HOST HOTELS & RESORTS, INC. - (HST)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity and availability of our critical systems and information. We design and assess our program using components of the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"). This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Our cybersecurity risk management program is led by our senior vice president of information technology who has over 20 years of experience in information technology development and capabilities. Our cybersecurity risk management program includes the following key components, which allow the management team to stay informed about and monitor the prevention, detection, mitigation and remediation of key cybersecurity risks and incidents:
implementing technologies to proactively monitor vulnerabilities and reduce risk, maintaining security policies and standards, and regularly updating our response planning and protocols;
maintaining business continuity, contingency and recovery plans, including a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
retaining a third-party cybersecurity provider for emergency incident response services;
annual assessments of our cybersecurity risk management program by a third-party security firm, as well as semi-annual vulnerability assessments and penetration testing by external service providers;
cybersecurity awareness training for employees as well as senior management, including quarterly refresher training; and
annual cybersecurity assessments of certain third-party service providers with access to our employee data.
Our cybersecurity risk management program and processes, as described in this section, do not encompass the information technology systems of our third-party managers. As a REIT, we are required to retain third-party managers to run all operational aspects of our hotels, and our hotel managers are dependent on information technology networks and systems that they procure and manage directly or through their own third-party service providers, to access, process, transmit and store proprietary and hotel customer information. We do not have access to these systems or to hotel customer information, and we rely on the security programs, processes and systems of our managers to protect hotel operations and customer information from cybersecurity threats.
As of February 23, 2024, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. While we have not been materially affected by known cybersecurity threats affecting the Company, we and our hotel managers continue to face risks from cybersecurity threats that, if realized, could materially adversely affect us in the future. For more information on the risks related to cybersecurity threats, including threats faced by our hotel managers, see Part 1 Item 1A. "Risk Factors — Cyber threats and the risk of data breaches or disruptions of our managers' or our own information technology systems, or the information technology systems of third parties on which we or our managers rely, could materially adversely affect our business and results."
Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management's implementation of our cybersecurity risk management program. The Audit Committee receives semi-annual updates on topics related to information security and cyber risks and readiness from our management team, including our senior vice president of information technology. Management updates the Audit Committee, as necessary, regarding any significant cybersecurity incidents. The Audit Committee reports to the full Board regarding its activities, including information security and cybersecurity risks, which are presented to the full Board at least annually as part of the Board's oversight of enterprise risk management.