Life Time Group Holdings, Inc. - (LTH)

10-K Filing Date: February 28, 2024
Item 1C. CYBERSECURITY
The operation, integrity and security of our systems and the security of our data and the data of our members, guests and employees is critical to us. We have therefore developed and maintain a cybersecurity program designed to safeguard our systems from unauthorized access and to protect the confidentiality, integrity and availability of our data and the data of our members, guests and employees from external and internal threats.
Risk Management and Strategy
We take a risk-based approach with our cybersecurity program that has been designed in accordance with the National Institute of Standards and Technology (“NIST”) cybersecurity framework. Our program focuses on a variety of potential material risks including operational (including unauthorized access), financial, reputational and compliance-related. We analyze these risks based on numerous factors and also weigh their likelihood and potential impact. This analysis is led by our Chief Digital Officer and Chief Information Security Officer as detailed below under “—Governance.” Additionally, we have identified cybersecurity as a credible technology-related risk under our enterprise risk management (“ERM”) program. Our Chief Digital Officer is the owner of our technology risks and is therefore charged with executing controls to monitor and mitigate cybersecurity risks through people, processes and technology. Our ERM Committee is comprised of Company leaders and meets at least quarterly to consider, among other matters, the effectiveness of risk monitoring and mitigation and the expected frequency, severity and trend of our credible risks, including cybersecurity.
We seek to continuously improve our program within the NIST framework based on our risk assessment as well as our business needs and industry trends. We also apply administrative, operational and technical security controls to handle and process our data and the data of our members, guests and employees in a responsible and secure manner, including through various internal policies and standards governing information security. We leverage the expertise and advice of third parties to conduct audits, assessments, tabletop exercises, penetration testing and other reviews to assist us in identifying and implementing improvements to our cybersecurity program and aligning it with the NIST framework and our overall ERM program.
Our cybersecurity program includes ongoing vulnerability and risk management processes along with a managed security service provider that utilizes a detection and response solution to provide us with 24/7/365 monitoring and alerting. We have developed an incident response plan that is designed in accordance with the NIST framework to facilitate (1) identification and containment of any cybersecurity incidents; (2) remediation of identified vulnerabilities; (3) mitigation of disruption to critical information systems; and (4) assessment of what occurred, notification of affected individuals as necessary and mitigation of consequences that may arise from any unauthorized access. This plan also identifies and describes the roles and responsibilities of our incident response team, including investigation and escalation as appropriate up to and including our Audit Committee or Board of Directors.
Our cybersecurity program also addresses risks associated with third-party service providers who may access or integrate with our systems and data. Our processes include having such third parties complete a cybersecurity questionnaire, agree to appropriate contractual obligations and provide annual evidence of their compliance where applicable.
While we experience cybersecurity threats during the normal course of business, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected us, and we do not believe they are reasonably likely to materially affect us, including with respect to our business strategy, results of operations and financial condition.
Governance
Our Board of Directors oversees risk management of our business and accomplishes this oversight primarily through the Audit Committee. Our Audit Committee discusses the Company’s policies with respect to risk assessment and risk management, including guidelines and policies to govern the process by which the Company’s exposure to risk is handled. As part of this process, our Audit Committee oversees our ERM program including risks related to privacy, data and information security, including cybersecurity. Management presents to the Audit Committee at least annually on our cybersecurity program and risks related thereto, and then the Audit Committee reports on that presentation to our Board of Directors. The presentations may address (1) the current cybersecurity landscape and emerging threats; (2) the status of ongoing cybersecurity initiatives and strategies; (3) incident reports and learnings from any cybersecurity incidents; and/or (4) compliance with regulatory requirements and industry standards. In addition, our executive team may report specific cybersecurity incidents to the Audit Committee or Board of Directors outside of a regularly scheduled meeting based on the impact of the incident. Our internal escalation process is set forth in our incident response plan.
Our Executive Vice President and Chief Digital Officer is our executive team member responsible for our cybersecurity program and our Chief Information Security Officer (“CISO”) leads the program. Together they provide updates to the ERM Committee and present to our Audit Committee at least annually. In addition, we have established an incident response team comprised of a cross-functional group of team members who manage our response to any cybersecurity incident pursuant to our incident response plan.
Our CISO has an undergraduate degree in Management Information Systems, decades of cybersecurity and technology experience and broad industry-wide experience, including in hospitality, retail, medical, energy and government. Members of our cybersecurity team have over 100 years of combined cybersecurity experience and hold professional certifications from security organizations such as ISC2 and SANS Institute that include Certified Information Systems Security Professional (CISSP), GIAC Web Application Penetration Tester (GWAPT), GIAC Penetration Tester (GPEN), GIAC Certified Intrusion Analyst (GCIA) and GIAC Certified Forensic Analyst (GCFA). Our cybersecurity team also stays informed on the latest developments in cybersecurity, including trends, risks, threat vectors and attack mechanisms, through security and compliance-related seminars, conferences, continuing education training, news feeds and forums, and our CISO sits on various CISO committees and roundtables. Our CISO’s knowledge and experience, coupled with the expertise and advice we receive from third parties, are instrumental in assessing and managing our cybersecurity program, including our strategy, security engineering, security operations, cybersecurity awareness and training, information technology governance and compliance, and cyber threat identification, assessment, management, mitigation and response.