WW INTERNATIONAL, INC. - (WW)
10-K Filing Date: February 28, 2024
In the ordinary course of business, we provide proprietary content and we collect, store and use confidential information (including, but not limited to, personal customer information and data) in connection with providing our products and engaging our employees and contractors. We have developed systems and processes designed to protect such content and information and we maintain cybersecurity insurance coverage. Our Board of Directors (the “Board”) and management recognize the critical importance of protecting the confidentiality and integrity of such information and data and maintaining the trust and confidence of our members, business partners, employees, contractors and shareholders, as well as complying with applicable regulatory requirements and contractual obligations.
The Board and its committees actively oversee the Company’s risk management program. Cybersecurity threats and related risks are an important component of the Company’s overall approach to enterprise risk management (“ERM”). We annually examine our cybersecurity program with third parties, evaluating its effectiveness in part by using industry standards and established frameworks, such as those published by the National Institute of Standards and Technology (NIST), as guidelines. Cybersecurity risk management is a Company-wide initiative. In general, the Company seeks to address cybersecurity risks through a comprehensive, multi-disciplinary approach that is focused on preserving the confidentiality, security, and availability of the information that the Company collects and stores by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Risk Management and Strategy
As one of the elements of the Company’s overall ERM program, the Company’s cybersecurity program includes the following key areas:
The Company engages in regular evaluations of the Company’s policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including tabletop exercises and vulnerability testing, focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on certain of our cybersecurity measures, including audits and penetration testing. For example, we annually engage qualified third-party auditors to independently assess and attest to and/or provide certifications of compliance with the HIPAA Security Rule and Privacy Rule, SOC 2 Type 2, the Payment Card Industry Data Security Standard (PCI DSS), and UK Cyber Essentials. The results of such assessments, audits and reviews are presented to the Audit Committee and members of the Board, as appropriate, and the Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on such assessments, audits and reviews.
Governance
The Board, in coordination with the Audit Committee, oversees the Company’s ERM process. The Audit Committee oversees our cybersecurity program, as well as the steps management has taken to monitor and control cybersecurity threats and related risks. This oversight includes receiving reports on the regular assessments of the Company’s disclosure controls and procedures to ensure that current practices account for material cybersecurity risks facing the Company. The Audit Committee receives presentations on the cybersecurity program and related risks on at least a quarterly basis. These presentations address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to the Company’s peers and third parties. The Audit Committee, and the full Board as necessary, also receive prompt information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. The Audit Committee routinely meets with our Chief Technology Officer (“CTO”) and Chief Information Security Officer (“CISO”) as well as outside experts as appropriate to assess cybersecurity risks and to evaluate the status of the Company’s cybersecurity efforts, which include a broad range of tools and training initiatives that work together to protect the data and systems used in our businesses.
Our cybersecurity management team includes our CISO and Director of Security Operations, Data Privacy Officer, CTO, Chief Financial Officer, General Counsel, and Head of Internal Audit. The CISO, in coordination with the team, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. Those plans also dictate notification to Company management based on the severity of the incident. The cybersecurity management team meets regularly to review cybersecurity and data privacy strategy, receive updates, and consider the Company’s current risk posture. The team meetings also build leadership consensus on cybersecurity risk management and tolerance. In the event they become aware of a cybersecurity threat or incident, employees are expected to follow established lines of communication to notify the relevant members of the cybersecurity management team and allow the relevant team members to coordinate the evaluation and response to such threats and incidents as necessary. To facilitate the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and the rest of the cybersecurity management team monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to other members of senior management and the Audit Committee when appropriate.
The CISO and Director of Security Operations has worked in the information security field for over 15 years and holds an undergraduate degree in computer systems management and master’s degrees in both cybersecurity and technology management. He has also attained multiple cybersecurity-related professional certifications and licenses, including Certified Information Systems Security Professional, and is an adjunct professor of cybersecurity at New York University and Fordham University. The CTO holds a master’s degree in microengineering and has served in various leadership roles in computer engineering for more than 20 years.
While we have experienced cybersecurity incidents in the past, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, financial condition, cash flows or reputation. However, cybersecurity threats and/or incidents could have a material effect on the Company. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. For additional information regarding the cybersecurity risks we face, see “Item 1A. Risk Factors— Risks Related to Technology, Security and Intellectual Property” of this Annual Report on Form 10-K.