Booking Holdings Inc. - (BKNG)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
We are dedicated to upholding our commitment to our customers, partners, and employees to manage cybersecurity, privacy, and data protection and security risk. Our approach involves various tools, processes, technologies, and controls to identify and manage such risks.
Risk Management and Strategy
Identifying, assessing, and managing cybersecurity risk is generally integrated into our overall risk management systems and processes. The Company's internal audit function, with primary oversight by the Audit Committee, assesses key risks facing the organization across functions and regions. These risks are reviewed and discussed by the Company's management-level risk committee, which is a multi-disciplinary committee including representation from senior management in the finance, internal audit, and legal functions, among others. The risk committee is tasked with ensuring risks, including those related to cybersecurity, are managed and aligning strategic objectives with an appropriate level of risk tolerance.
Our Cyber Risk Management Policy establishes the framework for our cybersecurity risk management and governance. Our security teams operationalize the Policy across the Company and conduct cyber risk identification, assessment, management, monitoring, tracking, and reporting. Our privacy program is built upon the privacy principles of transparency, purpose, control, security, embedded privacy, and accountability. Our privacy teams are responsible for identifying, managing, and reporting on data protection risks. We leverage the National Institute of Standards and Technology (NIST) frameworks for cybersecurity and privacy. The NIST frameworks help us to align our security and privacy functions and provide a risk management approach across the Company. We annually measure our security and privacy program maturity against these frameworks, and engage a third party every other year to assess the current state against these frameworks. The results of these assessments are discussed with the Board and the Cybersecurity Subcommittee of the Audit Committee. In addition, our Global Privacy Advisory Council, consisting of our privacy leaders, leads the development and implementation of strategies to monitor, manage, and remediate privacy risks.
As part of the Company's risk management strategy, we require that all employees complete regular data security and privacy trainings, and conduct phishing tests and specialized training such as secure coding training for our developers. We also maintain a Security Ambassadors program, where employees act as an extension of the Security and Fraud Department to foster a security-focused culture.
Our security teams engage in threat intelligence, predictive modeling, and penetration testing to understand the Company's threat landscape and reduce the risk and impact of cybersecurity incidents. These teams have established procedures for detecting, managing, and remediating cybersecurity incidents, and processes for personnel to escalate incidents within the organization. A cross-functional working group of security, privacy, and legal personnel reviews significant incidents to determine if further escalation is appropriate. If an incident could be deemed material, it is escalated, and we consult with outside counsel during this assessment as appropriate.
Our internal audit function collaborates with the security teams to participate in an integrated cybersecurity assurance program. The internal audit function also performs its own cybersecurity audits and reviews certain cybersecurity-related practices, such as access controls, as part of its assessment of our internal control over financial reporting. From time to time we have taken steps to improve our practices and remedy deficiencies that have been identified. Our enterprise-wide information security program is also independently assessed every other year by a third party as part of our enterprise risk management, and our Cybersecurity Subcommittee reviews the assessment findings. We seek to advance our program maturity in line with our review and management of cybersecurity risks.
We rely on certain third-party computer systems and third-party service providers, including global distribution systems ("GDSs") and computerized central travel reservation systems, in connection with providing some of our services. We also depend upon various third parties to process payments for our transactions around the world. These third-party business partners, service providers, and consultants need to access our customer and other data, and connect to our computer networks. We define expected security and privacy requirements through our contracting processes with third parties, and we perform third-party cyber risk assessments to monitor the cyber risk management efforts of third parties as needed.
Although we expend significant resources to protect against security breaches, our existing security measures may not be successful in preventing all attacks on our systems. We have experienced cybersecurity incidents and threats, including malware, phishing, partner and customer account takeover attacks, and denial-of-service attacks on our systems. We do not believe these cybersecurity incidents have had a materially adverse effect on our Company, including our business strategy, results of operations, or financial condition. For further discussion, see Part I, Item 1A, Risk Factors - "Information Security, Cybersecurity, and Data Privacy Risks."
Governance
The Board and Audit Committee maintain responsibility for enterprise risk oversight related to cybersecurity, privacy, and data protection and security. The Audit Committee has delegated the primary responsibility for oversight of compliance and risk management efforts and processes related to these matters to the Cybersecurity Subcommittee, which was established in 2023 and is comprised of independent directors. The Cybersecurity Subcommittee oversees management's efforts and processes to identify, assess, manage, and monitor significant cybersecurity and privacy risks and regulatory developments in this area. Our cybersecurity and privacy leaders meet with the Cybersecurity Subcommittee to discuss the Company's cybersecurity and data protection risk exposures, including the steps management has taken to monitor and manage such exposures and their potential impact on the Company's business, operations, and reputation. The Cybersecurity Subcommittee reports periodically on these matters to the Audit Committee and Board.
The individuals serving in the roles of chief security officer and chief privacy officer have enterprise-wide responsibility for assessing and managing cybersecurity, data protection and security, and privacy risks, respectively. These leaders collectively have over 25 years of relevant work experience in public companies and extensive industry expertise.