Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
---|---|
Dec. 31, 2024 | |
Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
Risk Management and Strategy
We believe an effective cybersecurity program is critical to guard the confidentiality, integrity, and availability of our information systems and data residing in those systems. We have built and continue to develop processes for assessing, identifying, preventing, mitigating and managing material risks from cybersecurity threats. We have embedded the oversight and management of cybersecurity risk within our enterprise risk management framework to guide our cybersecurity risk management program and help drive a company-wide culture of cybersecurity risk management. In addition, we have established policies and procedures as well as disclosure controls with a structured reporting mechanism to ensure proper and timely flow of information as well as appropriate management of events, threats and any related matter.
Our Information Technology Department uses a wide range of activities, including cybersecurity risk assessments, audits, vulnerability and penetration testing, security monitoring tools, and system scanning, among other technology and human resources, to monitor and identify cybersecurity threats and incidents, as well as to evaluate the effectiveness of our cybersecurity measures. We perform regular phishing testing on a monthly basis, and employees who fail the test receive a warning and in-person training on a quarterly basis. We provide an annual training on information security and cyber awareness for our personnel with a >98% participation rate among all employees. In addition, we provide face-to-face training for all new employees on cybersecurity. New employees are also requested to sign a form detailing the permitted use of our computer resources. In addition, every quarter we send a cybersecurity awareness brochure to all employees. These training activities provide employees with effective tools to address cybersecurity threats and implement our evolving security processes and practices.
With respect to cybersecurity monitoring, we engage a third party to perform 24/7 cybersecurity monitoring, detection and response services. With the third party's assistance, our Information Technology Department tracks metrics that monitor our cybersecurity risk posture, including any identified cybersecurity threats and risks, security awareness proficiency of employees, and any system vulnerabilities and patching requirements. We also engage third parties to perform assessments of our cybersecurity measures (including audits) and to help improve our processes and practices. The results of such assessments, audits and reviews are reported by the Chief Information Security Officer (CISO), and/or a delegate of the CISO, to the Company’s management and to our Audit Committee, and we are committed to adjusting our cybersecurity processes and practices as necessary based on the information provided by these assessments, audits and reviews. Our cybersecurity processes and practices are modelled based on industry best practices, including the ISO/IEC 27001 Standard.
We require all third-party vendors that may have access to Company, employee, customer, or other third-party data, and/or access to the Company’s systems, to complete a questionnaire and undergo a vetting process prior to being approved and onboarded. The vetting process may include a review of the vendor's relevant policies and procedures, standards certifications, technology architecture, business practices and cybersecurity profile. Third-party vendor agreements include confidentiality obligations and specify data elements that the third party has access to, how the third party protects the data, personal information and data subject’s rights, and procedures for the return or destruction of protected data.
In addition to the above processes and resources, we deploy technical safeguards and maintain a cybersecurity incident response process that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, access controls, system backups, denial of service attack prevention, endpoint protection, network protection and cloud workload protection, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. In addition, within the Information Technology Department, we have an Incident Response Team, which maintains and is responsible for communicating any cybersecurity incidents in accordance with a written incident response plan (the “Incident Response Plan”). The Incident Response Plan defines responsibilities and immediate actions necessary to mitigate risk, defines the reporting of incidents to management, and identifies necessary steps to remediate the incident and prevent future incidents. The Incident Response Team is responsible for identifying and assessing the impact of various factors, including duration of the breach or other incident, the number of systems and users affected, the actual or potential system downtime and associated financial impact, as well as the cost and timing of system and data recovery. We also implement controls and procedures that provide for the escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. Third parties engaged in monitoring and detection are required to report all cybersecurity incidents immediately to the CISO. Our CISO is responsible for reporting critical cybersecurity incidents that may affect Tower’s operations immediately to our senior management team and the Company’s compliance officer.
Depending on the nature and severity of an incident, the incident may also need to be reported to our Disclosure Committee to determine whether the incident is or is reasonably likely to become material and shall be reported to the Audit Committee and the Board of Directors, and whether the Company must disclose the incident to the relevant authorities, as may be required by applicable regulation.
|
Cybersecurity Risk Management Processes Integrated [Flag] | true |
Cybersecurity Risk Management Processes Integrated [Text Block] | We believe an effective cybersecurity program is critical to guard the confidentiality, integrity, and availability of our information systems and data residing in those systems. We have built and continue to develop processes for assessing, identifying, preventing, mitigating and managing material risks from cybersecurity threats. We have embedded the oversight and management of cybersecurity risk within our enterprise risk management framework to guide our cybersecurity risk management program and help drive a company-wide culture of cybersecurity risk management. In addition, we have established policies and procedures as well as disclosure controls with a structured reporting mechanism to ensure proper and timely flow of information as well as appropriate management of events, threats and any related matter. |
Cybersecurity Risk Management Third Party Engaged [Flag] | true |
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] | We face risks from cybersecurity threats that could have a material adverse effect on our business, strategy, operations, financial condition, results of operations, cash flows or reputation. However, to date, we have not experienced any cybersecurity incidents that have had a material adverse effect. We cannot provide assurance that we will not be materially affected in the future by such risks and any future material incidents. See “Item 3. Key Information – D. Risk Factors – Risks Related to Our Business – Security, cyber and privacy breaches may harm our business and operations.” |
Cybersecurity Risk Board of Directors Oversight [Text Block] |
Governance
Our Board of Directors recognizes the importance of managing the risk of cybersecurity threats to the Company. The Board and its committees are responsible for overseeing our enterprise risk management activities. With respect to cybersecurity risk, the Audit Committee, responsible for, among other things, overseeing our compliance with internal controls and our management of enterprise risks, specifically oversees cybersecurity risks and the Company’s risk mitigation framework with a focus on the following: data governance, information systems, incident response for cybersecurity incidents, disaster recovery and compliance risks.
The Audit Committee meets at least four times each year and as often as necessary to fulfill its responsibilities. Our senior management team, which includes our Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, together with the VP of Information Technology or CISO, report on a regular basis to the Audit Committee with a review of the cybersecurity program, status updates, progress of the annual plan, and cybersecurity risks and trends as well as other information necessary to assess such risks and oversee the development and performance of our risk mitigation processes. The Board of Directors and Audit Committee receive prompt and timely information regarding any cybersecurity incidents that meet established reporting thresholds, as well as required subsequent updates.
The VP of Information Technology leads our Information Technology Department and is responsible for overseeing our information security program. The VP of Information Technology has over 25 years of industry experience, and is responsible for assessing and managing cybersecurity risks, as well as communicating cybersecurity incidents, matters and trends to Company management, the Audit Committee and the Board of Directors. Team members who support our information security program have relevant educational and industry experience and regularly report to the VP of Information Technology. Our Information Technology Department regularly reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings.
The CISO, and/or a delegate of the CISO, in coordination with our Chief Executive Officer and Chief Legal Officer, work collaboratively to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. The CISO, and/or a delegate of the CISO, monitors the prevention, detection, mitigation and remediation of cybersecurity incidents, and reports such incidents to the Disclosure Committee when appropriate.
We face risks from cybersecurity threats that could have a material adverse effect on our business, strategy, operations, financial condition, results of operations, cash flows or reputation. However, to date, we have not experienced any cybersecurity incidents that have had a material adverse effect. We cannot provide assurance that we will not be materially affected in the future by such risks and any future material incidents. See “Item 3. Key Information – D. Risk Factors – Risks Related to Our Business – Security, cyber and privacy breaches may harm our business and operations.”
|
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Our Board of Directors recognizes the importance of managing the risk of cybersecurity threats to the Company. The Board and its committees are responsible for overseeing our enterprise risk management activities. With respect to cybersecurity risk, the Audit Committee, responsible for, among other things, overseeing our compliance with internal controls and our management of enterprise risks, specifically oversees cybersecurity risks and the Company’s risk mitigation framework with a focus on the following: data governance, information systems, incident response for cybersecurity incidents, disaster recovery and compliance risks. |
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Audit Committee meets at least four times each year and as often as necessary to fulfill its responsibilities. Our senior management team, which includes our Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, together with the VP of Information Technology or CISO, report on a regular basis to the Audit Committee with a review of the cybersecurity program, status updates, progress of the annual plan, and cybersecurity risks and trends as well as other information necessary to assess such risks and oversee the development and performance of our risk mitigation processes. The Board of Directors and Audit Committee receive prompt and timely information regarding any cybersecurity incidents that meet established reporting thresholds, as well as required subsequent updates. |
Cybersecurity Risk Role of Management [Text Block] |
The VP of Information Technology leads our Information Technology Department and is responsible for overseeing our information security program. The VP of Information Technology has over 25 years of industry experience, and is responsible for assessing and managing cybersecurity risks, as well as communicating cybersecurity incidents, matters and trends to Company management, the Audit Committee and the Board of Directors. Team members who support our information security program have relevant educational and industry experience and regularly report to the VP of Information Technology. Our Information Technology Department regularly reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings.
The CISO, and/or a delegate of the CISO, in coordination with our Chief Executive Officer and Chief Legal Officer, work collaboratively to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. The CISO, and/or a delegate of the CISO, monitors the prevention, detection, mitigation and remediation of cybersecurity incidents, and reports such incidents to the Disclosure Committee when appropriate.
|
Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] |
The VP of Information Technology leads our Information Technology Department and is responsible for overseeing our information security program. The VP of Information Technology has over 25 years of industry experience, and is responsible for assessing and managing cybersecurity risks, as well as communicating cybersecurity incidents, matters and trends to Company management, the Audit Committee and the Board of Directors. Team members who support our information security program have relevant educational and industry experience and regularly report to the VP of Information Technology. Our Information Technology Department regularly reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings.
The CISO, and/or a delegate of the CISO, in coordination with our Chief Executive Officer and Chief Legal Officer, work collaboratively to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. The CISO, and/or a delegate of the CISO, monitors the prevention, detection, mitigation and remediation of cybersecurity incidents, and reports such incidents to the Disclosure Committee when appropriate.
|
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | The VP of Information Technology leads our Information Technology Department and is responsible for overseeing our information security program. The VP of Information Technology has over 25 years of industry experience, and is responsible for assessing and managing cybersecurity risks, as well as communicating cybersecurity incidents, matters and trends to Company management, the Audit Committee and the Board of Directors. Team members who support our information security program have relevant educational and industry experience and regularly report to the VP of Information Technology. Our Information Technology Department regularly reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings. |
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Our senior management team, which includes our Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, together with the VP of Information Technology or CISO, report on a regular basis to the Audit Committee with a review of the cybersecurity program, status updates, progress of the annual plan, and cybersecurity risks and trends as well as other information necessary to assess such risks and oversee the development and performance of our risk mitigation processes. The Board of Directors and Audit Committee receive prompt and timely information regarding any cybersecurity incidents that meet established reporting thresholds, as well as required subsequent updates. |
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |