United Parks & Resorts Inc. - (PRKS)
10-K Filing Date: February 29, 2024
Cybersecurity Risk Management and Strategy
We have an established process led by our Chief Information Officer (“CIO”) that governs how we assess, respond and report, internally and externally, the occurrence of cybersecurity incidents and threats. Typical incidents and threats are cataloged and reported to the CIO on a weekly basis together with details regarding the mitigation actions implemented as well as other possible mitigation actions that could be implemented to mitigate or prevent future similar incidents. Urgent or severe incidents are reported to the CIO immediately where triage then begins and does not end until the threat has been mitigated. Depending on the nature and severity of an incident, our process provides for escalating notification to our CEO and the Board including the Chairman of the Board, our Lead Independent Director and the Audit Committee chair. Otherwise, the Audit Committee receives quarterly reports that summarize the new threats identified over the quarter as well as threats that were mitigated over the quarter, with details on the quantity, severity, and addressability of the incidents.
The Company has adopted the Center for Internet Security (“CIS”) framework for cybersecurity defense. The CIS framework is a leading set of best practices for cybersecurity policies and procedures created by the non-profit Center for Internet Security, which are used or referenced by multiple legal, regulatory, and policy frameworks. The CIS framework includes: (1) a prioritized set of safeguards to mitigate the most prevalent cyber-attacks against systems; and (2) a set of recommended actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks.
Our approach to cybersecurity risk management includes the following key elements:
We regularly receive vulnerability threat information from our product vendors as well as CIS and other third-party sources. In order to prioritize mitigation efforts, we categorize threats based on likelihood of occurrence and the potential severity of an incident related to the threat. The Information Technology Department reports overall threat collection and mitigation status at least monthly to the CIO and at least quarterly to the Board and ERMC.
Cyber threats are discussed routinely (weekly, monthly, and quarterly) and ad-hoc based on the activities of that time. These threats are used to gauge the size and competency of the organization, the effectiveness of our tools, the sensitivity of the applications we use, and the security of the fundamental architecture that our system is built upon. This then drives decisions for staff, tools, and changes that may require capital or other funding.
We conduct third-party penetration testing on both a routine and ad-hoc basis. Routine penetration testing occurs at least annually and focuses on specific elements within our system, usually without notification to any of the Company's employees involved in those systems. Ad-hoc penetration testing occurs when we learn of a specific vulnerability of concern or when we resolve an alert from an imposing threat.
We also conduct table-top cyber exercises on an annual basis to ensure that the organization is prepared in the event that a significant breach actually occurs. These table-top exercises simulate a real cyber event (such as a ransom letter) in order to walk through the response process, gain information regarding how we react to incidents, identify areas of vulnerability, and recommend changes based on the outcome of the exercises.
While we have experienced cybersecurity incidents in the past, to date we do not believe that any risks from any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected the Company or our financial position, results of operations and/or cash flows. We continue to invest in cybersecurity and the resiliency of our networks and continue to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. As discussed more fully under Item 1A – “Risk Factors”, however, the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. No matter how well designed or implemented our cybersecurity controls are, we will not be able to anticipate all security breaches, and we may not be able to implement effective preventative measures against cybersecurity breaches in a timely manner.
Cybersecurity Governance
We recognize the critical importance of maintaining the safety and security of our systems and data and have a holistic process for overseeing and managing cybersecurity and related risks, which includes engagement with both senior management and the Board. Our Board is responsible for overseeing our enterprise risk management activities in general, including those related to cybersecurity, and each of our Board committees assists the Board in the role of risk oversight. The full Board receives an update on our risk management process and the risk trends related to cybersecurity at least annually. Further, the Audit Committee specifically assists the Board in its oversight of risks related to cybersecurity. To help ensure effective oversight, the Audit Committee receives reports on information security and cybersecurity from the CIO at least four times a year.
Our cybersecurity function is part of our Information Technology Department and is managed by our CIO, who oversees the management of cybersecurity risk and the protection and defense of our networks and systems. Our CIO has over 30 years of experience assisting IT leadership within the Department of Defense and other federal government agencies with IT architecture and solutions, including cybersecurity. Within the Information Technology Department, these activities are orchestrated through cooperation between our cybersecurity group and our network engineering group. The individuals performing these functions include cybersecurity professionals with broad experience and expertise, including cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance, and include professionals who are qualified as Certified Information Systems Security Professionals. The teams within our cybersecurity group and our network engineering group work together to: identify and mitigate risks; respond to active cyber activity on our networks; respond to recent activity publicized by the Center for Internet Security (CIS) or other reputable cybersecurity organizations; and respond to patches and updates provided by our vendors.
In addition, our Enterprise Risk Management Committee (“ERMC”) considers risks relating to cybersecurity, among other significant risks, and applicable mitigation plans to address such risks. The ERMC is a cross-functional committee that reports to the Executive Leadership Team and is chaired by our Chief Financial Officer. The ERMC meets during the year at least quarterly and receives periodic updates on cybersecurity risks from the CIO, who is a member of the committee.