CEDAR FAIR L P - (FUN)

10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY.

As described under Item 1A in this Form 10-K, we are subject to risks from cybersecurity threats, including risks relating to maintaining customer and employee data. Cybersecurity is a key focus at multiple levels of our organization, and we have developed policies and procedures to assess, identify and manage risks from cybersecurity threats.

Board of Directors – Enterprise risk management (“ERM”) process: As part of the ERM process, executive management and the Board of Directors regularly review an assessment related to cybersecurity and data protection risks to identify material risk areas, assess our processes to mitigate those risks, and identify process and procedure improvements to alleviate identified risks, including allocating appropriate resources. Cybersecurity and data protection focus areas of ERM include phishing, malware, data breaches, outdated software, staffing levels for key information technology positions, and risks associated with our use of third parties.

Audit Committee of the Board of Directors: The Audit Committee is responsible for discussing the Company’s major information technology risk exposures, including cybersecurity, and the steps management has taken to monitor and control such exposures. The Audit Committee dedicates attention to and provides oversight of certain cybersecurity risks. The Chief Information Officer and Corporate Vice President, IT Infrastructure Operations and Security, meet with the Audit Committee regularly to assess management’s progress on implementing process and procedure improvements related to cybersecurity. The Audit Committee also provides guidance on long-term and short-term cybersecurity strategies.

Executive Management – Technology Governance Committee: The Technology Governance Committee consists of certain members of executive management, including the Chief Accounting Officer, Chief Information Officer, Chief Commercial Officer, Chief Strategy Officer, and Corporate Vice President, IT Infrastructure Operations and Security. This committee evaluates projects involving information technology, including reviewing best practices and change management needs and communicating a company-wide approach. Therefore, the information technology department is aware of system and application implementations prior to execution to facilitate proper application and infrastructure security both during implementation and after implementation. Internal audit is notified of system and application implementations as part of this process as well. The internal audit department works with the information technology department to review information technology projects to ensure key projects are appropriately planned, designed, developed, tested, deployed and maintained, including verifying proper security both during and after implementation.

Information Technology Department: The information technology department consists of employees with extensive cybersecurity experience, including the Chief Information Officer and Corporate Vice President, IT Infrastructure Operations and Security, as well as a team of compliance and security associates. Cybersecurity experience within the information technology department includes prior work experience and bachelor's degrees or higher in technology-related fields. In addition to internal resources, we engage a cyber insurance carrier with comprehensive data privacy and security risk management services; a managed security service provider with comprehensive security solutions, including continuous network monitoring, reporting and assistance with investigation; and an information security consulting company that consists of cybersecurity experts and information security practitioners to provide additional cybersecurity support. We also maintain a system of information technology controls and procedures, including controls and procedures related to authentication and access, recovery plans and secured backups of data, the design of applications and selection of packaged software, and testing of significant changes in applications and infrastructure technology. We also provide training to our employees about cybersecurity, perform penetration testing at least annually, perform security incident preparedness activities at least annually, and perform an annual Payment Card Industry (“PCI”) attestation. Third party providers involving information technology are identified as part of our contract review process. System and Organizational Controls (“SOC”) reports are reviewed annually for third party providers. The information technology department continuously monitors for cybersecurity threats in order to detect if a cybersecurity incident has occurred. The department uses endpoint detection and response (“EDR”) and security information and event management (“SIEM”) with the assistance of our managed security service provider and internal analysts to detect and identify threats. Lastly, we follow the National Institute of Standards and Technology ("NIST") Framework, which enables us to compare ourselves against the industry and manage dynamic cybersecurity risks.

If a cybersecurity incident were to occur, including a cybersecurity incident associated with one of our third-party providers, we have developed an incident response plan to align responsibilities throughout the organization to facilitate an efficient and effective response, as well as an appropriate investigation of each incident. The incident response plan is led by executive management, the Chief Information Officer, the Corporate Vice President, IT Infrastructure Operations and Security, and our information technology department and includes a further delegation of incident responsibility to key internal stakeholders, including the legal, investor relations, human resources, and internal audit departments. Upon identification, each incident is assigned an incident materiality rating based on both quantitative and qualitative considerations. Qualitative considerations include the presence of ransomware, operational degradation or interruption, operational loss, and sensitive or confidential data loss. Based on the severity of each incident, the incident response is escalated. Cybersecurity incidents, regardless of materiality, are investigated by the information technology department led by the Corporate Vice President, IT Infrastructure Operations and Security and are communicated to the Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, Chief Information Officer, the Chairman of the Board of Directors and the Chair of the Audit Committee. The entire Board of Directors is notified of material or high risk incidents.

Risks from cybersecurity threats could materially affect our business strategy, results of operations or financial condition as described under Item 1A in this Form 10-K. There are no known risks from cybersecurity incidents that have materially affected or are reasonably likely to materially affect the registrant as of the date of this filing.