MGM Resorts International - (MGM)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
We recognize the importance cybersecurity has to the success of our business. We also recognize the need to continually assess cybersecurity risk and evolve our response in the face of a rapidly and ever-changing environment. Accordingly, we aim to protect our business operations, including customer records and information, against known and evolving cybersecurity threats.
Risk Management and Strategy
The Company’s Internal Audit function conducts an annual Enterprise Risk Management process to identify, assess, monitor and control current and future potential risks facing the Company, which includes cybersecurity risks that are communicated by the Chief Information Security Officer (“CISO”). Significant risks identified during this process are then presented to the Audit Committee. In addition, we have a cybersecurity incident response plan in place that provides a documented framework for handling high and low severity security incidents and facilitates coordination across multiple parts of the business. We also routinely perform attack and response simulations at the technical level, and annually execute tabletop response exercises. Each year, special focus is given to maintaining and improving our alignment with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and Privacy and Payment Card Industry (“PCI”) controls in support of protecting our technology and customer data. We further engage in the periodic assessment and testing of our cybersecurity program.
We also utilize external expertise to perform annual assessments of our entire cybersecurity program, including the cybersecurity program maturity. The results of these annual assessments are reported to the Audit Committee, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments. In addition, we have a Third Party Risk Management Program designed to assess risks associated with third party providers based on the services they provide and the data they have access to.
Cybersecurity risk mitigation processes are integrated into the Company’s Code of Conduct that all employees are required to review. Additionally, all employees with network access receive cybersecurity awareness training.
The Company’s information and data systems have been subject to cybersecurity incidents in the past, including the publicly disclosed September 2023 Cybersecurity Issue. We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. However, there is no guaranty that the Cybersecurity Issue and any further incidents will not have a material impact in the future. See “Cybersecurity litigation, claims, and investigations” in Part II, Item 8, Note 12 to the accompanying consolidated financial statements. Further, policies and procedures designed to manage cyber risks, including those described herein, may not be effective. To learn more about risks from cybersecurity threats, see “Item 1A. Risk Factors - The failure to maintain the integrity of our information and other systems or customer information can result in damage to our reputation, subject us to fines, payment of damages, lawsuits and restrictions on our use of data, and have a material adverse effect on our business, financial condition, and results of operations.” Additional risks and uncertainties not currently known or that may currently be deemed to be immaterial also may materially adversely affect the Company’s business, financial condition, or results of operations.
The Board’s Oversight of Cybersecurity Risk
To ensure thorough oversight of the Company’s cybersecurity policies and processes, the Audit Committee is responsible for overseeing our cybersecurity risk and, pursuant to its charter, establishes and oversees procedures for the Company’s plans to mitigate cybersecurity risks and respond to data breaches. The Audit Committee receives quarterly reports from the CISO on the Company’s cybersecurity risks and enterprise cybersecurity program. The Audit Committee also receives prompt information and periodic updates by the CISO regarding material cybersecurity incidents that meet reporting thresholds. The Audit Committee reports out to the Board as necessary to keep the Board informed of issues or risks relating to the Company’s cybersecurity.
Management’s Involvement in Cybersecurity Risk Oversight
Our CISO continues to enhance our cybersecurity program and leads our efforts to mitigate technology risks in partnership with business leaders. Our CISO conducts regular reviews of the control environment and identifies those risks within the Enterprise Risk Management process to assess, monitor and control current and future potential risks facing the Company. Our CISO has 23 years of expertise in cybersecurity, information security risk management, incident management and response and privacy and has held various roles in information technology and information security throughout their career. The CISO holds various professional certifications, including the Certified Information Security Manager certification from the Information Systems Audit and Control Association and the Certified Information Systems Security Professional from International Information System Security Certification Consortium. The CISO holds a Bachelor’s Degree in Computer Information Systems and a Master’s Degree in Organizational Security Management.
Our CISO reports directly to our Chief Legal and Administrative Officer and Secretary. The CISO closely monitors our cybersecurity program, including our strategy and cybersecurity policies and practices, against the cybersecurity threat landscape. As described above, our cybersecurity incident response plan provides a framework for a multidisciplinary team to prevent, detect, mitigate, and remediate cybersecurity-related risks and incidents. This framework also sets forth parameters for the escalation and reporting of cybersecurity risks and incidents to broader groups at the Company, and the CISO reports information about significant cybersecurity risks and incidents to the Audit Committee on a regular basis and more frequently if warranted under the circumstances.