TRAVELZOO - (TZOO)

10-K Filing Date: March 22, 2024
Item 1C. Cybersecurity
The Company, including its Board of Directors, Audit Committee, management and internal legal, information technology (IT) and finance teams, recognizes the importance of safeguarding the Company’s data, information systems and technology assets, as it is a critical part of the trust that we have built with our members, partners and employees.
Risk Management and Strategy
Our approach involves an annual review of our established IT systems and vendor relationships, to assess salient risks and discuss mitigation procedures, as well as the establishment of an Incident Response Team appointed to manage cybersecurity risk, which meets at least twice per year. The Incident Response Team is led by the Company’s Systems Administrator and Cybersecurity Analyst, and includes employees from different functions and levels of the organization, including the Head of Engineering (most senior IT leader), the General Counsel and Head of Global Functions (executive-level legal), the Global Head of Business Services (most senior business operations leader), as well as representatives from finance, marketing, and customer service. The team is also supported by external vendors and consultants, as needed (for example, specialized cybersecurity legal counsel, specialized IT cybersecurity agencies and Sarbanes-Oxley (SOX) compliance/audit consultants to assist with internal controls review).
The Incident Response Team follows industry best practices for Payment Card Industry (PCI) compliance and cybersecurity. Starting in Q1, the team reviews the Company’s plan and policy for cybersecurity incident response, making updates as needed to reflect changes in the systems, processes or requirements of the organization. The team then coordinates a broader meeting where a test incident is provided and discussed, to ensure that everyone across the organization is aligned and understands the process should an incident arise in the future. The scenarios involve realistic threats to prompt discussion and practice in the application of the Company’s policies. The Company established this process with the support of outside consultants to ensure it aligns with industry best practices. It is customized to address the most prominent IT and cybersecurity risks based on the Company’s assessments. Any significant changes in policies, risk profiles, internal practices, etc. are reported to the Company’s Chair of the Board and Board of Directors, as needed.
Separately from the Incident Response Team, the Company requires all employees to complete an annual security training and the Company’s Head of Corporate Systems evaluates security features and compliance with security requirements by employees on an ongoing basis, in consultation with legal.
Given the importance of our member data, the Company has also appointed an internal Data Protection Officer (DPO), who is a member of the Company’s legal function and who has received outside training and qualifications. The Company’s DPO reviews any changes in rules, requirements, internal policies and procedures and ensures the Company’s compliance for data privacy globally is up to date (including vendor relationships, privacy policy, data subject access request processes, website terms, employee processes, etc.). The DPO also administers annual data privacy training to all employees and reviews processes and security procedures with the Head of Corporate Systems and IT team, to ensure there are no areas of exposure or material risk for the Company’s data.
We rely on certain third-party computer systems and third-party service providers in connection with providing some of our services (including our hotel platform and email newsletters). We also depend upon various third parties to process payments for our voucher transactions around the world. These third-party business partners, service providers, and consultants need to access certain of our member and other data, and connect to our computer networks. We define expected security and privacy requirements through our contracting processes with third parties and we perform third-party cyber risk assessments to monitor the cyber risk management efforts of third parties as needed.
Although we expend significant internal resources to protect against security breaches, our existing security measures may not be successful in preventing all attacks on our systems. We have experienced cybersecurity incidents and threats, including malware, phishing, partner and customer account takeover attacks, and denial-of-service attacks on our systems. We do not believe these cybersecurity incidents have had a materially adverse effect on our Company, including our business strategy, results of operations, or financial condition. For further discussion, please review our Risk Factors.
Governance
The Board, in coordination with the Audit Committee, oversees the Company’s risk management program, which includes evaluation of material cybersecurity-related risks as needed. The Audit Committee receives from time to time presentations and reports from both Company management and third parties, as appropriate, that address cybersecurity and data protection topics, including evolving standards, third-party and independent reviews, technology trends and information security considerations. The Audit Committee meets at least quarterly with Company management and the Company’s external SOX consultant to discuss internal IT controls and, in reviewing the controls, exercises oversight of the Company’s IT processes and any areas of risk. Additionally, should an incident arise that is material, the Incident Response Team promptly apprises the Chair of the Board of Directors and the Audit Committee and provides ongoing updates until such incident has been resolved. At regularly scheduled Board meetings, the Audit Committee Chair provides the Board with an update as needed on any significant matters discussed, reviewed, considered and approved by the committee since the last regularly scheduled Board meeting.