Red Rock Resorts, Inc. - (RRR)

10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
We rely on our technology infrastructure and information systems to operate our gaming and non-gaming facilities, interact with customers and employees, utilize our data, support and grow our customer base, and bill, collect, and make payments. Our technology infrastructure and information systems also support and form the foundation for our accounting and finance systems and form an integral part of our disclosure and accounting control environment. Our internally developed systems and processes, as well as those systems and processes provided by third-party vendors, may be susceptible to damage or interruption from cybersecurity threats, which include any unauthorized access to our information systems that may result in adverse effects on the confidentiality, integrity, or availability of such systems or the related information. Potential cybersecurity threats include terrorist or hacker attacks, the introduction of malicious computer viruses, ransomware, falsification of banking and other information, insider risk, or other security breaches. Such attacks have become more and more sophisticated over time, especially as threat actors have become increasingly well-funded by, or themselves include, governmental actors with significant means.
We have implemented robust processes to assess, identify, and manage cybersecurity risks, including potentially material risks, related to our internal information systems and our products. Our Board of Directors has direct oversight of our management of cybersecurity risks.
The Board of Directors receives an evaluation of cybersecurity risks, which includes detailed descriptions of the actions we have taken to accept, transfer, or mitigate these risks and an analysis of cybersecurity threats and incidents across the industry. The Board of Directors reviews the evaluation on an annual basis. Management will provide a comprehensive update to the Board of Directors on cybersecurity threats and risk mitigation at least annually, and more frequently as relevant.
Our Chief Information Security Officer, who reports to our Chief Information Officer as well as the Chief Financial Officer, is a twenty-four-year industry veteran, with 10 years of business operations experience and 14 years of technology experience, including six years directly in cybersecurity. The Chief Information Security Officer has principal responsibility for assessing and managing cybersecurity risks and threats, implementing the systems necessary to address such risks and threats, and preparing updates for the Board of Directors on a regular basis. These updates contain information such as key performance indicators, National Institute of Standards and Technology (“NIST”) Cybersecurity Framework status, cybersecurity road map status, and current events and issues.
Our Director of Cyber Security reports to our Chief Information Security Officer as well as our Chief Information Officer and is responsible for the operation of our cybersecurity program. Our Director of Cyber Security has 30 years of combined information technology experience with ten of those years working in the cybersecurity field as both an engineer and a director.
We have adopted the NIST Cybersecurity Framework to continually evaluate and enhance our cybersecurity procedures. Activities include mandatory monthly online training for all employees, technical security controls, enhanced data protection, the maintenance of backup and protective systems, policy review and implementation, the evaluation and retention of cybersecurity insurance, periodic assessments of third-party service providers to assess cyber preparedness of key vendors, and running simulated cybersecurity drills, including vulnerability scanning, penetration testing and disaster recovery exercises, throughout the organization. These cybersecurity drills are performed both in-house and by third-party service providers. We use automated tools that monitor, detect, and prevent cybersecurity risks and have a security operations center that operates 24 hours a day to alert us to any potential cybersecurity threats.
When we experience a cybersecurity incident, our Chief Information Security Officer or Chief Information Officer will inform our Senior Leadership and/or the Board of Directors, Computer Security Incident Response Team, which will then evaluate and assess the nature and materiality of the incident to the Company, in general, its information technology infrastructure and data integrity, and whether the cybersecurity incident should be reported to the Board of Directors in advance of or external to the next regular cybersecurity update. Once a cybersecurity incident is reported to the Board of Directors, the Board of Directors, with the input of the Chief Information Security Officer and Chief Information Officer, will determine how to address it.
We engage subject matter experts such as consultants and auditors to assist us in establishing processes to assess, identify and manage potential and actual cybersecurity threats, to actively monitor our systems internally using widely accepted digital applications, processes, and controls, and to provide forensic assistance to facilitate system recovery in the case of an incident. The Chief Information Security Officer oversees and establishes the parameters of our engagement with these experts to ensure we obtain the supplemental assistance needed in this area, if any.
If there is a cybersecurity incident, we may suffer interruptions in service, loss of assets or data, or reduced functionality. Security breaches of our systems may allow inappropriate access to or inadvertent transfer of information and misappropriation or unauthorized disclosure of confidential information. Though we take steps to ensure our products and/or software are secure, it is possible that a cybersecurity incident could result in the loss or compromise of critical data. If a guest alleges that a cybersecurity incident causes or contributes to a loss or compromise of critical data, whether or not caused by us, we could face harm to our reputation and financial condition and regulatory repercussions. A cybersecurity incident could materially harm our reputation and financial condition and cause us to incur legal liability and increased costs to respond to such events. See Item 1A. Risk Factors—Business, Economic, Market and Operating Risks—Failure to maintain the integrity of our internal or customer data, including defending our information systems against hacking, security breaches, computer malware, cyber-attacks and similar technology exploitation risks, could have an adverse effect on our results of operations and cash flows, and/or subject us to costs, fines or lawsuits.