LAS VEGAS SANDS CORP - (LVS)
10-K Filing Date: February 07, 2024
ITEM 1C. — CYBERSECURITY
We, together with our third-party vendors, employ information technology including networks, systems, and applications to support our business processes and decision-making across the Company. Our information technology is connected to support the flow of information across our business processes. As such, our information technology infrastructure is susceptible to cybersecurity threats.
We maintain detailed technology and cybersecurity programs to manage information security risk within the Company. We rely on both proprietary and commercially available systems, software, and tools to protect and monitor the processing, transmission, and storage of company data and both customer and team member information. The objectives of our programs are to:
• protect the confidentiality, integrity, and availability of data,
• protect against anticipated threats,
• protect against unauthorized access to our information technology systems,
• safeguard assets, and
• maintain resiliency and recovery plans regarding Company information technology.
To meet these objectives and oversee the programs, we employ a Chief Information Security Officer (“CISO”). The CISO has over 27 years of cybersecurity experience, 25 years of cybersecurity leadership experience, an MBA in Information Systems, a Master of Science degree in operational analysis, and a bachelor’s degree in operations research; holds a Cyber Risk Oversight Certificate from the National Association of Corporate Directors; and is a Certified Information Systems Security Professional (“CISSP”). The CISO works closely with the head of information technology and the data privacy officer to collectively manage our global cybersecurity, information technology and data privacy programs.
Our cybersecurity programs are informed by or aligned to the ISO/IEC 27001 security framework, an internationally recognized standard. As part of our programs, we assess our third-party vendors for relevant risks which may impact the Company.
We also engage third-party providers to perform periodic risk-based assessments of our cybersecurity programs, and leverage our internal audit department, supported by third-party technical experts, to conduct periodic risk-based audits of our cybersecurity programs.
Our Enterprise Risk Management (“ERM”) process, which is governed by an ERM Committee, includes a review of our cybersecurity programs. The ERM Committee, which is led by our executive vice president and chief financial officer, meets regularly, and receives updates from the CISO on emerging risks, recent cyber risk events, and any priority risks relating to cybersecurity. We also have a Cyber & Privacy Steering (“CPS”) Committee, which meets regularly and is comprised of senior management, serving as a multi-disciplinary group for coordinating and overseeing the management of the cybersecurity and privacy programs.
The Audit Committee of the Board of Directors has oversight responsibility for ERM, including the cybersecurity programs. The CISO provides regular updates on cybersecurity to the Audit Committee, including on the cybersecurity aspects noted by the ERM Committee and CPS Committee, and regularly meets with the Audit Committee in executive session. The presentations highlight the state of our cybersecurity and data security programs, as well as our progress on key initiatives in this area.
To date, the Company has not experienced a cybersecurity threat or incident that has materially affected or is reasonably likely to materially affect the Company. The Company, however, has experienced and expects to continue to experience cyber incidents of varying degrees. See “Item 1A. — Risk Factors — Failure to maintain the integrity of our information and information systems or comply with applicable privacy and cybersecurity requirements and regulations could harm our reputation and adversely affect our business.” for more detailed information on cybersecurity risks and the potential impacts.