Norwegian Cruise Line Holdings Ltd. - (NCLH)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Our Board of Directors and management team recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. Our cybersecurity risks are considered individually as part of our enterprise risk management program alongside other risks, and are prioritized and discussed with our Board of Directors.

Our internal Security Operations Center (“SOC”) has primary responsibility for assessing, identifying, and managing material risks associated with cybersecurity threats, and provides information security monitoring for both shoreside and shipboard information systems and applications. The SOC is a team comprised of cybersecurity professionals who are responsible for real-time incident response management for our IT infrastructure, which includes our websites, applications, databases, servers, network devices and components and workstations. They are trained and equipped to identify, contain, analyze and investigate any perceived security threats as well as assist internal users with any information security questions or reported issues, such as phishing/scam emails, information security concerns and security solution related access or performance issues.

As part of our cybersecurity program, team members are offered cybersecurity training and participate in awareness programs, including phishing simulation exercises, regular cybersecurity newsletters and reminders, and programming and events during cybersecurity awareness month.

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those who have access to our customer, prospect, supplier or employee data or our systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We generally require that third-party service providers that access, host our data, or could otherwise introduce cybersecurity risk to us, enter into contracts that obligate them to manage their cybersecurity risks in certain ways and report any cybersecurity incidents to us.

We engage third-party advisory firms to conduct assessments of the maturity of our security program and, among other measures, work to be Payment Card Industry (“PCI”) compliant where required. We also maintain incident response procedures and business continuity and contingency plans and periodically hire third parties to conduct vulnerability analyses. We also compare our processes to standards set by the National Institute of Standards and Technology (“NIST”) and/or International Organization for Standardization (“ISO”), as appropriate.

Governance

The Technology, Environmental, Safety and Security (“TESS”) Committee of our Board of Directors oversees our programs and policies related to data protection and cybersecurity and receives updates on related risks from our Chief Information Security Officer on at least an annual basis, and more often as the circumstances require. The Audit Committee of our Board of Directors also receives updates, at least annually, from our Chief Information Officer and/or Chief Information Security Officer regarding cybersecurity and other information system compliance matters that may pose risks to our financial reporting or operations.

Our Chief Information Security Officer is responsible for our overall data security and cybersecurity risk reduction efforts, including information security compliance, training and awareness and application, network and system security. Our Chief Information Security Officer has 25 years of prior experience in the fields of information systems, cybersecurity, risk management, and infrastructure management. Our Chief Information Security Officer holds master’s and bachelor’s degrees in both Computer Information Systems and Business Administration and the following certifications: Certified Internal Controls Auditor (CICA), Payment Card Industry Professional (PCIP), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC).

We discuss risks related to cybersecurity threats under the heading “Breaches in data security or other disturbances to our information systems and other networks or our actual or perceived failure to comply with requirements regarding data privacy and protection could impair our operations, subject us to significant fines, penalties and damages, and have a material adverse impact on our business, financial condition and results of operations” included as part of our risk factor disclosures in Item 1A of this Annual Report, which disclosures are incorporated by reference herein. We are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business, including our business strategy, results of operations, or financial condition, and any expenses we have incurred from cybersecurity incidents were immaterial.