FULL HOUSE RESORTS INC - (FLL)

10-K Filing Date: March 15, 2024

Item 1C. Cybersecurity.

Risk Management and Strategy

Risk Assessment. We have incorporated policies and procedures aimed at securing and protecting company records and operations. At a minimum, our cybersecurity programs are benchmarked against and aligned to the Center for Internet Security (CIS) Version 8 framework ⸺ a universally accepted and recognized controls standard published in 2021 ⸺ to guide annual risk assessments and ongoing control monitoring activities. External experts are also utilized for both annual and periodic risk assessments, as needed, to ensure broad and in-depth evaluations of the transforming cybersecurity environment.

Incident Response and Recovery Planning. We have established comprehensive incident response and recovery plans and continue to regularly test and evaluate the effectiveness of these plans, while also providing necessary training tools and guidance for company personnel. All of these items are incorporated into our overall risk management program.

Third-Party Risk Management. As part of our risk identification efforts and overall cybersecurity risk management framework, we have processes in place to assess and manage third-party service provider cybersecurity risks. Such processes include initial and periodic reviews of independent attestation reports, as well as additional evaluation and due diligence that are dependent on our classification of data stored or processed by the third-party provider.

Governance

Qualifications. We view cybersecurity as a shared responsibility. To that end, the members of our Cybersecurity Committee represent a range of functions from across our company, including our property information technology directors, Corporate Controller, Vice President of Internal Audit and Compliance, Corporate Secretary and General Counsel, and the Western Director of Finance. This group has primary responsibility for assessing and managing material cybersecurity risks. The combined experience of this group consists of approximately 14 decades of direct information technology leadership experience, in addition to multiple degrees and specialized training and certifications in the information technology and cybersecurity field.

External Assessments. We engage independent third parties to conduct infrastructure and application security assessments and penetration testing. These third parties also help us assess our internal preparedness.

Management’s Role. Our Cybersecurity Committee members and external experts meet quarterly, at a minimum, with the primary purpose of identifying emerging company risks and related solutions, and evaluating the progress of previously-identified risk mitigation activities.

Board Oversight. Our Board, with direct oversight by the Audit Committee and senior management, ultimately presides over our management of cybersecurity risk. The Board routinely receives reports from the Cybersecurity Committee, via the Audit Committee, about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including material security risks and information system security vulnerabilities.

There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. Further, although we have not experienced any recent material cybersecurity incidents, we face a number of cybersecurity risks in connection with our business. Other casino companies have reported large-scale cybersecurity incidents. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition. See Part I, Item 1A. “Risk Factors – Risks Related to Technology” for additional discussion.

36