherent to our business and industry. The risk factors discussed in this section should be considered together with information included elsewhere in this Annual Report on Form 10-K and should not be considered the only risks to which we are exposed. Additionally, mitigation of these risk factors is tracked by management as part of our cybersecurity maturity roadmap.
•Disruptions in the Company’s supply chain could result in an adverse impact on results of operations.
•Network compromise or equipment sabotage could impact the operations of the fulfillment center sites which could impact the revenue.
•Cybersecurity incidents, including breaches of confidential information, sensitive data, personal information, or intellectual property could damage the company’s reputation, disrupt operations, increase costs, and impact revenues.
As part of the above processes, we regularly engage external advisors and consultants to assess our internal cybersecurity programs and compliance with applicable regulatory requirements and industry standards. Our external advisors also act as an extension of our teams to support on daily related security activities, by working closely with our Chief Information Officer and the leader of IT Operations.
Our cybersecurity risk management program evaluates the risk associated when selecting third-party service providers. In addition to new vendor onboarding, critical vendors are reviewed annually to ensure we understand their cybersecurity posture, and their responsibility in protecting our assets appropriately.
As of the date of this filing, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to
materially affect us, including our operations, business strategy, results of operations, or financial condition. For additional information, see Part I, Item 1A, Risk Factors-Risks Related to Our Business.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] |
Identifying and assessing cybersecurity risk is part of our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a combination of third party assessments, IT Security Risk reviews, external audits and assessments, penetration tests, vulnerability scans, security monitoring activities and recurring review from our internal cybersecurity working group. We respond to cybersecurity incidents and address identified cybersecurity risks through our internal cybersecurity working group and report any material findings and incidents to the audit committee of our board of directors.
The cybersecurity incident response process is governed by our Incident Response Plan (“IRP”) and overseen by leaders from our IT security and legal teams. The IRP guides how security events are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact and reviewed for privacy impact.
We also conduct tabletop exercises annually, to simulate responses to cybersecurity incidents and ensure accuracy and continuous improvement of the incident response plan. Our team of cybersecurity professionals then collaborate with other stakeholders across our organization to further analyze the risk to the Company and form detection, mitigation and remediation strategies.
|
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] |
Cybersecurity is an area of focus for our board of directors, audit committee, and management. As part of our board of directors’ overall responsibility for oversight of management’s general risk identification and management activities, the audit committee of our board of directors is responsible for the oversight of risks from cybersecurity threats. Members of the audit committee review and discuss with management and our auditors quarterly the Company’s cybersecurity risks and the steps that management has taken to protect against threats to the Company’s information systems and security and review risk and mitigation steps taken by management related to data privacy.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | As part of our board of directors’ overall responsibility for oversight of management’s general risk identification and management activities, the audit committee of our board of directors is responsible for the oversight of risks from cybersecurity threats |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | Members of the audit committee review and discuss with management and our auditors quarterly the Company’s cybersecurity risks and the steps that management has taken to protect against threats to the Company’s information systems and security and review risk and mitigation steps taken by management related to data privacy. |
| Cybersecurity Risk Role of Management [Text Block] |
Our cybersecurity risk management and strategy processes are overseen by leaders from our IT Security, external advisors, and legal teams. These individuals are informed about, and monitor the identification, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] |
Our cybersecurity risk management and strategy processes are overseen by leaders from our IT Security, external advisors, and legal teams. These individuals are informed about, and monitor the identification, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above.
|
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Members of the audit committee review and discuss with management and our auditors quarterly the Company’s cybersecurity risks and the steps that management has taken to protect against threats to the Company’s information systems and security and review risk and mitigation steps taken by management related to data privacy. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | We respond to cybersecurity incidents and address identified cybersecurity risks through our internal cybersecurity working group and report any material findings and incidents to the audit committee of our board of directors. The cybersecurity incident response process is governed by our Incident Response Plan (“IRP”) and overseen by leaders from our IT security and legal teams. The IRP guides how security events are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact and reviewed for privacy impact.
We also conduct tabletop exercises annually, to simulate responses to cybersecurity incidents and ensure accuracy and continuous improvement of the incident response plan. Our team of cybersecurity professionals then collaborate with other stakeholders across our organization to further analyze the risk to the Company and form detection, mitigation and remediation strategies.
|
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |