TripAdvisor, Inc. - (TRIP)
10-K Filing Date: February 16, 2024
In an era marked by rapid technological evolution, the business landscape is increasingly data-driven. Companies, including ours, collect, store, and leverage data to glean valuable insights about our members and travel trends; to deliver relevant content to our members, suppliers, and business partners; and to enhance operational efficiency. This collection and use of data exposes us to potential cybersecurity threats. As a result, we have implemented a cybersecurity risk management framework that is designed to identify, assess, and mitigate risks from cybersecurity threats to this data, to our systems and to our business operations.
Risk Management Oversight and Governance
The Board of Directors is responsible for overseeing risks related to cybersecurity and has delegated oversight of cybersecurity risks to the Audit Committee. The Audit Committee is responsible for reviewing and discussing with management the processes used to identify, assess and manage cybersecurity threats, as well as to identify, assess and, to the extent required, disclose material cybersecurity threats.
Management is responsible for the day-to-day risk management process, including the identification of risks and implementation of policies and procedures designed to manage, mitigate or monitor cyber risks. In support of these responsibilities, management has designated a Chief Compliance Officer and formed a Compliance Committee to implement, manage and oversee a corporate compliance program.
The Compliance Committee is responsible for understanding the global risk landscape of the company and for working to ensure that we have a compliance program in place designed to mitigate, manage and/or monitor risks. The Compliance Committee consists of, among others, our Chief Financial Officer (“CFO”), Chief Legal Officer (“CLO”) and Chief Compliance Officer (“CCO”). The CCO has established an Information Governance and Privacy Committee responsible for oversight of privacy and cybersecurity risks. The Information Governance and Privacy Committee consists of our Chief Information Security Officer (“CISO”) and CCO, as well as representatives from engineering, product development and data privacy. The Information Governance and Privacy Committee meets regularly to discuss and monitor information uses and governance and risks associated with our information assets, including prevention, detection, mitigation and remediation of risks from cybersecurity threats.
Our CISO reports to our CCO. The CCO reports to the Compliance Committee and the CLO. The CFO and CLO report directly to the company’s Chief Executive Officer. Each of the CFO, CLO, CCO and CISO report regularly to our Board of Directors on, among other matters, our global risk landscape and risk management efforts, including those related to cybersecurity risks.
Our CISO has primary responsibility for managing our cybersecurity threat management program. The CISO is a Certified Information Systems Security Professional (CISSP) with more than 15 years of experience in building and leading information security teams, and has worked at a variety of companies, including large, publicly traded companies, to implement and manage cybersecurity programs. His experience includes developing and maintaining tools and processes to protect internal networks, customer payment systems and telecommunications networks used by customers to transmit data.
Our CISO leads an Information Security team that meets regularly. The CISO updates the executive management team on cybersecurity developments.
Our CISO meets at least annually with each of the Compliance Committee and the Audit Committee to discuss cybersecurity threats and the risk management programs. The CISO provides information, as appropriate, about the sources and nature of risks the Company faces and how management assesses such risks. Our CISO also provides a quarterly report to the Audit Committee on trends and observations concerning cyber threats and actions being taken to mitigate those risks. The Chair of the Audit Committee reports quarterly to the full Board of Directors and that report includes a summary of the CISO’s report.
Processes for the Identification of Risks from Cybersecurity Threats
The Compliance Committee, working with the CISO and the Information Security team, has developed a cybersecurity risk management program that aims to address the following key areas:
The Company’s risk assessment and mitigation program is centered on the following components:
Our Internal Audit team reviews, monitors and audits various aspects of the Company’s enterprise risk management program to evaluate whether risks, including cybersecurity risks, are appropriately identified and managed. Internal Audit periodically reports to the Audit Committee on the Company’s cybersecurity risk mitigation efforts. The Audit Committee Chair, in turn, reports to the full Board of Directors.
We have several employee training and development programs that are designed, among other things, to raise awareness of cybersecurity risks impacting the business, to encourage consideration of those risks and to facilitate managing them. To assess the effectiveness of our program, we periodically conduct penetration testing and other vulnerability analyses. As part of the assessment of the protections we have in place to mitigate risks, we engage third parties to conduct risk assessments of our systems.
Before purchasing third-party technology or other solutions, or entering into partnerships that involve exposure to the Company’s assets and electronic information, our Information Security and Privacy team undertakes due diligence to assess any key data privacy or information security risks.
For additional information about the cybersecurity risks, see “Risk Factors” under the section entitled "Risks Related to Information Security, Cybersecurity and Data Privacy" in Part I, Item 1A of this Annual Report on Form 10-K.