Travel & Leisure Co. - (TNL)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
Our Board and management recognize the importance of maintaining the trust and confidence of our customers, business partners and employees. The Board provides oversight of our risk management program and cybersecurity represents an important component of our overall approach to enterprise risk management (“ERM”). Our cybersecurity policies, processes, and practices are integrated into our ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology (“NIST”) and other applicable industry standards. In general, we seek to address cybersecurity risks through a cross-functional approach that is designed to preserve the confidentiality, security and availability of the digital information that we collect and store by identifying and mitigating cybersecurity threats and appropriately responding to cybersecurity incidents if and when they occur.
Cybersecurity Risk Management and Strategy
Our ERM program is designed to identify the top risks applicable to us and document risk mitigation plans and initiatives by management. We have identified, and we expect to continue to identify, cybersecurity threats as among the top risks that we face. As one of the critical elements of our overall ERM approach, our information security program is focused on the following key areas:
• Governance: As discussed in more detail below under “Cybersecurity Governance,” the Board’s oversight of cybersecurity risk management is supported primarily by the Audit Committee of the Board (the “Audit Committee”) and our Information and Privacy Risk Committee (“IPRC”), which is the key management-level governance body that oversees management of cybersecurity threat and data privacy risks.
• Cross-Functional Approach: Through the IPRC, we have implemented a cross-functional approach to managing cybersecurity threats and incidents, while also implementing controls and procedures that provide for the escalation of significant cybersecurity incidents, either in the form of a single unauthorized occurrence or a series of unauthorized occurrences, so that decisions regarding the public disclosure and reporting of such incidents can be made by appropriate members of management in a timely manner.
• Threat Assessment: We engage in an annual cybersecurity-focused risk assessment process, which helps identify our cybersecurity risks by comparing our processes to standards set by the NIST and by engaging third-party experts to attempt to infiltrate our information systems.
• Technical Safeguards: While no system is impenetrable, we deploy sophisticated technical safeguards that are intended to provide multiple layers of security designed to identify cybersecurity threats and protect our information systems from such threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which we evaluate and seek to improve through vulnerability assessments and cybersecurity threat intelligence. We leverage both internal and third-party resources to implement and monitor our technical security controls and perform threat and vulnerability assessments. Assessment results feed an iterative process intended to improve our cybersecurity posture and address the constantly evolving threat landscape on an on-going basis.
• Third-Party Risk Management: We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
• Education and Awareness: We provide training for personnel regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, processes and practices.
• Incident Response and Recovery Planning: We have established and maintain incident response and recovery plans for critical systems, applications and business functions that address our response to a cybersecurity incident, and such plans are tested and evaluated on a periodic basis.
We describe whether and how risks from identified cybersecurity threats, including as a result of previous incidents, may materially affect, or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Failure to maintain the integrity of internal or customer data or to protect our systems from cyber-attacks could disrupt our business, damage our reputation, and subject us to significant costs, fines or lawsuits” included as part of our risk factor disclosures included in Part I, Item 1A of this Annual Report filed on Form 10-K.
Cybersecurity Governance
The Board, primarily through the Audit Committee, provides oversight of our ERM process, including the management of risks arising from cybersecurity threats. The Audit Committee receives regular, quarterly presentations and reports from our Chief Technology Officer (“CTO”) and Chief Information Security Officer (“CISO”) on cybersecurity risks and management’s mitigation activities, which address a wide range of topics including our cybersecurity risk profile, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment and significant newly identified risks, technological trends, and information security considerations arising with respect to our industry peers and third parties. In addition, the CTO and CISO provide the Audit Committee with timely information regarding significant cybersecurity incidents, as applicable. During 2023, the Audit Committee also held an informational meeting with an external advisor regarding the cybersecurity landscape.
The IPRC is the management-level governance body that oversees our management of cybersecurity threats and data privacy risks and supports the strategic goals of our information security programs. The IPRC also oversees the appropriate remediation and response to cybersecurity incidents in accordance with applicable legal and regulatory requirements as well as our Information Security Incident Response Plan. The executive sponsors of the IPRC are our Chief Financial Officer, Chief Operations Officer, Wyndham Destinations, the CTO, and General Counsel and Corporate Secretary. The IPRC members include our CISO, the senior legal officer in the privacy function, the business segments’ general counsel, the Chief Accounting Officer, and the Managing Director RCI North America & Global Marketing and Operations. The CISO leads a team of information security professionals in the day-to-day execution of our information security program, which is discussed in more detail above under the heading “Cybersecurity Risk Management and Strategy.”
The CISO has served in various roles in information security and information technology for over 20 years for global travel, hospitality, casino, and energy companies along with consulting for both the U.S. Department of Defense and intelligence community. He holds an undergraduate degree in computer information systems, a master’s degree in business administration, and has attained the Certified Information Systems Security Professional certification. The CTO holds an undergraduate degree in computer science and a master’s degree in business administration, and has served in various roles in information technology for over 30 years for global travel, hospitality, and finance companies, including serving as either the Chief Technology Officer or Chief Information Officer of Qatar Airways Group and MGM Resorts International.