Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
---|---|
Dec. 31, 2024 | |
Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
Cyber Risk Management and Strategy
Overview
We employ a risk-based approach to cybersecurity which aligns with our corporate strategy, risk management and governance, and adaptable information technology (“IT”) infrastructure. Our cybersecurity program consists of policies, procedures, systems, controls and technology designed to help prevent, identify, detect and mitigate cybersecurity risk and is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity framework.
Collaboration
We have integrated cybersecurity risk management into our overall risk management framework by (i) maintaining disaster recovery, business continuity and security incident recovery plans, (ii) conducting annual enterprise and IT risk assessments, (iii) implementing periodic key risk indicator tracking, and (iv) holding regular cross-departmental meetings to address cybersecurity risks.
Risk Assessment
Our risk management activities and cybersecurity strategy include IT policies, standards, procedures and systems to address and mitigate risks for critical system availability, network integrity, information protection, and operational continuity.
We perform vulnerability and threat monitoring mitigation activities on a regular basis and perform a cybersecurity risk assessment at least annually. Our cybersecurity risk assessment program includes the following assessments and activities:
• ensure program alignment with the NIST Cybersecurity framework; and,
• prioritize, remediate and ensure effectiveness of critical applications, infrastructure, and information.
We regularly collaborate with the Company’s internal audit department and third parties with security and infrastructure expertise for review and evaluation of the Company’s cybersecurity risk program and the associated IT control environment. We engage third-party service providers to perform annual external and internal penetration testing, disaster recovery testing, and security incident simulations.
Infrastructure: Network and Physical Security
Our IT infrastructure is secured and continually monitored using a number of tools to effect physical and logical security. We strictly regulate and limit access to servers and networks. Network access is controlled by the network firewall and restricted by stringent access control lists. We also employ (i) network and endpoint intrusion prevention and detection throughout our infrastructure, (ii) systems that monitor our infrastructure and alert our management of potential cybersecurity issues and vulnerabilities, and (iii) a seasoned process for managing and installing patches for third-party applications.
We have also implemented the following protective and preventative measures:
• identity management and access control safeguards;
• encryption of data in transit and at rest;
• system and network security and monitoring;
• information protection and governance; and
• ongoing systems and equipment maintenance.
Incident Response and Recovery Planning
We have instituted cybersecurity event detection systems, methods, and supporting processes to perform continuous monitoring, identify and classify events and anomalies, take appropriate actions when necessary, and report incidents to the appropriate parties. Our response and recovery capabilities are designed to, among other things, contain any impacts, analyze and mitigate events, track events to resolution, provide effective stakeholder communication, recover and resume operations, and evaluate and improve systems and methods.
Third-Party Risk Management
We have implemented and continue to maintain our IT policies, standards, procedures, and controls to oversee, identify and manage cybersecurity risks associated with all third-party service providers. These include, but are not limited to, an IT acceptable use policy, a records and information management policy, change control procedures, risk and control registry, attestation report reviews, and configuration standards.
Education and Awareness
Our policies require each of our employees to complete annual information security training, in addition to other training requirements. The result is an educated, informed, and prepared workforce, with an awareness of potential cybersecurity threats, how they may occur, and how to report and escalate such matters. These training efforts are supplemented with regular corporate-led communications and outreach initiatives to facilitate cybersecurity awareness and ensure employees remain vigilant and informed about cybersecurity threats and trends.
|
Cybersecurity Risk Management Processes Integrated [Flag] | true |
Cybersecurity Risk Management Processes Integrated [Text Block] |
We employ a risk-based approach to cybersecurity which aligns with our corporate strategy, risk management and governance, and adaptable information technology (“IT”) infrastructure. Our cybersecurity program consists of policies, procedures, systems, controls and technology designed to help prevent, identify, detect and mitigate cybersecurity risk and is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity framework.
Collaboration
We have integrated cybersecurity risk management into our overall risk management framework by (i) maintaining disaster recovery, business continuity and security incident recovery plans, (ii) conducting annual enterprise and IT risk assessments, (iii) implementing periodic key risk indicator tracking, and (iv) holding regular cross-departmental meetings to address cybersecurity risks.
Risk Assessment
Our risk management activities and cybersecurity strategy include IT policies, standards, procedures and systems to address and mitigate risks for critical system availability, network integrity, information protection, and operational continuity.
