Caesars Entertainment, Inc. - (CZR)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
Risk management and strategy
We maintain a cybersecurity team responsible for the development and implementation of a program intended to protect the confidentiality, integrity and availability of our critical systems and information. A component of our program is a cybersecurity Incident Response Plan (“IRP”) which has been built by the team utilizing current and historical industry knowledge and experience.
Key elements of our risk management procedures and processes include:
• risk assessments to help mitigate material cybersecurity risks to our critical systems, information, services, and our broader enterprise IT environment;
• a team comprised of IT security, IT infrastructure, and IT compliance personnel principally responsible for directing (1) our cybersecurity risk assessment processes, (2) our security processes, and (3) our response to cybersecurity incidents;
• the use of external cybersecurity service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes;
• a formal information security training program for all team members as well as supplemental training on specific matters such as phishing and email security best practices;
• a cybersecurity incident response plan and Security Operations Center (SOC) to respond to cybersecurity incidents;
• attack and response simulations at the technical level and tabletop response exercises at the management level;
• a third-party risk management process for service providers; and
• cybersecurity insurance to cover certain expenses in the event of a cybersecurity incident.
The cybersecurity team reports to the Chief Information Officer and in January 2024, we hired a Chief Information Security Officer (“CISO”) with significant experience in leading cybersecurity teams to assume the leadership of management’s responsibilities and governance discussed below.
We evaluate our cybersecurity risk management processes and continue to integrate our procedures into our overall enterprise risk management program, which shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Incidents are investigated by the cybersecurity team as they are identified and may be resolved or escalated based upon the specific details and severity of each incident. Incidents are evaluated throughout the investigation and remediation processes and incidents determined to be insignificant may be resolved by the cybersecurity team without further escalation at that time. Incidents determined to be more severe, such as those that may have compromised the confidentiality, integrity and availability of our critical systems and information, are escalated by the cybersecurity team to notify legal counsel, our Cybersecurity & Privacy Executive Steering Committee, our Board of Directors, or various regulators, as required.
Our cybersecurity team evaluates the risk profile of new third-party service providers and maintains communication channels with key third-party service providers to evaluate and respond to possible effects of incidents within a service provider’s organization. We rely on, and in certain cases require, our third parties to communicate such incidents in a timely manner.
As previously disclosed, on September 14, 2023, we announced that an unauthorized actor had gained access to our information technology network as a result of a social engineering attack on an outsourced IT support vendor used by the Company, and acquired a copy of, among other data, our loyalty program database (“Data Incident”). After detecting suspicious activity in our information technology network, we activated our IRP, which included containment measures, and commenced an investigation of the incident. We also notified law enforcement and state gaming regulators, engaged legal counsel and other third-party incident response and cybersecurity professionals, as well as forensic professionals.
We have received, and continue to pursue, reimbursements from insurance carriers for costs incurred as a result of the Data Incident. Based on our assessment, the incident has not had a material impact, and we do not believe the incident has materially affected or will materially affect us, including our operations, business strategy, results of operations, or financial condition.
As a result of the Data Incident, numerous putative class action lawsuits have been filed against us purporting to represent various classes of persons whose personal information was affected by the Data Incident. These class actions assert a variety of common law and statutory claims based on allegations that we failed to use reasonable security procedures and practices to safeguard customers’ personal information, and seek monetary and statutory damages, injunctive relief and other related relief. In addition to those putative class action lawsuits, individual claims have been filed or threatened against us as well.
We have also received inquiries from numerous state regulators related to the Data Incident. We are responding to these inquiries and cooperating fully with regulators. See Note 11 for further discussion.
We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Governance
Our Board considers cybersecurity risk as critical to the enterprise and is responsible for reviewing our cybersecurity risk profile, including management’s design, implementation and enforcement of our cybersecurity risk management program. The Board of Directors receives periodic updates from our Chief Information Officer (“CIO”) on cybersecurity risks and threats. Board members also receive periodic presentations on cybersecurity topics from our CIO, supported by our internal security staff, or external experts as part of the Board’s continuing education on topics that impact public companies.
The Board has determined that retaining responsibility for risks related to cybersecurity oversight is appropriate, given the complexity of the risks associated with cybersecurity and the attention required to appropriately review and monitor such risks. The full Board lends its collective experience and attention to discussing and overseeing potential risks identified by management and stays up to date on management’s risk-mitigation processes related to cybersecurity.
Our CIO supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers; and alerts and reports produced by security tools deployed in the IT environment.
Our CIO is responsible for assessing and managing our material risks from cybersecurity threats. Our CIO has the primary responsibility for leading our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our external cybersecurity service providers. Our CIO has significant global experience in managing and leading IT and cybersecurity teams. Members of the cybersecurity team hold various credentials and certificates with respect to information systems and they participate in continuing education.