Churchill Downs Inc - (CHDN)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
We maintain a comprehensive process for detecting, assessing, and managing material risks from cybersecurity threats as part of our overall enterprise risk management system and processes. Our Chief Technology Officer (“CTO”) oversees our Chief Information Security Officer (“CISO”) and a dedicated team of information security professionals who are responsible for our cybersecurity risk management program. Our CTO oversees our information security professionals’ efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents and the efforts for assessing and managing our material risks from cybersecurity threats. Our cybersecurity risk management program includes technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools, and related services from third-party providers. Our CTO has over twenty years of extensive experience in information technology and security.
We use the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF") as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. This does not mean that we meet any particular technical standards, specifications, or requirements of the NIST CSF. We routinely engage consultants and other third parties to assist with our cybersecurity risk management, including third-party penetration tests of our various information technology environments. As part of our current due diligence review and contracting process with third-party vendors that may have access to our data or systems, we perform an information security review of the vendor’s program and require such contracts to include certain minimum-security safeguards and notification requirements, where applicable. We also carry cybersecurity insurance with coverage for costs associated with a cybersecurity incident.
We have an established incident response plan to address and guide our employees and management on our response to a cybersecurity incident. The Company has two management committees that assist with cybersecurity incidents and risk management. These committees consist of senior leadership and cross-functional members from across our organization. The Consumer Data Privacy Committee assists with identifying and managing consumer data privacy issues. The Cybersecurity Disclosure Committee (“CD Committee”) assists senior management in fulfilling their responsibilities for oversight of the accuracy and timeliness of disclosures made by the Company in response to cybersecurity incidents and vulnerabilities. In the event a potentially significant cybersecurity incident is identified by our information security team, such incident is reported to the CD Committee to consider applicable disclosures, with the assistance of outside counsel as needed. In addition, senior leadership prepares an enterprise risk management report identifying and evaluating enterprise risks, including cybersecurity risks, which is regularly presented to the Audit Committee.
Our executive leadership team, along with oversight from the Audit Committee of the Board of Directors, are responsible for our overall enterprise risk management system and processes and regularly consider cybersecurity risks in the context of other material risks to the Company. The Audit Committee oversees the processes by which management assesses the Company’s exposure to cybersecurity risks and evaluates the guidelines and policies governing the Company’s monitoring, control, and minimization of such risks. Our CTO regularly reports to the Audit Committee regarding cybersecurity matters.
For additional information concerning cybersecurity risks we face, refer to Part I, Item 1A, Risk Factors.