Bally's Corp - (BALY)

10-K Filing Date: March 15, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing material risks from cybersecurity threats, and have integrated these processes into our overall risk management systems and practices. We routinely assess material risks from cybersecurity threats, including any potential unauthorized attack on, or use of, our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information stored therein.

Our data breach management policy classifies potential threats by risk levels, and we typically prioritize our threat mitigation and impact evaluation efforts based on those risk classifications, while focusing on maintaining the resiliency of our systems. These risk assessments include identifying reasonably foreseeable potential internal and external risks, the likelihood of occurrence and any potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, controls, and other safeguards in place to manage such risks.

Following these risk assessments, we design, implement, and maintain reasonable safeguards to minimize the identified risks; reasonably address any identified gaps in existing safeguards; update existing safeguards as necessary; and monitor the effectiveness of our safeguards. Some of the other steps we have taken to detect, identify, assess, classify, and attempt to mitigate data security and privacy risks include:

Adopting and periodically reviewing and updating information security and privacy policies;
Conducting targeted audits and penetration tests throughout the year, using both internal and external resources;
Complying with the Payment Card Industry Data Security Standard (PCI-DSS);
Implementing an Information Security Management System (ISMS) and Privacy Information Management System (PIMS) which are certified as meeting the requirements of the ISO 27001 & ISO 27701 standards, respectively;
Engaging an industry-leading, suitably qualified and experienced third party to independently evaluate our information security systems on a regular basis;
Adopting a vendor risk management program, which includes receiving the results of cybersecurity and data privacy audits conducted on certain vendors engaged in high-risk data processing;
Providing security and data protection training and awareness to our employees, contractors and key partners with access to any sensitive information and systems; and
Maintaining cyber liability insurance.

We also understand the importance of collecting, storing, using, sharing, and disposing of personal information in a manner that complies with all applicable laws. To facilitate compliance with those laws, we have privacy policies in place regarding our treatment of customer data in both our offline and online environments, as well as policies relating to the protection of employee and vendor data. Our policies provide explanations of the types of information we collect, the rationale for such collection, how we use and share information, and generally describe the measures we take to protect the security of that information. Our policies also describe how customers may initiate inquiries and raise concerns regarding the collection, storage, sharing and use of their personal data.

At this time, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For additional information regarding risks from cybersecurity threats, please refer to Item 1A “Risk Factors - Cybersecurity and Technology Risks.”

Governance

Cybersecurity and data protection fall under our overall risk management and oversight. Our Board of Directors periodically receives reports from our operations committee, cybersecurity management, external professional advisors, and other relevant Company personnel regarding various types of risks faced by the Company and the Company’s risk mitigation efforts related thereto, including cybersecurity risks and related mitigation efforts.

The Board also receives presentations from management regarding trends in cybersecurity risks and risk mitigation initiatives and plans, including briefings on recent breaches at other companies and key takeaways and lessons learned that are applicable to our business. The Board will also periodically review key cybersecurity-related benchmarks for the Company.

The Company has a dedicated Security Forum and a Data Protection Committee comprising members from our senior leadership that convene on a regular basis to receive updates from our operations committee, cybersecurity management, external professional advisors, and other relevant Company personnel about the Cybersecurity & Privacy programs we have in place; discuss and assess material risks and planned risk mitigation, incidents and planned remediation efforts, and trends observed; consider cybersecurity-related proposals; and review and adopt changes in cybersecurity policies.

Management’s Responsibilities

In the event we identify a potential cybersecurity or data privacy issue, we have defined procedures for responding to such issues, including procedures that address when and how to engage with Company management, our Board of Directors, other stakeholders, and law enforcement when responding to such issues. We have a dedicated management team overseeing our cybersecurity and data privacy initiatives, led by our Chief Information Officer, our Vice President and Global Data Privacy Officer, and our Vice President of Cybersecurity, each in consultation with professional advisors. Our Chief Information Officer has over 25 years’ experience overseeing and managing information technology teams and complex IT systems, and our Vice President of Cybersecurity has over 15 years’ experience developing and managing cybersecurity functions and strategies. Our Vice President of Global Data Privacy is a recognized leader in the industry with over ten years of experience in managing global data privacy programs. Our cybersecurity and data privacy management team regularly meets with senior executives and other team members to provide oversight with respect to our cybersecurity and data privacy risk detection, identification, assessment, classification, and mitigation efforts.