Park Hotels & Resorts Inc. - (PK)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.
Park maintains comprehensive technologies and programs to help ensure our information technology and systems are effective and prepared for data privacy and cybersecurity risks, including oversight of our programs for security monitoring for internal and external threats to help ensure the confidentiality, availability and integrity of our information assets.
Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
Park's Audit Committee oversees its cybersecurity risk assessment, risk management and risk mitigation policies and programs. Park's Enterprise Risk Management ("ERM") Committee reports to the Audit Committee and is responsible for identifying Park's cybersecurity risks. Park also has a dedicated Risk Management team that reports to the ERM Committee, which includes representatives from several departments, external consultants and insurance professionals who interface with brand and management partners to assist with risk mitigation at our properties. Additionally, we have engaged third-party service providers to assist with risk mitigation activities, implementing security monitoring capabilities designed to alert us to suspicious activity, and developing an incident response program that is designed to restore business operations as quickly and as orderly as possible in the event of a cybersecurity incident. Our cybersecurity incident response plan requires prompt notification of senior management in the event of a cybersecurity incident that has affected or is expected to affect the Company and prompt briefings on subsequent developments as appropriate. We have undertaken table-top risk exercises and employees participate in mandatory annual trainings and receive communications regarding the cybersecurity environment to increase awareness throughout the Company. The Company's cybersecurity program is based on the U.S. National Institute for Standards and Technology Cybersecurity Framework. We use a risk-based approach with respect to our use and oversight of third-party service providers, tailoring processes according to the nature and sensitivity of the data accessed, processed, or stored by such third-party service provider and performing additional risk screenings and procedures, as appropriate.
Management and Board Oversight
Our Chief Financial Officer ("CFO") has significant work experience related to information security issues and oversight and is the executive officer that oversees our cybersecurity program, which includes the implementation of controls to identify threats, detect attacks and protect our information assets. Our dedicated ERM Committee, which includes our CFO and certain members of our executive leadership team, provides principal oversight and guidance of our cybersecurity risk management programs and processes. While our Board has overall responsibility for risk oversight, our Audit Committee oversees cybersecurity risk matters. Our Audit Committee is responsible for reviewing and overseeing the Company's data privacy, information technology and security and cybersecurity risk exposures and the guidelines, programs and steps implemented by management to assess, manage and mitigate any such exposures. The ERM Committee reports to the Audit Committee at least annually on the Company's enterprise risk management and will report security instances to the Audit Committee as they occur, if material.
Cybersecurity Risks
In addition to the reliance on our own information technology systems, we rely on the information technology systems of our hotel managers to protect proprietary and customer information as well as our third-party service providers who support key portions of our operations. Any compromises of our own network or the networks of our hotel managers or third-party service providers could materially affect our business, financial condition and results of operations. For a discussion of our cybersecurity risks, refer to "Part I - Item 1A. Risk Factors - Risks Related to Our Business - Cyber threats and the risk of cybersecurity incidents affecting our information technology systems or the information technology systems of our hotel managers or third-party service providers could materially adversely affect our business" included elsewhere within this Annual Report on Form 10-K. Although we have experienced cybersecurity incidents, to date, none have had a material adverse effect on us. We carry insurance that helps provide protection against the potential losses arising from cybersecurity incidents, although we may incur expenses and losses related to a cybersecurity incident that are not covered by insurance or are in excess of our insurance coverage.
29