We perform vulnerability and threat monitoring mitigation activities on a regular basis and perform a cybersecurity risk assessment at least annually. Our cybersecurity risk assessment program includes the following assessments and activities:
• ensure program alignment with the NIST Cybersecurity framework; and,
• prioritize, remediate and ensure effectiveness of critical applications, infrastructure, and information.
We regularly collaborate with the Company’s internal audit department and third parties with security and infrastructure expertise for review and evaluation of the Company’s cybersecurity risk program and the associated IT control environment. We engage third-party service providers to perform annual external and internal penetration testing, disaster recovery testing, and security incident simulations.
Infrastructure: Network and Physical Security
Our IT infrastructure is secured and continually monitored using a number of tools to effect physical and logical security. We strictly regulate and limit access to servers and networks. Network access is controlled by the network firewall and restricted by stringent access control lists. We also employ (i) network and endpoint intrusion prevention and detection throughout our infrastructure, (ii) systems that monitor our infrastructure and alert our management of potential cybersecurity issues and vulnerabilities, and (iii) a seasoned process for managing and installing patches for third-party applications.
We have also implemented the following protective and preventative measures:
• identity management and access control safeguards;
• encryption of data in transit and at rest;
• system and network security and monitoring;
• information protection and governance; and
• ongoing systems and equipment maintenance.
Incident Response and Recovery Planning
We have instituted cybersecurity event detection systems, methods, and supporting processes to perform continuous monitoring, identify and classify events and anomalies, take appropriate actions when necessary, and report incidents to the appropriate parties. Our response and recovery capabilities are designed to, among other things, contain any impacts, analyze and mitigate events, track events to resolution, provide effective stakeholder communication, recover and resume operations, and evaluate and improve systems and methods.
Third-Party Risk Management
We have implemented and continue to maintain our IT policies, standards, procedures, and controls to oversee, identify and manage cybersecurity risks associated with all third-party service providers. These include, but are not limited to, an IT acceptable use policy, a records and information management policy, change control procedures, risk and control registry, attestation report reviews, and configuration standards.
Education and Awareness
Our policies require each of our employees to complete annual information security training, in addition to other training requirements. The result is an educated, informed, and prepared workforce, with an awareness of potential cybersecurity threats, how they may occur, and how to report and escalate such matters. These training efforts are supplemented with regular corporate-led communications and outreach initiatives to facilitate cybersecurity awareness and ensure employees remain vigilant and informed about cybersecurity threats and trends.
|
Cybersecurity Risk Management Third Party Engaged [Flag] | true |
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
Cybersecurity Risk Board of Directors Oversight [Text Block] |
Both management and the Board are actively involved in the oversight of risks from cybersecurity threats. Our information security program is designed to ensure that management and the Board are adequately informed about, and provided with the tools necessary to monitor, (i) material risks from cybersecurity threats and (ii) our efforts related to the prevention, detection, mitigation, and remediation of cybersecurity incidents.
Role of the Board
The Board has delegated to the Audit Committee primary responsibility for overseeing enterprise risk management, including oversight of risks from cybersecurity threats. The Audit Committee periodically reviews TPL’s policies and practices, including incident response plans, for managing cybersecurity risks to ensure that such policies and practices are appropriately tailored to our risk framework. Throughout the year, the Audit Committee receives quarterly IT and cybersecurity updates unless there is a notable event that requires immediate communication. These quarterly updates include cybersecurity risk assessment updates from our Director of Information Technology, including key risk indicators, the steps management has taken to monitor and control such cybersecurity risk exposure, and continuous improvement efforts. In addition to the risk management experience of the Audit Committee members, Barbara J. Duganier, a member of the Audit Committee, holds the CERT Cybersecurity Oversight Certification from Carnegie Mellon University.
Role of Management
Our cybersecurity risk is managed utilizing a multi-tiered approach by our Director of Information Technology. In addition to the Director of Information Technology, we also engage the services of a third-party chief information security officer (“CISO”). The qualifications of the Director of Information Technology include over 30 years of IT management, cybersecurity, and information governance experience. The CISO, who reports to the Director of Information Technology, has 21 years of cybersecurity, IT management, and infrastructure consulting experience and is a certified CISO. The Director of Information Technology is regularly informed about the latest developments in cybersecurity, including potential threats, vulnerabilities, and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents.
