MARRIOTT INTERNATIONAL INC /MD/ - (MAR)
10-K Filing Date: February 13, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
We manage risks from cybersecurity threats through our overall enterprise risk management process, which is overseen by our Board. Management has created a global information security program, which encompasses a dedicated global information security team and policies, procedures, and processes for assessing, identifying, and managing risks from cybersecurity threats. Marriott’s policies, procedures, and processes follow recognized frameworks established by the National Institute of Standards and Technology (“NIST”) and the International Organization for Standardization, as well as other relevant standards. Our program is designed to maintain the confidentiality, integrity, security, and availability of the data that is created, collected, stored, and used to operate our business.
We assess, identify, and manage risks from cybersecurity threats through various mechanisms, which from time to time may include tabletop exercises, business unit assessments, control gap analyses, threat modeling, impact analyses, internal audits, external audits, vulnerability scans, penetration tests, and engagement of third parties to conduct analyses of our information security program. We obtain cybersecurity threat intelligence from recognized forums, third parties, and other sources as part of our risk assessment process. We also maintain a risk-based approach for assessing, identifying, and managing risks from cybersecurity threats associated with third party service providers, owners, franchisees, and other companies with whom we do business.
With respect to incident response, we maintain a Global Information Security & Privacy Incident Response Plan (“IRP”), which applies globally to information security incidents involving properties owned, leased, or managed by Marriott, as well as our above-property business locations. Franchisees are responsible for information security at franchised properties and the systems and business processes related to information security that are under their direction and control. Franchisees are required to comply with brand standards relating to information security, which include an obligation to report information security incidents to us.
Our IRP sets out a coordinated, multi-functional approach for investigating, containing, and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. In general, our incident response process follows the NIST framework and focuses on four phases: (i) preparation; (ii) detection and analysis; (iii) containment, eradication, and recovery; and (iv) post-incident remediation.
We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our overall business strategy, results of operations, or financial condition over the long term. See the discussion about the Starwood Data Security Incident under the “Litigation, Claims, and Government Investigations” caption in Note 7 of our financial statements, the discussion of the same in Part II, Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” and the discussion of cybersecurity risk in Part I, Item 1A, “Risk Factors.”
Governance
Our Board has established a Technology and Information Security Oversight Committee (“TISOC”) to assist the Board in providing oversight of matters pertaining to technology, information security, and privacy, including risks from cybersecurity threats; management’s efforts to monitor and mitigate those risks; and significant cybersecurity incidents. The TISOC meets at least four times a year and typically receives quarterly reports from our Chief Information Security Officer (“CISO”) and other members of management. Risks from cybersecurity threats are also discussed with the full Board as part of regular legal updates and management presentations, the Board’s oversight of enterprise risk management, and periodic education sessions. The Board’s Audit Committee also receives reports regarding information security and technology-related audits conducted by our internal audit department.
To establish, implement, and evaluate our risk management policies and practices with respect to cybersecurity threats, and to facilitate the communication of such matters to the Board and to the TISOC, we have established a number of management committees, several of which include senior leaders and direct reports of the Company’s President and CEO, that serve as our policymaking and management-level governing bodies with respect to our information security and data privacy programs; oversee the implementation of our information security and data privacy risk management strategy; and identify, consider, and escalate information security and data privacy issues that may arise in our business.
Our global information security team led by our CISO works in coordination with these management committees and other cross-functional teams and is principally responsible for overseeing our information security strategy, working collaboratively with business leaders across the organization to assess, identify, and manage risks from cybersecurity threats, and to address cybersecurity incidents when they arise. Our global information security program is operated on a 24/7 basis to address risks from cybersecurity threats and to respond to cybersecurity incidents globally.
Our CISO and other members of senior management responsible for our information security program have extensive experience assessing and managing risks from cybersecurity threats, including decades of experience in information technology and information security positions; serving in information technology leadership positions at other large public companies; and having other significant experience in the areas of risk management, information technology, and information security. Our CISO has more than 26 years of experience in information technology and/or information security, including more than 12 years in such positions in the hospitality industry.