Hilton Grand Vacations Inc. - (HGV)
10-K Filing Date: February 29, 2024
ITEM 1C. Cybersecurity
Risk Management and Strategy
We recognize the importance of maintaining an integrated cybersecurity risk management system and view our responsibility for cybersecurity management as an enterprise risk, for which we have adopted proactive and defensive safeguards. We maintain layered processes that place responsibility for management and mitigation of cybersecurity risks at both the management and Board level; this structure is modeled after the National Institute of Standards and Technology’s cybersecurity framework, as more fully described below.
We have not previously experienced a cybersecurity incident that has materially affected HGV, including our business strategy, results of operations, or financial condition. However, we cannot be certain that we will not experience such an incident in the future. For information on risks we face from cybersecurity threats, see “Our increasing reliance on information technology and other systems subjects us to risks associated with cybersecurity. Cyber-attacks or our failure to maintain the security and integrity of company, employee, associate, customer, or third-party data could have a disruptive effect on our business and adversely affect our reputation and financial performance” in Item 1A. Risk Factors.
Cybersecurity Governance
Management Level Governance
Our cybersecurity efforts are led by the Chief Technology Officer (“CTO”) and Chief Information Security Officer (“CISO”). The CISO has primary management-level responsibility for assessing and managing our cybersecurity program. The CISO reports to the CTO, who provides regular feedback to other members of the management team on managing material risks from cybersecurity threats.
Our CISO has over 25 years of experience in the field of cybersecurity. His background includes extensive experience as a technology consultant. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies.
Our CTO has extensive experience designing, developing, and utilizing technology products for security operation center services. His technical responsibilities spanned product security, privacy controls, data protection, and identity management. He has also overseen security operations, incident response, threat hunting, security intelligence, analytics, and technical fraud functions and worked with legal response teams at numerous companies, including serving as a Managing Director of a cybersecurity firm. He has advised chief information officers and consulted for boards of directors on cybersecurity related issues and attacks.
Our CISO oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee training program on information security. He is also responsible for keeping HGV apprised of the latest developments in cybersecurity, including potential threats and innovative risk management techniques. We believe this ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The CISO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the CISO is equipped with a well-defined incident response plan. This plan includes immediate actions designed to mitigate the impact and long-term strategies for remediation and prevention of future incidents.
Board Level Governance
The Audit Committee has primary Board-level responsibility for oversight of our cybersecurity and data protection risks and serves as a liaison between management and the full Board. The Audit Committee receives regular reports from our CTO and CISO regarding the primary cybersecurity risks facing HGV and the steps management is taking to mitigate such risks. The CISO and the CTO provide comprehensive briefings to the Audit Committee on a regular basis, generally at least once per quarter. These briefings include:
• Current cybersecurity landscape and emerging threats;
• Status of ongoing cybersecurity initiatives and strategies;
• Incident reports and learnings from any cybersecurity incidents, if applicable; and
• Compliance with regulatory requirements and industry standards.
The Audit Committee also reviews our cybersecurity management strategy and initiatives on a regular basis with our CTO and CISO. Both the Audit Committee and Board will promptly be made aware of any significant cybersecurity incident, as specified in our cybersecurity incident response plan.
Third-Party Engagement
Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants, and auditors, to periodically evaluate and test our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, with the intention of keeping our cybersecurity strategies and processes at the forefront of industry best practices. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements. The cybersecurity program also involves performance of tabletop exercises to test our incident response plan.
Third-Party Oversight
We maintain processes in place to oversee, identify, and mitigate risks from cybersecurity threats related to third-party service providers, including conducting thorough security assessments of third-party service providers before onboarding. We also maintain ongoing compliance monitoring to oversee evolving cybersecurity risks. We generally include minimum information security requirements in our agreements with third-party service providers to address cybersecurity risks.