Six Flags Entertainment Corp - (SIX)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
We appreciate the importance of cybersecurity in maintaining the trust and confidence of our guests, employees, and business partners, and we are committed to upholding the highest standards of network and data security throughout our operations to protect our various stakeholders. Our cybersecurity risk management program is integrated into our overall enterprise-level risk management system and shares common communications channels and response processes that apply to other legal, compliance and operational risk areas addressed by our enterprise-level risk management program. Our technology infrastructure and information systems are central to our sales of admissions products, such as single day tickets, season passes, and Six+ memberships, as well as in-park offerings of food, beverages and merchandise. We also use our technology platforms to interact with suppliers and make payments. Our technology infrastructure and information systems also form the foundation for our accounting and finance systems and our disclosure and accounting control environment. Our internally developed technology systems, as well as those we license from third parties, could each face breaches from cybersecurity threats. These threats include terrorist or hacker attacks, the introduction of malicious computer viruses, ransomware, theft of intellectual property or other security breaches. Such attacks have become increasingly sophisticated, and we expect they will continue to evolve as threat actors increase their use of artificial intelligence and machine-learning technologies.
To protect against cybersecurity threats to our business, our Board of Directors and management team take a comprehensive approach to cybersecurity risk management as part of our overall enterprise-level risk management program. Our Board and our management actively oversee the management of cybersecurity risks and have established processes for identifying, assessing and managing material risks from cybersecurity threats.
We design and assess our cybersecurity risk management program in accordance with National Institute of Standards (NIST) standards and guidelines to protect all proprietary and guest data. Key components of our cybersecurity risk management program include the following:
Mandatory Cyber Training – All Six Flags team members complete a mandatory Cybersecurity Training during the onboarding process on how to identify, assess, and manage risks from cybersecurity threats. Mandatory ongoing cybersecurity training is also conducted throughout the year for all team members.
Response Readiness and Incident Response Plan – We have developed a comprehensive Incident Response Plan which documents and describes our Cybersecurity Response Readiness and includes detailed procedures to help guide our team members in the event of a Cybersecurity Incident. This includes incident response report templates, which are readily available to document and report to management on incident response activities. The response plan details processes, responsibilities, escalations and other communication channels for reporting, evaluating and responding to cybersecurity incidents. Reporting paths range from addressing an incident within our IT team to escalating incidents to our Audit Committee and to our Board of Directors, as appropriate.
Internal and External Penetration Testing – We conduct regular Internal and External Penetration Testing to identify and assess network security vulnerabilities. Six Flags IT evaluates and remediates vulnerabilities based upon business impact and exploitability.
Vulnerability Scanning and Automated Cyber Risk Management and Compliance – We conduct monthly proactive vulnerability scanning to detect and address security weaknesses within IT systems. We have partnered with a third-party solution to identify and provide visibility and insight into existing risks. The solution collects data from our vulnerability scanning process to identify and analyze risks, prioritize remediation based upon business goals, and provide robust reporting and visual dashboards.
Disaster Recovery Plan – Our Disaster Recovery Plan is documented to provide guidance and outline processes used to recover or continue operations of critical IT infrastructure and systems in the event of natural or human disasters.
Third-Party Security Risk Management – We use a Vendor Risk Management Questionnaire to document third-party vendors’ security controls and governance policies. The questionnaire allows us to systematically assess risk that may be introduced by third-party vendors and ensures alignment with our security and compliance standards.
As of the date of this Annual Report on Form 10-K, the Company has not experienced any material cybersecurity incidents and we are not aware of any cybersecurity risks that are reasonably likely to materially affect the Company. However, we face ongoing risks of cybersecurity threats that, if realized, could result in the loss of sensitive business or customer information, disruption to our systems and operations, expose us to litigation and reputational risk and adversely affect our guests, employees or business partners. For additional information on the risks we face from cybersecurity threats, see Item 1A. Risk Factors – “Cyber-attacks could have a disruptive effect on our business.”
Cybersecurity Governance
Our Audit Committee has primary oversight of the Company’s information security programs, including cybersecurity. Our internal audit department, together with third parties that we engage, reports to our Audit Committee and audits the Company’s information security programs. Our Chief Digital Officer, who oversees our information security training and awareness program, also updates the Audit Committee on a quarterly basis regarding information security matters. Our Audit Committee and Chief Digital Officer also provide the full Board of Directors with updates no less than annually, relating to information security and cybersecurity risks. These updates include a review of the appropriateness of our various procedures related to the security of our network and data, as well as the evaluation of new and existing technologies and their effectiveness in meeting our business objectives.
Finally, management and other departments involved in our cybersecurity program participate in industry groups related to cybersecurity risk management, and our IT Security Team employs third-party services to gain independent perspectives on our cybersecurity program. For example, our IT Security Team belongs to various Cybersecurity Threat Advisory Committees to keep up to date on the latest threats and vulnerabilities. Technical details regarding risks and exposures associated with vulnerabilities are shared via subscription emails by these committees. In addition, we conduct annual Third-Party Posture Assessments to review the security processes and procedures that we have in place. The assessment is an unbiased review which provides credibility and trust with regard to Six Flags’ security posture. We also ensure our Payment Card Industry (PCI) compliance by working extensively with an external independent advisor to review and audit our systems, security measures and processes to protect cardholder data. We maintain cybersecurity insurance that we believe is appropriate for the size and complexity of our business, which provides protection against the potential losses arising from a cybersecurity incident. However, there is no guarantee that our insurance coverage limits will sufficiently protect us against any future claims.