CHOICE HOTELS INTERNATIONAL INC /DE - (CHH)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Cybersecurity is an important element of the Company’s overall enterprise risk management program. The Company has a multilayered system for assessing, identifying, and managing cybersecurity risks, designed to help protect the Company’s information assets and operations from internal and external cyber threats by understanding and seeking to manage risk while helping to support business resiliency and seeking to protect employee, guest, and franchisee information from unauthorized access or attack, as well as seeking to secure the Company’s networks, systems, devices, products, and services. Cybersecurity is incorporated into the Company’s enterprise risk management program through membership within and regular reporting to the Compliance and Enterprise Risk Management Committee.
The Company devotes significant resources to helping protect and evolve the security of its computer systems, software, networks, and other technology assets, and the Company’s cybersecurity risk management program includes physical, administrative, and technical safeguards. The Company’s cybersecurity policies, standards, and procedures include data breach response plans, which are reviewed regularly. The Company is in the process of assessing its cybersecurity program and safeguards against the National Institute of Standards and Technology Cybersecurity Framework (the “Framework”). The Company’s cyber incident response plan is designed to help coordinate our response to, and recovery from, cybersecurity incidents, and includes processes intended to triage, assess the severity of, escalate, contain, investigate, and remediate incidents, as well as to comply with applicable legal obligations.
The Company endeavors to continually refine its policies and practices to help protect its platform, adapt to changes in regulations, identify potential and emerging security risks, and develop mitigations for those risks. For example, the Company seeks to conduct incident simulations and assessments annually to help discover potential vulnerabilities, with the objective of improving decision-making and prioritization and promoting monitoring and reporting across compliance functions. As part of its overall risk mitigation strategy, the Company also maintains cyber insurance coverage.
The Company engages external parties, including consultants, computer security firms, and risk management and governance experts, as part of its cybersecurity program. For example, the Company’s independent assessor provides a periodic assessment of the Company’s risk posture to help identify threats as well as opportunities to enhance safeguards. Annually, the Company’s adherence to the Payment Card Industry Data Security Standard is assessed by an external party; that assessment includes one or more penetration tests of the Company’s technological environment. The Company has engaged an independent security assessor to evaluate the Company’s cybersecurity program against the Framework. Additionally, the cybersecurity program is subject to regular assessment by internal audit and the Company’s external auditors. The Company participates in the Retail & Hospitality Information Sharing and Analysis Center (“RH-ISAC”), where peer companies are engaged on industry trends and emerging threats, including those relating to cybersecurity.
To help oversee and identify risks from cybersecurity threats associated with the Company’s use of third-party service providers, the Company has a third-party information risk management program intended to minimize the likelihood of misuse of Choice data by third parties and business partners, and requires that third-party service providers complete a periodic security risk assessment. Depending upon the identified risk, actions such as obligating the third party to remediate the identified deficiencies or termination of the relationship may occur. Also, depending upon the nature of the relationship and data, third-party agreements include security and privacy provisions that oblige third parties to abide by applicable regulations and employ reasonable security controls.
The Company’s Board of Directors does not believe that there are currently any risks from cybersecurity threats that are reasonably likely to materially affect the Company or its business strategy, financial condition, results of operations, or cash flows.
Governance and Oversight
The Audit Committee of the Company’s Board of Directors maintains oversight over cybersecurity risk, in coordination with the full Board of Directors. The Board of Directors and the Audit Committee receive and provide feedback on quarterly updates from management regarding cybersecurity, including highlights of recent incidents throughout the industry and the emerging threat landscape, as well as the prompt notice of any cybersecurity threats or incidents with the potential to significantly impact the Company, including its financial condition, results of operations, and cash flows, and regular updates about incidents with a lesser impact. Cybersecurity updates are rotated quarterly between the Board of Directors and the Audit Committee. The reports generally focus on items such as risk reduction efforts, emerging and existing threats, training initiatives, the status of projects to strengthen cybersecurity, emerging regulatory policies and regulations, cybersecurity technologies and best practices, cyber readiness, results of third-party assessments, mitigation efforts, and response plans.
The Company has a Chief Information Security Officer (“CISO”) whose team is responsible for leading company-wide cybersecurity strategy, policy, standards, and processes and works across all of the units of the Company to help protect the Company and its employees against cybersecurity risks. The CISO has significant cybersecurity expertise, including prior cybersecurity leadership in banking and insurance organizations. The CISO holds a Master of Business Administration, as well as Certified Information Systems Security Professional, Certified Information Systems Auditor, and Certified Information Security Manager cybersecurity-related certifications. The CISO also serves as a Director for the RH-ISAC.
The Company has also established a cross-functional cybersecurity oversight committee, chaired by the CISO and consisting of executive-level leaders, that is responsible for the Company’s cybersecurity, disaster recovery, and business continuity programs. The Company’s internal audit team also provides independent assurance on the functional components of the Company’s cybersecurity program and reports the results of these audits in its quarterly reports to the Audit Committee.
In an effort to prevent and detect cyber threats, the Company annually provides all employees, including part-time and temporary employees, with cybersecurity and privacy training. The training covers timely and relevant topics, including social engineering, phishing, password protection, data protection, and physical security, and educates employees on the importance of reporting all incidents immediately.