Annual and transition report of foreign private issuers [Sections 13 or 15(d)]

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Risk management and strategy
We maintain a corporate cyber risk management plan that is part of our business continuity strategy. The risk management plan has been in place for the past five years, and is updated annually to align with the latest cybersecurity trends and developments. The cyber risk management plan includes annual goals and activities that address relevant cyber risks that our Management Information Systems (MIS) department detects. The goals are presented and approved by our management annually.
Our strategy for cyber risk management contains seven layers, consisting of:
1. Firewall & Web Security
2. Network Security
3. Data Protection
4. Security Visibility & Awareness
5. Threat Intelligence
6. End Point Security
7. Code security
We maintain processes and procedures to address each layer of the strategy.
Our ISMS (Information Security Management System) is assessed and certified annually based on industry standards and best practice.
As part of the onboarding of every new vendor with whom we work, we conduct supply chain and TPRM (Third Party Risks Management) processes to assess potential risks associated with the vendor and to ensure that the vendor meets our cybersecurity requirements.
We maintain an Incident Response Policy as well as an Incident Response Team (comprised as described under “Governance” below), which are based upon and which adhere to, respectively, global principles for detecting, assessing, monitoring, and mitigating cyber incidents. The team conducts, periodically, a professional Table Top Exercise (TTX), together with our external advisors, in which we simulate mock real-time cybersecurity incidents that relate to current identified high risks.
We have in place corporate policies and procedures, including rules and protocols that our employees must abide by, and which reflect our approach to cybersecurity.
We work with external consultants as part of our cybersecurity risk management, but mainly for advisory purposes, such as building and executing cybersecurity plans and activities (for example, as advisors for our TTXs), conducting risk surveys and assessing regulatory or other legal risks. We do not, however, outsource processes or other company cybersecurity functions to third party service providers.
We are not aware of any previous cybersecurity incidents that have materially affected, or were reasonably likely to materially affect, our company (including business strategy, results of operations, or financial condition). As with virtually every other public company, we believe that a potential future material cybersecurity incident could potentially adversely affect our business operations in a material manner, due to the reliance that we place on our Management Information Systems for, among other things: effectively managing our accounting and financial functions, including maintaining our internal controls; managing our manufacturing and supply chain processes; and maintaining our research and development data. The failure of our management information systems to perform properly could disrupt our business and product development, which may result in decreased sales, increased overhead costs, excess or obsolete inventory, and product shortages, causing our business and operating results to suffer. Please see “Item 3.D. Risk Factors - Risks related to our business and financial condition - We rely on our management information systems…”
Governance
As part of our corporate cyber risk management plan, we prioritize the identification and management of cybersecurity risk at several levels, including board oversight and heavy involvement of our management on an ongoing basis. Our board of directors as a whole (rather than any committee or subcommittee of the board) is responsible for the oversight of risks from cybersecurity threats. The board conducts an annual security board meeting, in which our chief information officer (CIO) and chief information security officer (CISO) provide the members of the board cybersecurity updates including risks and threats, and define relevant actions for the year to come.
Cybersecurity related activities are primarily handled at our company by an internal Management Information Systems department that is managed by an experienced CIO, and which includes a CISO and a designated “Global Information Security and IT Compliance” team, comprised of security analysts and engineers. The team’s aspect-oriented programming (AOP) that addresses the relevant cyber risks that we detect, as well as our annual cybersecurity plan, are presented to, and approved by, our senior management team.
Our CISO, who has been a chief information security officer for seven years, holds an information security certification from the “See Security Academy”, a leading educational institute for cybersecurity professionals, and is also a Certified Ethical Hacker (C|EH) accredited by the EC-Council, widely regarded as the industry’s most robust, hands-on cybersecurity program. Our CISO has 15 years of experience in Information Systems and Technology, including ten years dedicated to Information Security, Incident Response, Cybersecurity, and Forensics.
Throughout the year, our management members interact in managing our cybersecurity risks, including via the following management processes:
1. The CIO reports on Management Information Systems operations including cybersecurity elements to our senior management team on a quarterly basis.
2. The CIO updates our chief operating officer (COO) as to the status of relevant cybersecurity projects and/or incidents on a weekly basis.
3. The CISO & CIO discuss the status of cybersecurity projects and/or incidents on a weekly basis.
We furthermore maintain an Incident Response Team (IRT), which is comprised of, among others, the CIO, CISO, chief legal officer (CLO) and representatives of the COO, the chief financial officer (CFO) and the Communications department. The IRT convenes on an as-needed basis following the suspected occurrence of a cybersecurity incident. The IRT is accompanied by outside legal counsel(s) that are familiar with the company and its IRT and are professionally equipped to provide real-time guidance and advice as may be required.
Our Management Information Systems maintains an “Online Service Desk” through which all cyber-related issues, including potential cybersecurity incidents, can be reported. Following initial review, the CIO, in consultation with our internal legal department, escalates a reported issue to the IRT, which then assembles to address the incident.
The IRT reports to our chief executive officer and/or board of directors on a case-by-case basis, taking into consideration the specific incident factors and the degree of materiality of the incident.