ROYAL CARIBBEAN CRUISES LTD - (RCL)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Securing the Company’s business information, intellectual property, customer and employee data and technology systems is essential for the continuity of our businesses, meeting applicable regulatory requirements and maintaining the trust of our various stakeholders. Cybersecurity is an important and integrated part of the Company’s enterprise risk management function that identifies, monitors and mitigates business, operational, financial and legal risks.
We have developed a cybersecurity program designed to protect and preserve the confidentiality, integrity and continued availability of all information we own or process against risks from cybersecurity threats. Using a risk-based prioritization approach, the cybersecurity team focuses on securing our high value assets, updating our cybersecurity detection and prevention capabilities to identify new threats, and maturing the compliance processes to protect the Company’s operations and data.
Risk Management and Strategy
We have implemented policies, programs and controls and invested in cybersecurity technologies that focus on assessing, monitoring, and managing our cybersecurity risks. These include, but are not limited to: maintaining comprehensive cybersecurity policies and practices; augmenting our organization with a global cybersecurity operation center that monitors cyber threats 24 hours a day on a year-round basis; new surveillance technologies to proactively identify threats and improve the Company’s cyber defense capabilities; implementing enterprise-wide cybersecurity training, anti-phishing and awareness programs for our employees and crew members; and conducting cyber simulations with various teams across the Company as well as with management to evaluate our response approach. We have also implemented comprehensive processes designed to identify and oversee risks from cybersecurity threats associated with our third-party service providers, which include security assessments on our suppliers and vendors and continuous monitoring of cyber threats. Our cybersecurity program is based on recognized best practices and standards for cybersecurity, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. We conduct regular third-party assessments of our cyber risk management program.
We also conduct a periodic assessment of cybersecurity risk as part of broader enterprise risk management (ERM). This assessment includes an evaluation of the Company’s processes to identify and respond to cyber risks and the effectiveness of the Company’s lines of defense. Given the complexity and evolving nature of cybersecurity threats, we leverage both internal cyber analytics and external sources of threat intelligence (including assessors, consultants, and other third parties) to evaluate our cyber risks and to properly adjust our risk mitigation approach. We also maintain controls and procedures that are designed to evaluate cyber risks on an ongoing basis. These processes include prompt communication of certain cybersecurity incidents to the Company’s executives, internal committees and the Board as needed, so that any needed external reporting can be made by management and the Board in a timely manner.
Our policies require each of our employees to contribute to our data security efforts. We regularly educate our employees about the importance of handling and protecting customer and employee data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats.
As of the date of this report, we are not aware of any risks from cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. For additional description of cybersecurity risks and potential related impacts on the Company, refer to Item 1A. Risk Factors - "We are exposed to cyber security attacks and data breaches and the risks and costs associated with protecting our systems and maintaining data integrity and security."
Governance
Our cybersecurity program is led by our Chief Information Officer (CIO) and the Chief Information Security Officer (CISO). They are supported by Information Security Officers who work closely with our operational teams. Our CIO and CISO have more than 35 years of collective experience in the cybersecurity field. The CISO reports to the CIO and is generally responsible for management of cybersecurity risk and the protection and defense of our networks and systems. The CISO has served in similar roles at three major public companies and is a recognized cybersecurity leader. He regularly engages with peer CISOs, cybersecurity experts and organizations, including the Cloud Security Alliance (CSA) and the NIST, to stay informed on the latest industry developments. The CISO regularly informs our internal Disclosure Committee, Chief Financial Officer, and our President and Chief Executive Officer of cybersecurity risks and incidents as per our internal cyber risk framework. This also helps ensure that the highest levels of management are kept abreast of our cybersecurity posture and potential risks.

Our Board, in coordination with the Audit Committee, is actively engaged in reviewing management's processes for assessing and managing cybersecurity risks. The Board reviews cybersecurity at least annually. The Audit Committee directly oversees the Company’s management of cybersecurity risks. On a quarterly basis or as needed, the Audit Committee receives updates from management (including the CIO and CISO) on cybersecurity risks resulting from risk assessments, progress of risk reduction initiatives, external auditor feedback, control maturity assessments, and relevant internal and industry cybersecurity incidents. In addition, the Chair of the Audit Committee regularly informs the Board of the outcome of the Audit Committee's reviews at scheduled Board meetings.