Annual report [Section 13 and 15(d), not S-K Item 405]

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Our management team is responsible for identifying, assessing and managing the material risks facing Columbia, supported by an enterprise risk management program. This program includes an annual enterprise risk assessment, during which interviews are conducted with independent directors and members of senior management seeking participants' judgement and assessment of the material risks facing Columbia. The enterprise risk management program then monitors the risks identified and mitigation efforts underway through periodic meetings with senior management.

Our enterprise risk management program addresses risks facing Columbia from cybersecurity threats impacting our internal systems and/or systems supported by third-party software providers.

On January 6, 2025, Skip Potter, Executive Vice President, Chief Digital Information Officer, departed the Company. Jim Swanson, Executive Vice President and Chief Financial Officer, is overseeing the digital technology department at the Company in an interim capacity. Our Chief Information Security Officer ("CISO") reports to Mr. Swanson and is responsible for identifying, assessing and managing risks facing the Company from cybersecurity threats impacting our internal systems and/or systems supported by third-party providers. Our CISO has served in various information technology and information security roles for over 20 years, including management of information security programs in the Department of Defense, private and public companies, and holds multiple industry certifications in information security. We leverage certain third-party providers and our internal Incident Response Team to alert us when a cybersecurity event occurs. Cybersecurity events may include unauthorized access, attacks on our resources, compromised accounts, malware, or ransomware. Upon alert of an event, we estimate the level of severity, create a response plan, and communicate to management as needed. Based on the estimated level of severity, timing of incident communication to management may range from immediate to quarterly. Our risk assessment process related to cybersecurity threats is subject to change in the future as threats may evolve over time.
Our Information Security committee oversees this cybersecurity program and consists of senior management, including Mr. Swanson and our Chief Administrative Officer and General Counsel. At least quarterly, this committee reviews updates regarding cybersecurity threats and incidents that have occurred. Periodically, this committee approves cybersecurity strategy and initiatives proposed by our CISO.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our management team is responsible for identifying, assessing and managing the material risks facing Columbia, supported by an enterprise risk management program. This program includes an annual enterprise risk assessment, during which interviews are conducted with independent directors and members of senior management seeking participants' judgement and assessment of the material risks facing Columbia. The enterprise risk management program then monitors the risks identified and mitigation efforts underway through periodic meetings with senior management.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] Our Board of Directors ("Board") generally oversees Columbia's risk management practices and processes. Annually, the Board reviews the results of the annual enterprise risk management program, including updates from our CISO related to cybersecurity matters. The Audit Committee also receives an update on the enterprise risk management program annually. The Board has delegated primary oversight of the management of cybersecurity risk to the Audit Committee. The Audit Committee annually reviews the strategies, investments and risks related to Columbia's information technology systems, including a review of Columbia's cybersecurity programs, and also receives quarterly updates from our CISO. The Board is informed of cybersecurity events to the extent they may materially impact Columbia or management otherwise believes they should be escalated to the Board.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee also receives an update on the enterprise risk management program annually. The Board has delegated primary oversight of the management of cybersecurity risk to the Audit Committee.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee annually reviews the strategies, investments and risks related to Columbia's information technology systems, including a review of Columbia's cybersecurity programs, and also receives quarterly updates from our CISO. The Board is informed of cybersecurity events to the extent they may materially impact Columbia or management otherwise believes they should be escalated to the Board.
Cybersecurity Risk Role of Management [Text Block]
On January 6, 2025, Skip Potter, Executive Vice President, Chief Digital Information Officer, departed the Company. Jim Swanson, Executive Vice President and Chief Financial Officer, is overseeing the digital technology department at the Company in an interim capacity. Our Chief Information Security Officer ("CISO") reports to Mr. Swanson and is responsible for identifying, assessing and managing risks facing the Company from cybersecurity threats impacting our internal systems and/or systems supported by third-party providers. Our CISO has served in various information technology and information security roles for over 20 years, including management of information security programs in the Department of Defense, private and public companies, and holds multiple industry certifications in information security. We leverage certain third-party providers and our internal Incident Response Team to alert us when a cybersecurity event occurs. Cybersecurity events may include unauthorized access, attacks on our resources, compromised accounts, malware, or ransomware. Upon alert of an event, we estimate the level of severity, create a response plan, and communicate to management as needed. Based on the estimated level of severity, timing of incident communication to management may range from immediate to quarterly. Our risk assessment process related to cybersecurity threats is subject to change in the future as threats may evolve over time.
Our Information Security committee oversees this cybersecurity program and consists of senior management, including Mr. Swanson and our Chief Administrative Officer and General Counsel. At least quarterly, this committee reviews updates regarding cybersecurity threats and incidents that have occurred. Periodically, this committee approves cybersecurity strategy and initiatives proposed by our CISO.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Chief Information Security Officer ("CISO") reports to Mr. Swanson and is responsible for identifying, assessing and managing risks facing the Company from cybersecurity threats impacting our internal systems and/or systems supported by third-party providers.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CISO has served in various information technology and information security roles for over 20 years, including management of information security programs in the Department of Defense, private and public companies, and holds multiple industry certifications in information security.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Our Information Security committee oversees this cybersecurity program and consists of senior management, including Mr. Swanson and our Chief Administrative Officer and General Counsel. At least quarterly, this committee reviews updates regarding cybersecurity threats and incidents that have occurred. Periodically, this committee approves cybersecurity strategy and initiatives proposed by our CISO.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true