Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
|---|---|
Dec. 31, 2025 | |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | Collaboration Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, risk, and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying, preventing and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in a timely manner. Risk Assessment At least annually, we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known information security vulnerabilities, and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board, Audit Committee and members of management. Technical Safeguards We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience. Incident Response and Recovery Planning We have established comprehensive incident response and recovery plans and continue to regularly test and evaluate the effectiveness of those plans. Our incident response and recovery plans address — and guide our employees, management and the Board on — our response to a cybersecurity incident. Third-Party Risk Management We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. These inputs may include, as appropriate, our review of third-party audit reports, ongoing monitoring activities and validation of relevant security certifications. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate. Education and Awareness Our policies require each of our employees to contribute to our data security efforts. We regularly remind employees of the importance of handling and protecting customer and employee data, including through annual privacy and security training, to enhance employee awareness of how to detect and respond to cybersecurity threats. The training we offer to employees covers critical cybersecurity topics such as phishing, insider threats and the secure use of company systems. External Assessments Our cybersecurity policies, standards, processes and practices are regularly assessed by consultants and external auditors. These assessments include a variety of activities including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. For example, in 2023, 2024 and 2025 we conducted independent cyber maturity assessments to review our controls against the NIST Cybersecurity Framework. The results of significant assessments are reported to management, the Board and Audit Committee. Cybersecurity processes are adjusted, as appropriate, based on the information provided from these assessments. We have also obtained industry certifications and attestations that demonstrate our dedication to protecting the data our customers entrust to us.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Our policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization and other applicable industry standards. Our cybersecurity program in particular focuses on the following key areas:
|
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Board Oversight Our Board, in coordination with the Audit Committee, oversees our management of cybersecurity risk. They receive regular reports from management about the prevention, detection, mitigation, and remediation of material information security risks, including cybersecurity incidents and vulnerabilities. Our Audit Committee is responsible for overseeing our cybersecurity program. The Audit Committee receives regular updates from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, third-party compliance certifications, control maturity assessments, and relevant ServiceNow, customer and industry cybersecurity incidents.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | •Chief product officer (“CPO”) and chief operating officer (“COO”), who oversees the digital transformation, digital technology and security functions •Chief digital information officer (“CDIO”), who oversees enterprise-wide digital technology •Chief information security officer (“CISO”), who oversees the security function and reports to the COO •Chief technology officer (“CTO”), who oversees product engineering and advanced technologies •Chief legal officer (“CLO”), who oversees the legal and compliance functions
|
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | •Chief product officer (“CPO”) and chief operating officer (“COO”), who oversees the digital transformation, digital technology and security functions •Chief digital information officer (“CDIO”), who oversees enterprise-wide digital technology •Chief information security officer (“CISO”), who oversees the security function and reports to the COO •Chief technology officer (“CTO”), who oversees product engineering and advanced technologies •Chief legal officer (“CLO”), who oversees the legal and compliance functions These individuals, among others, also serve as members of management’s Security Steering Committee (the “Security Committee”), which is a governing body that drives alignment on security decisions across the Company. The Security Committee meets periodically to review security performance metrics, identify security risks, and assess the status of approved security enhancements. The Security Committee also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies. Our CPO and COO has served in various roles in information technology and information security for over 25 years, including serving as the Head of Platform and in other senior leadership roles at two other large public companies overseeing areas such as cloud infrastructure, platform security and enterprise product development. He holds an undergraduate degree in electrical and computer engineering and a master’s degree in information networking. Our CDIO has served in various roles in information technology for over 20 years, including serving as our Senior Vice President of Digital Technology Experience and in similar senior roles at two other public companies. Our CISO has served in various roles in information technology and information security for almost 20 years, including serving as the Chief Information Security Officer or Chief Security Officer at three other large public companies. He holds undergraduate and master’s degrees in computer science. Our CTO has served in various roles in information technology for over 25 years and has been with us since 2011. Our CLO has over 25 years of experience managing risks, including risks arising from cybersecurity threats, at large public technology companies.
|
| Cybersecurity Risk Role of Management [Text Block] | •Chief product officer (“CPO”) and chief operating officer (“COO”), who oversees the digital transformation, digital technology and security functions •Chief digital information officer (“CDIO”), who oversees enterprise-wide digital technology •Chief information security officer (“CISO”), who oversees the security function and reports to the COO •Chief technology officer (“CTO”), who oversees product engineering and advanced technologies •Chief legal officer (“CLO”), who oversees the legal and compliance functions These individuals, among others, also serve as members of management’s Security Steering Committee (the “Security Committee”), which is a governing body that drives alignment on security decisions across the Company. The Security Committee meets periodically to review security performance metrics, identify security risks, and assess the status of approved security enhancements. The Security Committee also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies. Our CPO and COO has served in various roles in information technology and information security for over 25 years, including serving as the Head of Platform and in other senior leadership roles at two other large public companies overseeing areas such as cloud infrastructure, platform security and enterprise product development. He holds an undergraduate degree in electrical and computer engineering and a master’s degree in information networking. Our CDIO has served in various roles in information technology for over 20 years, including serving as our Senior Vice President of Digital Technology Experience and in similar senior roles at two other public companies. Our CISO has served in various roles in information technology and information security for almost 20 years, including serving as the Chief Information Security Officer or Chief Security Officer at three other large public companies. He holds undergraduate and master’s degrees in computer science. Our CTO has served in various roles in information technology for over 25 years and has been with us since 2011. Our CLO has over 25 years of experience managing risks, including risks arising from cybersecurity threats, at large public technology companies.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | •Chief product officer (“CPO”) and chief operating officer (“COO”), who oversees the digital transformation, digital technology and security functions •Chief digital information officer (“CDIO”), who oversees enterprise-wide digital technology •Chief information security officer (“CISO”), who oversees the security function and reports to the COO •Chief technology officer (“CTO”), who oversees product engineering and advanced technologies •Chief legal officer (“CLO”), who oversees the legal and compliance functions
|
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our CPO and COO has served in various roles in information technology and information security for over 25 years, including serving as the Head of Platform and in other senior leadership roles at two other large public companies overseeing areas such as cloud infrastructure, platform security and enterprise product development. He holds an undergraduate degree in electrical and computer engineering and a master’s degree in information networking. Our CDIO has served in various roles in information technology for over 20 years, including serving as our Senior Vice President of Digital Technology Experience and in similar senior roles at two other public companies. Our CISO has served in various roles in information technology and information security for almost 20 years, including serving as the Chief Information Security Officer or Chief Security Officer at three other large public companies. He holds undergraduate and master’s degrees in computer science. Our CTO has served in various roles in information technology for over 25 years and has been with us since 2011. Our CLO has over 25 years of experience managing risks, including risks arising from cybersecurity threats, at large public technology companies.
|
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, risk, and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying, preventing and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in a timely manner. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |