Sabre Corp - (SABR)

10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. We maintain a dedicated cybersecurity risk management function, which is integrated as part of our overall enterprise risk management program. Our key cybersecurity risks include, among others, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; remote working environments; and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage these risks.
To identify and assess material risks from cybersecurity threats, members of our cybersecurity risk management function, which is led by our Chief Information Security Officer ("CISO"), consider cybersecurity threats within the context of our business environment. Cybersecurity risks are managed through technological, process, and administrative controls that are designed to target the mitigation of risk to levels acceptable to the business. Risk assessment and management include processes for managing third-party cybersecurity risk. These processes provide that third-party cybersecurity risk assessments are to be performed prior to a vendor’s engagement, upon contract renewal, and as we may otherwise require. Our formal cybersecurity policy program, which includes a collection of security policies and procedures, is in place to establish requirements, standards, and security controls designed to protect Sabre's technology environment.
We employ information technology and cybersecurity technologies that are designed to protect Sabre's technology environment, detect threats, respond to threats and help support operational resilience. These technologies facilitate the identification of threats and vulnerabilities that may exist in the Sabre technology environment. Protective measures are employed to counter threats and mitigate risk, supporting operational resilience of our technology products. These tools include cloud security posture management, workload protection, endpoint detection and response, network firewalls and intrusion detection systems, identity and access management tools, data protection technologies and logging, monitoring, and alerting tools. Accompanying these tools are various processes such as security education and awareness training, security maturity assessments, vulnerability assessments, threat intelligence and hunting, penetration testing, and tabletop exercises to inform our professionals’ risk identification and assessment. We practice data protection techniques and processes that are designed to treat our customer data with care. We also utilize third parties, consultants, and auditors to regularly assess our security program. These assessments include periodic security maturity assessments in which third parties assess security program maturity against established standards and industry benchmarks. We also annually engage a Qualified Security Assessor to conduct payment card industry certification on all applicable products and solutions.
Our cybersecurity incident response plan describes the activities we take to identify, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to provide appropriate reporting and escalation. The program includes appropriate activities to escalate potentially material security incidents to our disclosure committee for review.
Based on the information we have as of the date of this Annual Report with respect to the periods beginning with those covered by this Annual Report, we do not believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. We, like most technology companies, are the target of cybercriminals who attempt to compromise our systems. We describe risks relating to cybersecurity threats, including as a result of previous cybersecurity incidents in “Item 1A. Risk Factors” in this Annual Report on Form 10-K, under the headings “Our success depends on maintaining the integrity of our systems and infrastructure, which may suffer from failures, capacity constraints, business interruptions and forces outside our control.” and “Security incidents expose us to liability and could damage our reputation and our business.”
Cybersecurity Governance
The Audit Committee of our Board of Directors has oversight authority to review our plans to mitigate cybersecurity risk. At least quarterly, the Audit Committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards risk-management-related goals, our incident response plan, and potentially material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to these risks. In such sessions, the Audit Committee generally receives materials including a cybersecurity risk profile scorecard and other materials indicating current and emerging cybersecurity threat risks, and describing the company’s ability to mitigate those risks, and discusses such matters with our Chief Information Officer, our CISO, and our Data Privacy Officer. Members of the Audit Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Cybersecurity risks are also considered during separate Audit Committee, Technology Committee and Board of Directors meeting discussions of matters such as enterprise risk management, the annual planning process, our technology transformation, corporate development activity, and other relevant matters.
We also maintain a Cybersecurity Governance Committee, led by our CISO and comprised of senior cross-functional leaders including product, development, operational, and corporate business leaders. The committee oversees our cybersecurity risk management and strategy processes, which are discussed above. Our CISO has over 25 years of prior work experience in various roles involving managing cybersecurity risk, developing cybersecurity strategy, implementing effective information and cybersecurity programs and leading information technology and cybersecurity teams. He graduated with a Bachelor of Science and Master of Science Degree in Electrical Engineering as well as three additional master’s degrees, including a Master of Business Administration, and he is a Certified Information Systems Security Professional (ISC2) as well as a Certified Chief Information Security Officer (EC Council).
Members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, the Audit Committee has oversight authority and receives reports regarding cybersecurity threat risks, as well as other cybersecurity-related matters, on at least a quarterly basis.