WYNDHAM HOTELS & RESORTS, INC. - (WH)
10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity.
Our cybersecurity program incorporates a robust process for the assessment, identification, and management of material risks from cybersecurity threats. This begins with our threat intelligence program, which integrates several methods to identify potential threats to the Company, including paid and unpaid threat feeds, custom threat alerts, keeping abreast of the latest threats to the technologies that exist within our information systems, and daily dialogue with industry peers regarding threats to the hospitality industry as a whole.
Information regarding these threats is then built into our security tools. This takes the form of hardening systems through vulnerability identification and patching, as well as enabling early detection and response capabilities across our network and endpoints. Any detected threat or potential cybersecurity incident is handled by our hybrid Security Operations Center, or “SOC,” which utilizes both internal and external resources for 24/7 monitoring and is responsible for triaging and appropriately handling or escalating the potential incident.
Other than the incidents that occurred prior to the Spin-Off, described in more detail in “Item 1A. Risk Factors—Failure to maintain the security of personally identifiable and proprietary information, non-compliance with our contractual obligations regarding such information or a violation of our privacy and security policies or processes with respect to such information could adversely affect us,” as of the date of this Annual Report we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. There is no guarantee that such risks will not evolve in the future and materially adversely affect the Company, or that our processes to manage cybersecurity risks, including those described here, will operate effectively and as designed.
Board & Management Cybersecurity Risk Oversight
We incorporate all of the Company’s cybersecurity processes and assessments into our overall enterprise risk program. This allows us to develop a complete consolidated view of our risk factors across our cybersecurity, information technology, and business functions. As part of the Company’s enterprise risk program, the Information Risk Committee (“IRC”) is responsible for developing and coordinating the Company’s cybersecurity policy and strategy, and for managing the prevention, detection, mitigation and remediation of cybersecurity incidents. The IRC is chaired by the Chief Information Security Officer (“CISO”) and the Senior Vice President – Legal (“SVP – Legal”) responsible for Privacy and Compliance Issues, with the Chief Financial Officer, Chief Information and Distribution Officer, and the General Counsel and Chief Compliance Officer as members. The IRC meets regularly to review operations of the Company’s cybersecurity programs and processes, and to discuss emerging legal, technical, or other risks. The Audit Committee of the Board is the Board-level committee with oversight of privacy and security matters. The IRC updates the Audit Committee quarterly to provide risk updates and general education on privacy and information risk trends. The Board is made aware promptly of any cybersecurity incidents that are deemed critical or that could potentially have an impact on the business. The Board also receives periodic privacy and security awareness training from third-party subject matter experts.
Our CISO has been with Wyndham since 2012 and has worked in the cybersecurity industry for 19 years. Prior to his time at Wyndham, as a forensic investigator, he performed cyber investigations in both civil and criminal matters and worked closely with various industries to educate and provide guidance on cybersecurity best practices. The SVP – Legal has been with the Company since 2010 and has served in his current role since 2019. The SVP – Legal leads the legal team responsible for, among other things, corporate secretary matters, SEC reporting, privacy, compliance and legal operations. The SVP – Legal has several years of experience managing risks related to the Company’s operations, including data privacy. The IRC also includes our Chief Information and Distribution Officer, Chief Compliance Officer and Chief Financial Officer, each of whom has over 15 years of business and senior leadership experience managing risks in their respective fields, collectively covering aspects of cybersecurity, technology strategy, capital allocation and compliance.
Cybersecurity Incident Response Plan
We have established a Cybersecurity Incident Response Plan (“CIRP”), which details the steps to be followed to properly respond to, contain, and remediate a cybersecurity incident. Within this plan, there are also engagement processes for our external cybersecurity incident response firm, which also assists Wyndham’s cybersecurity team by annually testing the CIRP through custom tabletop exercises. The CIRP provides a process for escalating certain cybersecurity incidents to the IRC and to other members of management to facilitate management-level consideration as to whether a cybersecurity incident may be material to the Company and whether public disclosure of the incident is required.
Information Security Program
Access to our information systems is managed through our Identity and Access Management process, which governs the appropriate level of access for each user on an ongoing basis. Wyndham performs a certification process bi-annually to ensure the accuracy and completeness of each user’s access.
Tracking and measuring of the above certification processes takes place within our Information Security Program. This program reports on the risks and remediation progress across our information systems, as well as measures them against our own standards and processes, which have been developed in part using the National Institute of Standards and Technology Cybersecurity Framework 2.0. The Information Security Program also measures the overall cybersecurity program against other key regulatory standards such as the Payment Card Industry standard known as PCI 4.0 and the Sarbanes-Oxley Act of 2002.
Third Party Risk Program
The Company’s third-party risk program includes a process for assessing and overseeing the risk profile of third parties we do business with at the time of contract execution and also in the event that the scope of the work done with any third party materially changes.
Our teams conduct vendor risk assessments of third-party suppliers that may receive access to personal data or connectivity to Wyndham’s systems. These vendor risk assessments include information security control assessments and privacy impact assessments, regardless of the sensitivity of the personal data potentially involved. The teams conduct similar internal assessments should any process potentially result in a significant change to the Company’s data processing practices concerning sensitive data, or have a potentially material impact on individuals’ data and respective rights.
The data from the threat intelligence program mentioned above also feeds into a third-party risk evaluation to ensure that any impactful event (cyber or otherwise) experienced by a third party doing business with Wyndham is considered in the risk profile of that organization.
Cybersecurity Insurance
To help mitigate the financial risks associated with any cybersecurity incidents, Wyndham Hotels also maintains cyber insurance that is renewed annually and covers both cyber events and business interruption. We closely monitor the costs of breaches within the industry in an effort to ensure that our coverage is sufficient to address all reasonably foreseeable threats and levels of risk.