Ryman Hospitality Properties, Inc. - (RHP)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity

We have strategically integrated cybersecurity risk management into our broader enterprise risk management function to promote a company-wide culture of cybersecurity risk management. Our board of directors has general oversight responsibility for our enterprise risk management function, which covers specific areas of focus including competitive, economic, operational, financial (accounting, credit, liquidity and tax), legal, compliance, information technology security programs (including cybersecurity), ESG/corporate social responsibility, political and reputational risks. Our board of directors has delegated oversight of certain of these areas to the committees of our board of directors, including delegating the oversight of our information technology security programs (including cybersecurity) to the audit committee of our board of directors (the “Audit Committee”). We believe this division of risk management-related roles among the committees of our board of directors fosters an atmosphere of significant involvement in the oversight of risk at the board level and complements our risk management policies. The oversight responsibility of our board of directors is facilitated by a management report process that is designed to provide both visibility and transparency to our board of directors about the identification, assessment and management of critical risks and management’s risk mitigation strategies.

Our risk management team, which includes members of senior management, including our Chief Financial Officer (“CFO”), Chief Information Officer (“CIO”) and General Counsel, as well as external consultants, works closely with our information technology department (“IT Department”) to continuously evaluate and address cybersecurity risks relevant to our business and operations. In addition, we have set company-wide policies and procedures that directly or indirectly relate to cybersecurity matters, such as policies related to encryption standards, antivirus protection, access removal, multifactor authentication, confidential information or use of the internet, social media, email and wireless devices. These policies go through an annual internal management review and approval process.

Our CIO and our Vice President of IT (“VP of IT”) are primarily responsible for our overall information security, strategy, policy, security engineering, operations and cybersecurity threat detection and the management of cybersecurity risks. Our CIO and VP of IT, collectively, have over fifty years of experience working in the information technology and cybersecurity field and have extensive experience assessing and managing cybersecurity and information technology programs and cybersecurity risk. Our CIO and VP of IT hold degrees in the information technology and cybersecurity fields, as well as hold certain cybersecurity and other relevant technology certifications. The CIO meets with our Chief Executive Officer (“CEO”), on a weekly basis, and the CFO, on a monthly basis, to discuss all relevant business risks, including cybersecurity risks and threats. In addition to regular reports from our CIO and vice president of internal audit regarding our program for managing our information security risks, including data privacy and protection risks we face, the CIO and VP of IT also meet quarterly with the Audit Committee to inform them of current cybersecurity risks and threats, as well as cybersecurity enhancement projects. Our full board of directors receives an annual update regarding the current cybersecurity environment from our CIO, which may include presentations from external consultants. Our Enterprise Risk Management (“ERM”) committee, which includes several members of senior management, including our CFO, our CIO, and a Certified Information Systems Auditor, also presents all of our top organizational and operational risks, including information security-related risks, focus areas and accomplishments throughout our various businesses, to our board of directors on a quarterly basis.

Our IT Department management team meets monthly to assess and review cybersecurity status, which includes dashboard reviews, operational risks and company compliance. Annually, our internal audit group and third-party consultants meet with our IT Department to perform risk assessment walkthrough meetings, discuss potential enhancements, materiality of risks and alignment with the Center for Internet Security Critical Security Controls framework. In addition, we engage third-party consultants to perform annual red team exercises and external penetration tests.

We promote a culture of cybersecurity compliance throughout our organization, including required monthly cybersecurity training for all employees with company accounts and annual training for service-related employees on cybersecurity related topics, including social engineering (e.g., phishing, vishing and smishing), ransomware, denial of service or information, and other security breach tactics. We conduct quarterly ERM discussions where top risk owners discuss how risks have changed and how such risks are being addressed with approaches designed to mitigate such risks.

In addition to assessing our own cybersecurity preparedness and as part of our overall cybersecurity risk management framework, we also consider and evaluate cybersecurity risks associated with our use of third-party service providers. We perform a formal System and Organization Controls (“SOC”) review process annually on our financially significant third-party service providers, which includes our internal assessment of complementary user entity controls. All other material third-party service providers undergo assessment as a contract is entered into or renewed to ensure cybersecurity alignment. Our internal audit group meets regularly with management team members of Marriott, our third-party hotel manager, to assess security applications compliance. We also regularly meet with management team members of Marriott to understand system upgrades, changes and associated risks with third-party manager applications. In addition, we generally require our third-party service providers to promptly notify us of any actual or suspected breach impacting our data or operations.

In assessing cybersecurity threats, our IT Department has established controls and procedures for responding to cybersecurity incidents, including a process to evaluate the significance of a cybersecurity incident. Members of senior management, including our General Counsel and CFO, are tasked with performing a materiality assessment in the event of a cybersecurity incident, which includes the consideration of relevant quantitative and qualitative factors, as well as SEC guidance. Based on the results of this evaluation, further escalation of the cybersecurity event may occur, which may include our CEO, our board of directors and/or law enforcement. In addition, members of senior management will determine, based on the assessment described above, whether the cybersecurity incident requires disclosure with the SEC.

We or our third-party manager currently maintain a cybersecurity insurance policy that provides coverage for security incidents and periodically meet with our insurer to discuss emerging trends in cybersecurity. We do not believe that any risks we have identified to date from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, notwithstanding the programs, policies and procedures described above, there can be no assurance that we or businesses with which we interact will not experience a cybersecurity incident that materially affects us in the future. For more information about the cybersecurity risks we face, see the risk factor entitled “Cybersecurity incidents, including the failure to protect the integrity or availability of IT systems or the security of confidential information, or the introduction of malware or ransomware, could harm our business.” in Item 1A. Risk Factors of Part I of this Annual Report on Form 10-K.