The Director of Information Technology oversees risk management and strategy through (i) an IT operating committee (the “IT Operating Committee”) made up of the Director of Information Technology, the CISO, and our department heads, which is responsible for the establishment and review of our IT governance, risk management and compliance, and (ii) an IT steering committee (the “IT Steering Committee”) made up of our executives, which provides guidance and oversight to support and achieve our IT objectives, including cybersecurity objectives. Both the IT Operating Committee and the IT Steering Committee meet on a quarterly basis. The IT Operating Committee reviews monthly reports on cybersecurity incident prevention, mitigation, detection, and remediation and reviews our plans and policies related to IT processes on an annual basis. The Director of Information Technology also coordinates with our internal audit department and the Audit Committee to ensure cybersecurity is represented and addressed within our enterprise risk management strategy.
|
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | In addition to the Director of Information Technology, we also engage the services of a third-party chief information security officer (“CISO”). |
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | cybersecurity risk is managed utilizing a multi-tiered approach by our Director of Information Technology. In addition to the Director of Information Technology, we also engage the services of a third-party chief information security officer (“CISO”). The qualifications of the Director of Information Technology include over 30 years of IT management, cybersecurity, and information governance experience. The CISO, who reports to the Director of Information Technology, has 21 years of cybersecurity, IT management, and infrastructure consulting experience and is a certified CISO. The Director of Information Technology is regularly informed about the latest developments in cybersecurity, including potential threats, vulnerabilities, and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. |
Cybersecurity Risk Role of Management [Text Block] |
Role of the Board
The Board has delegated to the Audit Committee primary responsibility for overseeing enterprise risk management, including oversight of risks from cybersecurity threats. The Audit Committee periodically reviews TPL’s policies and practices, including incident response plans, for managing cybersecurity risks to ensure that such policies and practices are appropriately tailored to our risk framework. Throughout the year, the Audit Committee receives quarterly IT and cybersecurity updates unless there is a notable event that requires immediate communication. These quarterly updates include cybersecurity risk assessment updates from our Director of Information Technology, including key risk indicators, the steps management has taken to monitor and control such cybersecurity risk exposure, and continuous improvement efforts. In addition to the risk management experience of the Audit Committee members, Barbara J. Duganier, a member of the Audit Committee, holds the CERT Cybersecurity Oversight Certification from Carnegie Mellon University.
Role of Management
Our cybersecurity risk is managed utilizing a multi-tiered approach by our Director of Information Technology. In addition to the Director of Information Technology, we also engage the services of a third-party chief information security officer (“CISO”). The qualifications of the Director of Information Technology include over 30 years of IT management, cybersecurity, and information governance experience. The CISO, who reports to the Director of Information Technology, has 21 years of cybersecurity, IT management, and infrastructure consulting experience and is a certified CISO. The Director of Information Technology is regularly informed about the latest developments in cybersecurity, including potential threats, vulnerabilities, and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents.
The Director of Information Technology oversees risk management and strategy through (i) an IT operating committee (the “IT Operating Committee”) made up of the Director of Information Technology, the CISO, and our department heads, which is responsible for the establishment and review of our IT governance, risk management and compliance, and (ii) an IT steering committee (the “IT Steering Committee”) made up of our executives, which provides guidance and oversight to support and achieve our IT objectives, including cybersecurity objectives. Both the IT Operating Committee and the IT Steering Committee meet on a quarterly basis. The IT Operating Committee reviews monthly reports on cybersecurity incident prevention, mitigation, detection, and remediation and reviews our plans and policies related to IT processes on an annual basis. The Director of Information Technology also coordinates with our internal audit department and the Audit Committee to ensure cybersecurity is represented and addressed within our enterprise risk management strategy.
|
Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | The CISO, who reports to the Director of Information Technology, has 21 years of cybersecurity, IT management, and infrastructure consulting experience and is a certified CISO. |
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | The qualifications of the Director of Information Technology include over 30 years of IT management, cybersecurity, and information governance experience. The CISO, who reports to the Director of Information Technology, has 21 years of cybersecurity, IT management, and infrastructure consulting experience and is a certified CISO. The Director of Information Technology is regularly informed about the latest developments in cybersecurity, including potential threats, vulnerabilities, and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. |
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | The Director of Information Technology is regularly informed about the latest developments in cybersecurity, including potential threats, vulnerabilities, and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. |
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |