Light & Wonder, Inc. - (LNW)
10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We have developed, implemented and maintained robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. These measures are included within our overall risk management process. As part of this process, all detected cybersecurity threats and incidents are logged and escalated to the Chief Information Security Officer (“CISO”) and Chief Compliance Officer, who report to our Chief Legal Officer.
We follow a formal cybersecurity incident response policy, which provides for the use of third-party service providers where circumstances make it necessary. Our cybersecurity incident response policy is aligned with the standards set forth by the International Organization for Standardization (“ISO”) and the National Institute of Standards and Technology (“NIST”), and it includes proactive steps to prepare for attempts to compromise our information systems. To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against, detect and respond to cybersecurity incidents, we undertake the below activities:
•closely monitor emerging data protection laws and implement changes to our processes designed to comply;
•undertake an annual risk assessment and review of our consumer facing policies, business changes and statements related to cybersecurity, or more frequently as needed;
•proactively inform our customers of substantive changes related to customer data handling;
•conduct annual customer data handling and use requirements training for all our employees and contingent workers;
•conduct annual cybersecurity management and incident training for employees and contingent workers involved in our systems and processes that handle sensitive data;
•conduct regular phishing email simulations for all employees and all contingent workers with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
•through policy, practice and contract (as applicable) require employees, as well as third parties who provide services on our behalf, to treat customer information and data in accordance with local laws and regulations;
•run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies; and
•use an internal well-tested incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident.
Where circumstances dictate the use of third-party service providers, such services include regular assessments of our cybersecurity program including cyber maturity assessments and penetration tests; evaluation and approval of our critical business partners and vendors; and participating in incident response processes. As part of our cybersecurity incident response policy, we identify, evaluate and mitigate any risks posed from engaging with any third-party service provider. In 2023 we did not experience any cybersecurity incident that materially affected or was reasonably likely to materially affect our operations, business, results of operations, cash flows or financial condition.
Governance and Oversight
The Board of Directors is central to oversight of cybersecurity risks. The Board of Directors is composed of members with diverse expertise, including risk management, technology, finance and legal, and they have appropriate access to management and third parties (as deemed necessary), equipping them to oversee cybersecurity risks effectively. Day-to-day cybersecurity monitoring and oversight activities are delegated to management.
Our CISO is primarily responsible for assessing, monitoring and managing cybersecurity risks as well as overseeing employee training programs. Our CISO has served in this role since July 2019, has a Master’s Degree in Information Security from the University of London, has been working in technology risk management since the early 1990s, holds Certified Information Systems Security Professional status and is a member in good standing of the Institute of Electrical and Electronics Engineers (“IEEE”) and the International Information System Security Certification Consortium (“ISC2”). The CISO reports at least annually to the Board of Directors on material cyber risks, including those identified in our business and rising threats, and the current state of L&W’s information security and will continue to do so on a regular basis as needed.
The CISO and his team evaluate quantitative and qualitative factors to determine if a cybersecurity threat or incident needs to be escalated to other members of management and ultimately to the Board of Directors. The factors evaluated include but are not limited to: actual or potential monetary damages, number of impacted employees or customers, nature of the records compromised, potential impact on customer relationships, public knowledge and likely effect on L&W’s reputation. Depending on the severity of the impact on these factors, management, including the CISO, Chief Compliance Officer, Chief Accounting Officer (“CAO”) and Chief Legal Officer, meets as part of a management committee to determine if an incident is material. In the event the management committee determines that a cybersecurity incident or threat is material, the incident or threat is elevated and reviewed with our Board of Directors. The management committee reports all incidents requiring a materiality assessment to the Chief Legal Officer, regardless of whether such committee ultimately determines a cybersecurity incident to be material.
For additional information regarding how cybersecurity threats could materially affect or are reasonably likely to materially affect our business strategy, results of operations or financial condition, see the risk factors captioned “Our success depends on the security and integrity of the systems and products we offer, and security breaches, including cybersecurity breaches, or other disruptions could compromise our information or the information of our customers and expose us to liability, which would cause our business and reputation to suffer,” “We rely on information technology and other systems, and any failures in our systems or errors, defects or disruptions in our products and services could diminish our brand and reputation, subject us to liability and have disrupted and could disrupt our business and adversely impact our results,” and “If we or a company we acquire sustains cyber-attacks or other privacy or data security incidents that result in security breaches, we could suffer a loss of sales and increased costs, exposure to significant liability, reputational harm, regulatory fines or punishment and other negative consequences” under the heading “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.