Global Business Travel Group, Inc. - (GBTG)
10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity
We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities and test those systems pursuant to our cybersecurity policies, standards, processes and practices, which are integrated into our overall risk management system.
We take a risk-based approach to cybersecurity aligned with National Institute of Standards and Technology (NIST) principles and have implemented controls throughout our operations that are designed to address cybersecurity threats and incidents. To protect our information systems from cybersecurity threats, we use various security tools that are designed to help us identify, escalate, investigate, resolve and recover from security incidents in a timely manner.
Our cybersecurity program and policies articulate the expectations and requirements with respect to acceptable use, education and awareness, security incident management and reporting, identity and access management, vendor due diligence, security (with respect to physical assets, products, networks, and systems), security monitoring and vulnerability identification. Our cybersecurity program and policies are operated by a dedicated cybersecurity operations team in conjunction with our enterprise Risk Management and Compliance program.
Our cyber risk management program identifies, tracks, escalates, remediates, and reports cyber-related risks throughout the Company. These risk areas include internal, product, vendor, supply chain, and external services utilized across the Company. These risks are assessed, prioritized, and both tactically and strategically addressed via process, technology, and personnel improvements to ensure ongoing mitigation and tracking. We utilize internal and external resources to monitor for cybersecurity threats to our systems and networks and to understand the broader threat environment.
Our cybersecurity strategy is guided by prioritized risk, identified areas for improvement based on the NIST Cybersecurity Framework, and emerging business needs. Cybersecurity risks are continually monitored and shared with the executive leadership team on a quarterly basis. We maintain a global incident response plan, coupled with a global continuous monitoring program. This plan and program include incident alerting, comprehensive incident criticality assessments, and escalation processes designed to support our teams, our senior leadership, and the Board. This escalation process also includes cross-functional materiality determinations and applicable reporting requirements.
Our cybersecurity operations team manages all facets of cybersecurity monitoring, coordinating with managed services security providers and internal analysts across the Company. All employees are provided cybersecurity awareness training, which includes topics on our policies and procedures for reporting potential incidents. Our cybersecurity team is continuously evaluating emerging risks, regulations, and compliance matters and updating the applicable policies and procedures accordingly.
Governance
The Board, directly and through its committees, oversees our risk management process, including cybersecurity risks, and regularly receives presentations and reports from management. Pursuant to the Risk Management and Compliance Committee Charter, the Risk Management and Compliance Committee of the Board provides compliance oversight of our risk assessment and risk management policies, which include cybersecurity, and receives regular reports and updates on the steps management has taken to monitor and mitigate such exposures and risks.
Our Chief Information Security Officer ("CISO"), in coordination with our Chief Technology Officer, is responsible for leading the assessment and management of cybersecurity risks. The current CISO has over 25 years of experience in information security and presents to the Risk Management and Compliance Committee on a bi-annual basis concerning our cybersecurity program.