GOLDEN ENTERTAINMENT, INC. - (GDEN)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY 
Cybersecurity Risk Management and Strategy
Maintaining and improving our cybersecurity capabilities is a high priority for our business. We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan.
We design and assess our cybersecurity risk management program based on the National Institute of Standards and Technology Cybersecurity Framework. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use industry standard frameworks as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. We use an overall risk management process by coordinating with other departments such as human resources, legal, finance, accounting, and business operations.
As part of our cybersecurity risk management program, we regularly perform a comprehensive risk assessment to help identify material cybersecurity risks, including vulnerability analysis, industry-specific risks, and required regulatory adherence. We also use external third-party service providers, where appropriate, to assess, test or otherwise assist us with aspects of our cybersecurity program. We manage material risk from cybersecurity threats by implementing a three-year strategic plan addressing the design, implementation, monitoring, and maintenance of preventative technologies and controls related to cybersecurity. This plan is reviewed and tailored annually for any relevant changes in business operations or new initiatives. In addition, our cybersecurity risk management program includes (1) a security team principally responsible for managing our cybersecurity risk assessment processes, our security controls, our response to cybersecurity incidents, and the performance of our managed security service provider; (2) a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and (3) a third-party risk management process for service providers, suppliers and vendors. State privacy laws are continually evaluated and applied as required. In addition, the Nevada Gaming Control Board issues information technology internal control standards, which we use to evaluate our internal and external audit procedures on an annual basis.
We also maintain cybersecurity awareness and training programs through our learning management platform as well as through our internal policies and certifications, which are subject to review and oversight by our management and our Board of Directors. All newly hired team members are required to take training courses with particular focus on the acceptable use of technology and related cybersecurity risks. E-mail phishing training and testing are performed routinely throughout the year.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Cybersecurity Governance
Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee of our Board of Directors oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program. The Audit Committee receives semi-annual reports from our General Counsel and Chief Technology Officer on our cybersecurity risks and the implementation of our cybersecurity risk management program. In addition, management updates the Audit Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential.
The Audit Committee reports to our Board of Directors regarding its activities, including those related to cybersecurity. Our Board of Directors also receives briefings from management on our cyber risk management program, including presentations on cybersecurity topics from our Chief Technology Officer, internal security staff or external experts as part of the Board’s continuing education on topics that impact public companies.
Our management team has formed a dedicated group, including our General Counsel, Chief Technology Officer, and key information technology team members from our information technology security, compliance, vendor management office and our project management office, that is responsible for assessing and managing our material risks from cybersecurity threats. This group meets on a monthly basis to discuss cybersecurity and privacy matters and to evaluate new technologies from a security, operational, and regulatory perspective prior to their implementation. Their findings are summarized in a comprehensive report that is reviewed by our Audit Committee. Our Chief Technology Officer has over 30 years of experience in cybersecurity related to infrastructure (on-premises and cloud based), security (managed both internally and by third-party providers), and development (agile and waterfall methodologies). Our Chief Technology Officer is supported by a team of information security and compliance professionals and third-party partners.
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.