MARRIOTT VACATIONS WORLDWIDE Corp - (VAC)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
We maintain a cybersecurity program designed to protect our information, and that of our customers, against cybersecurity threats that may result in adverse effects on the confidentiality, integrity, and availability of our information systems.
Governance
Board of Directors
Our Board is responsible for overseeing our processes for assessing and managing enterprise risk, including with respect to cybersecurity. The Board considers our risk profile when reviewing our annual business plan and incorporates risk assessment into its decisions.
Our Board has delegated the primary responsibility for oversight of cybersecurity risk to the Audit Committee. The Audit Committee regularly reviews our cybersecurity and data security risks and mitigation strategies. At least twice each year, the Audit Committee receives reports and presentations from members of our team responsible for overseeing our cybersecurity risk management, including our Senior Vice President, Global Information Security (“SVP-GIS”) and our Executive Vice President and Chief Information Officer (“EVP-CIO”), and periodically receives reports and presentations from third parties. These reports may address a wide range of topics, including recent developments, evolving standards, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. The Audit Committee reports to the Board on data protection and cybersecurity matters. We also have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, reported to the Audit Committee in a timely manner.
Management
We have implemented a cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the escalation of certain cybersecurity incidents.
At the management level, our SVP-GIS is responsible for the assessment and management of risks from cybersecurity threats. Our SVP-GIS has extensive cybersecurity knowledge and skills gained from over 20 years of work experience at the Company and elsewhere and maintains several certifications, including Certified Information Systems Security Professional (“CISSP”) from ISC Squared and Certified Information Security Manager (“CISM”) from the Information Systems Audit and Control Association (“ISACA”). Our SVP-GIS leads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection policies and practices across our business and reports directly to our EVP-CIO. Our SVP-GIS’s direct reports include a number of experienced information security leaders responsible for various aspects of our security program, each of whom is supported by a team of experienced cybersecurity professionals.
The functions that report to our SVP-GIS include: cybersecurity risk management, Payment Card Industry compliance, and security testing; operation of protective security tools and systems; security monitoring, incident response, and digital forensics; security research and development and support for information technology and security functions.
Our SVP-GIS works closely with our Law Department and regularly engages expert consultants and other third parties to assist with assessing, identifying, and managing cybersecurity risks and to oversee compliance with legal, regulatory and contractual security requirements. The EVP-CIO and SVP-GIS also periodically attend Audit Committee meetings to report on any material developments.
Risk Management and Strategy
We employ systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use. Our processes and systems include automated tools and technical safeguards managed and monitored by our cybersecurity team. We currently carry cybersecurity insurance; however, we cannot assure you that we will be able to maintain such policies in the future or that they will be sufficient to cover all potential cybersecurity events or losses we incur in connection with such events.
We require our associates to receive annual training on our information security policies. This may include, but is not limited to, training regarding information classification and handling, data privacy, physical security, phishing, malware and ransomware, social engineering, identifying and reporting information security incidents, and secure credit card handling, as well as additional topics based on job roles and responsibilities. We also maintain written information security policies and procedures that apply to the entire Company and third parties who handle our data or have access to our information technology systems. These policies and procedures establish the framework for our information security program and cover topics such as acceptable use of information systems, security risk management, access management, audit and logging, patching, and security requirements for numerous technologies. These policies and procedures are reviewed at least annually, updated as necessary and integrated into employee training programs and our contracting process. We are also subject to the Payment Card Industry Data Security Standard and we perform an annual self-assessment according to the requirements set forth by the Payment Card Industry Security Standards Council.
Incident Response
We have adopted an Incident Response Plan (the “IRP”) that applies in the event of a cybersecurity threat or incident to provide a standardized framework for responding to cybersecurity incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. The IRP applies to all Company personnel (including third-party contractors, vendors and partners) that perform functions or services that require access to secure Company information, and to all devices and network services that are owned or managed by the Company. The IRP is practiced through walkthroughs and tabletop exercises on at least an annual basis.
The SVP-GIS is responsible for maintaining our IRP. Potentially significant threats are escalated to an interdisciplinary data breach response team (the “DBRT”), which is led by our EVP-CIO and co-chaired by the SVP-GIS, our head of data privacy and a representative from our Law Department. The DBRT is responsible for oversight and handling of significant security threats, incidents, and issues that involve data loss or operational impact to our business through a documented process. Potentially material cyber events are escalated by our EVP-CIO to executive management and reviewed with members of the Company’s Disclosure Committee.
Material Cybersecurity Risk, Threats & Incidents
Routinely, we partner with and use third-party service providers and products that host, manage, or control sensitive data. We and the companies we work with have experienced cybersecurity threats to our data and systems, including ransomware and other forms of malware and computer virus attacks, unauthorized access, systems failures and temporary disruptions. For example, in June 2018, we identified forged and fraudulently induced electronic payment disbursements we made to third parties in an aggregate amount of $10 million resulting from unauthorized third-party access to our email system. Risks from cybersecurity threats, including as a result of such previous incident, have not materially affected us, including our business strategy, results of operations or financial condition for the periods covered by this Annual Report, and we do not believe that such risks are reasonably likely to have such an effect over the long term. Additional information on cybersecurity risks we face can be found in Part I, Item 1A “Risk Factors” of this Annual Report under the heading “Failure to maintain the integrity of internal or customer data or to protect our information systems from cyber-attacks could disrupt our business, damage our reputation, and subject us to costs, fines or lawsuits,” which should be read in conjunction with the foregoing information.