Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
|---|---|
Dec. 31, 2025 | |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
Management's Role in Managing Risk
Our management team is responsible for identifying, assessing and managing the material risks facing the Company. On January 6, 2025, the Company's Executive Vice President, Chief Digital Information Officer, departed the Company. Jim Swanson, Executive Vice President and Chief Financial Officer, oversaw the digital technology department at the Company in an interim capacity until January 21, 2026 when the Company appointed a Senior Vice President, Chief Technology Officer ("CTO"). The CTO, together with our Chief Information Security Officer ("CISO"), are responsible for identifying, assessing and managing risks facing the Company from cybersecurity threats impacting our internal systems and/or systems supported by third-party providers. Our CTO has served in various information technology roles for over 20 years, including the role of CTO at a private company and management of information technology programs of private and public companies. Our CISO has served in various information technology and information security roles for over 20 years, including management of information security programs in the Department of Defense and private and public companies, and holds multiple industry certifications in information security. We leverage certain third-party providers and our internal Incident Response Team to help alert us when a cybersecurity event occurs. Cybersecurity events may include unauthorized access, attacks on our resources, compromised accounts, malware, or ransomware. Upon alert of an event, we estimate the level of severity, create a response plan, and communicate to management as needed. Based on the estimated level of severity, timing of incident communication to management may vary in accordance with established escalation protocols. Our cybersecurity risk assessment process is subject to change in the future as threats may evolve over time.
An Information Security committee oversees this cybersecurity program and consists of senior management, including Mr. Swanson and our Chief Administrative Officer and General Counsel. At least quarterly, this committee reviews updates regarding cybersecurity threats and incidents that have occurred. Periodically, this committee approves cybersecurity strategy and initiatives proposed by our CTO and CISO. In 2025, we engaged an independent third party review of our cybersecurity program against the NIST Cybersecurity Framework 2.0 to provide an independent assessment and perspective measured against industry standards. Additionally, we periodically engage independent third parties to perform audits of portions of our cybersecurity control environment based on risk.
Cybersecurity risks are also considered in the Company's enterprise risk management program.
|
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] |
Our Board of Directors ("Board") generally oversees Columbia's risk management practices and processes. The Board has delegated primary oversight of the management of cybersecurity risk to the Audit Committee. The Audit Committee performs an annual deep dive on the strategies, investments and risks related to Columbia's information technology systems, including a review of Columbia's cybersecurity programs, and also receives quarterly updates from our CTO and CISO. The Board is informed of cybersecurity events to the extent they may materially impact Columbia or management otherwise believes they should be escalated to the Board.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Board has delegated primary oversight of the management of cybersecurity risk to the Audit Committee. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Audit Committee performs an annual deep dive on the strategies, investments and risks related to Columbia's information technology systems, including a review of Columbia's cybersecurity programs, and also receives quarterly updates from our CTO and CISO. The Board is informed of cybersecurity events to the extent they may materially impact Columbia or management otherwise believes they should be escalated to the Board. |
| Cybersecurity Risk Role of Management [Text Block] | On January 6, 2025, the Company's Executive Vice President, Chief Digital Information Officer, departed the Company. Jim Swanson, Executive Vice President and Chief Financial Officer, oversaw the digital technology department at the Company in an interim capacity until January 21, 2026 when the Company appointed a Senior Vice President, Chief Technology Officer ("CTO"). The CTO, together with our Chief Information Security Officer ("CISO"), are responsible for identifying, assessing and managing risks facing the Company from cybersecurity threats impacting our internal systems and/or systems supported by third-party providers. Our CTO has served in various information technology roles for over 20 years, including the role of CTO at a private company and management of information technology programs of private and public companies. Our CISO has served in various information technology and information security roles for over 20 years, including management of information security programs in the Department of Defense and private and public companies, and holds multiple industry certifications in information security. We leverage certain third-party providers and our internal Incident Response Team to help alert us when a cybersecurity event occurs. Cybersecurity events may include unauthorized access, attacks on our resources, compromised accounts, malware, or ransomware. Upon alert of an event, we estimate the level of severity, create a response plan, and communicate to management as needed. Based on the estimated level of severity, timing of incident communication to management may vary in accordance with established escalation protocols. Our cybersecurity risk assessment process is subject to change in the future as threats may evolve over time. An Information Security committee oversees this cybersecurity program and consists of senior management, including Mr. Swanson and our Chief Administrative Officer and General Counsel. At least quarterly, this committee reviews updates regarding cybersecurity threats and incidents that have occurred. Periodically, this committee approves cybersecurity strategy and initiatives proposed by our CTO and CISO. In 2025, we engaged an independent third party review of our cybersecurity program against the NIST Cybersecurity Framework 2.0 to provide an independent assessment and perspective measured against industry standards. Additionally, we periodically engage independent third parties to perform audits of portions of our cybersecurity control environment based on risk.
Cybersecurity risks are also considered in the Company's enterprise risk management program.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | responsible for identifying, assessing and managing risks facing the Company from cybersecurity threats impacting our internal systems and/or systems supported by third-party providers. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our CISO has served in various information technology and information security roles for over 20 years, including management of information security programs in the Department of Defense and private and public companies, and holds multiple industry certifications in information security. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Information Security committee oversees this cybersecurity program and consists of senior management, including Mr. Swanson and our Chief Administrative Officer and General Counsel. At least quarterly, this committee reviews updates regarding cybersecurity threats and incidents that have occurred. Periodically, this committee approves cybersecurity strategy and initiatives proposed by our CTO and CISO. In 2025, we engaged an independent third party review of our cybersecurity program against the NIST Cybersecurity Framework 2.0 to provide an independent assessment and perspective measured against industry standards. Additionally, we periodically engage independent third parties to perform audits of portions of our cybersecurity control environment based on risk. Cybersecurity risks are also considered in the Company's enterprise risk management program.
|
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |