Hyatt Hotels Corp - (H)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information, including guest information.
We design and assess our security program using an internally-developed risk management framework based on recognized industry security standards. The framework is the basis for our cybersecurity policy, cybersecurity standards, and our processes for managing exceptions to those policies. Additionally, a third-party assessment of our framework maturity is performed regularly by a professional advisory firm with cybersecurity expertise. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use recognized standards as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Key elements of our cybersecurity risk management program include:
a cybersecurity department principally responsible for (i) our cybersecurity risk assessment, management, and compliance processes, (ii) development and maintenance of our security controls, and (iii) our monitoring for and response to cybersecurity incidents;
engagements with external professionals and internal subject matter experts designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment, including, but not limited to risk and compliance assessments, security scanning and testing, and periodic updating of our risk management framework;
the use of external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security controls, including, but not limited to cybersecurity tools and technology, cybersecurity services, threat intelligence information, professional services consulting, and contract staff augmentation;
training of our employees in cybersecurity awareness and payment card compliance and additional training for cybersecurity personnel, software developers, and senior management in cybersecurity-related topics including, but not limited to, incident response, secure software development, and training commensurate with job responsibilities;
a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
a third-party risk management program designed to evaluate the cybersecurity capabilities of new and existing centrally-managed vendors based on their criticality to our business and risk profile.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information. See Part I, Item 1A, "Risk Factors—Risks Related to Our Business—Cyber risk and the failure to maintain the availability or security of our systems or customer, colleague, or Company data could adversely affect our business, harm our reputation, and/or subject us to costs, fines, penalties, investigations, enforcement actions, or lawsuits."
Cybersecurity Governance
Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management's implementation of our cybersecurity risk management program. Our board of directors and the Audit Committee receive periodic reports from our Chief Information Security Officer ("CISO") on our cybersecurity risks. In addition, our CISO updates the Audit Committee, as necessary, regarding significant cybersecurity incidents or updates.
The Audit Committee reports to the full board of directors regarding its activities, including those related to cybersecurity. The full board of directors also receives periodic briefings from management on our cyber risk management program. From time to time, board members receive presentations on cybersecurity topics from our CISO, internal cybersecurity personnel, and/or external experts as part of the board of directors' continuing education on topics that impact public companies.
Our cybersecurity department, comprised of various levels of management and led by our CISO, is responsible for assessing and managing our material risks from cybersecurity threats. The cybersecurity department has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants and suppliers. In addition, our cybersecurity department provides reporting to our Risk Council that is led by our Senior Vice President of Internal Audit and is comprised of certain members of management from diverse functional areas and business units, including risk, finance, legal, accounting, tax, operations, cybersecurity, privacy, human resources, and environmental sustainability. The Risk Council is responsible for identifying, assessing, prioritizing, and monitoring critical risks of the Company. The Risk Council meets quarterly and assesses risks based on potential impact to the Company, both in terms of inherent risk, or the risk exposure without consideration for how the Company manages the risk, as well as residual risk, or the risk exposure remaining after consideration of the Company's existing risk mitigation efforts. The Risk Council periodically reports to the board of directors and the Audit Committee regarding the Company's risk management processes and procedures.
Our CISO and cybersecurity department collectively possess relevant expertise in cybersecurity architecture, engineering, governance, risk management and compliance, operations, vulnerability management, third-party risk management, threat intelligence, and cloud security areas. Our CISO and cybersecurity department personnel are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through various means, which include briefings with internal security personnel and external consultants and information from governmental, private, and industry threat intelligence sources, as well as through alerts and reports produced by security tools and technologies deployed in and around the information technology environment.