Expedia Group, Inc. - (EXPE)
10-K Filing Date: February 08, 2024
Part I. Item 1C. Cybersecurity
The Company’s Board of Directors (the “Board”) recognizes that safeguarding the Company’s data, information systems, and technology assets is critical to maintaining the trust and confidence of the Company’s travelers, business partners and employees. The Board actively exercises oversight of the Company’s technological infrastructure, information security and its cybersecurity, which are key components of the Company’s risk management program. The Company’s cybersecurity policies, standards, processes and programs are integrated into its risk management program and are based on industry standard frameworks established by the National Institute of Standards and Technology (“NIST”) and the International Organization for Standardization, among others, as well as on evolving best practices.
Cybersecurity Risk Management and Strategy
The Company’s cybersecurity risk management program is composed of the following key elements:
• Governance. As discussed in more detail under the heading “Cybersecurity Governance” below, as part of its general oversight duties, the Board oversees the Company’s risk management, including its cybersecurity risks. The Board is supported in its oversight of cybersecurity risks by the Audit Committee, which regularly interacts with the Company’s risk management function, the Company’s Chief Security Officer (“CSO”) and the Company’s Chief Technology Officer (“CTO”).
• Risk Assessment and Management. The Company’s cybersecurity risk management program is based on industry standard information security principles and best practices, specifically the NIST Cybersecurity Framework and the Payment Card Industry Data Security Standard (“PCI DSS”). The program encompasses all Company directly-managed brands, entities, and internal organizations other than its publicly-traded trivago subsidiary, which has its own standalone cybersecurity risk management program, and uses a proactive approach to regularly identify and assess cybersecurity threats, vulnerabilities and risks, and to evaluate the effectiveness of implemented security controls through internal audits, external threat intelligence, and periodic external independent assessments. Risks identified and assessed through the cybersecurity risk management program are then communicated to the Company’s senior leadership team and used to prioritize risks based on their potential impact and likelihood as part of the Company’s dynamic risk response strategy.
• Technical Safeguards and Incident Response. The Company classifies its electronic data and information systems based on the sensitivity and criticality of the data involved and deploys commensurate technical safeguards, including but not limited to firewalls, encryption, network segmentation, real-time monitoring, intrusion prevention systems, anti-malware, and access controls. The Company’s cybersecurity incident response plan, modeled on NIST 800-61, is built on a comprehensive framework which sets forth guidance and procedures required for the life cycle of an incident. The plan establishes processes for use by a cross-functional cybersecurity incident response team with the resources necessary to take action in a timely and decisive manner during the response, investigation, and remediation of an incident, and to comply with legal obligations. The Company tests, trains, and evaluates its incident response capabilities on at least an annual basis and updates its incident response plan accordingly. The Company also maintains insurance coverage for cybersecurity incidents.
• Third-Party Risk Management. The Company’s external service provider management program requires all third-party service providers to comply with the Company’s security standards, including notification procedures in the event of an incident involving Company confidential information. The Company requires its service providers to ensure that their own third-party vendors and subcontractors comply with the Company’s security standards when working with Company information. In addition, the Company performs diligence on external service providers and their vendors that have access to the Company’s information and/or information systems, and conducts ongoing monitoring throughout the life of the relationship, including re-assessments in light of any significant changes to the provider’s security controls or technical landscape.
• Education and Awareness. The Company’s mandatory annual cybersecurity employee training program covers critical aspects of digital security, including phishing prevention, threat awareness and safe data handling practices. The annual training program is regularly refreshed based on the evolving security landscape and secure code development. It is also supplemented by awareness initiatives to keep Company personnel updated on cybersecurity threats and the latest security policies and instill a culture of security mindfulness across the organization.
• Continuous Review. The Company regularly reviews its cybersecurity policies, standards, and programs and evaluates the effectiveness of implemented security controls. In addition to performing internal audits, assessments, tabletop exercises, and vulnerability testing, the Company periodically engages third parties to perform information security maturity assessments, audits, cyber breach root cause analysis, and independent reviews of its information security control environment and operating effectiveness. The Company’s CSO provides regular reports on the results of such assessments to the Audit Committee and the Company’s senior leadership team, and the Company adjusts its cybersecurity policies, standards, and programs as necessary based on these reviews.
To date, no risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially adversely affected, or are reasonably likely to materially adversely affect, the Company, including its business strategy, results of operations or financial condition. Although the Company’s cybersecurity risk management program, as described above, is designed to help prevent, detect, respond to, and mitigate the impact of cybersecurity incidents, there is no guarantee that a future cybersecurity incident would not materially adversely affect the Company’s business strategy, results of operations or financial condition. For information regarding cybersecurity risks that the Company faces and potential impacts on its business related thereto, see the disclosure set forth in Part I, Item 1A, Risk Factors, under the caption “System interruption, security breaches and unplanned outages in our information systems may harm our businesses.”
Cybersecurity Governance
The Board, in coordination with the Audit Committee, oversees the Company’s risk management program, which includes risks arising from cybersecurity threats. The Audit Committee regularly receives presentations and reports from both Company management and third parties, as appropriate, that address a wide range of topics related to cybersecurity risks, including evolving standards, third-party and independent reviews, threat environment updates, technology trends and information security considerations arising with respect to the Company’s peers and partners. The Company’s CSO and/or the Company’s CTO regularly meet with the Audit Committee (and, where appropriate, the full Board) to discuss technology, information security and cybersecurity programs, progress updates on the Company’s key cybersecurity initiatives and related priorities and controls. At least annually, the Audit Committee and the full Board receive a comprehensive written report covering the Company’s cybersecurity program and associated risks, and any changes made to the program since the previous report. Additionally, the Audit Committee is promptly apprised of any cybersecurity incident that meets established reporting thresholds, and receives ongoing updates regarding any such incident until it has been resolved. At each regularly scheduled Board meeting, the Audit Committee Chair provides the full Board with an update on all significant matters discussed, reviewed, considered and approved by the committee since the last regularly scheduled Board meeting.
The Company’s CSO, in coordination with the Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), CTO, and Chief Legal Officer (“CLO”), works collaboratively across the Company to implement and monitor a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s cybersecurity incident response plan and its security policy. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CSO, the CTO and other executive leadership team members are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report risks from cybersecurity threats and cybersecurity incidents to the Audit Committee when appropriate.
The CSO has extensive cybersecurity experience, having served in various roles in information technology and information security for over two decades. Before joining the Company, he served as the Chief Cybersecurity Officer of the U.S. division of a large, multinational company. Additionally, the CSO has played an active role in shaping public cybersecurity policy and standards. The CSO holds a Bachelor of Science in Computer Science and is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor. The Company’s CTO holds an undergraduate degree in electrical engineering and a master’s degree in computer engineering, and has held senior technology roles for over 25 years, including serving as either the CTO or Chief Information Officer of four public companies. The Company’s CEO, CFO and CLO each hold undergraduate and graduate degrees in their respective fields, and each have extensive experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.