Hilton Worldwide Holdings Inc. - (HLT)

10-K Filing Date: February 07, 2024
Item 1C. Cybersecurity

Cybersecurity Governance

Hilton has a dedicated Global Information Security team (collectively, the "GIS team") led by our Chief Information Security Officer ("CISO") that is responsible for identifying, assessing, monitoring, managing and communicating the Company's cybersecurity risks. The GIS team is organized into five functional areas: (i) cloud, network and infrastructure architecture security; (ii) application security; (iii) incident response; (iv) endpoint security and vulnerability management; and (v) governance, risk and compliance ("GRC"). Collectively, the GIS team has decades of dedicated cybersecurity experience with personnel certified in various disciplines, including data privacy, enterprise risk management, cloud security and ethical hacking.

While the full board of directors has overall responsibility for risk oversight, for cybersecurity matters it is supported by its Audit Committee, which regularly reports to the full board of directors. The Audit Committee assists the board of directors in monitoring cybersecurity risk by receiving quarterly reports and as-needed updates from the Chief Information Officer and the CISO that cover, among other things, our information security framework, threat assessment, response readiness and training efforts.

Hilton has adopted a Cybersecurity Policy that requires all employees to immediately report a potential cybersecurity incident to the GIS team, and all employees are required to certify their understanding of the Cybersecurity Policy on an annual basis. Our Global Cybersecurity Incident Response Plan ("CIRP") includes the criteria for determining if a cybersecurity incident is considered a qualifying cybersecurity incident ("QCI"), which requires management escalation and review, identifies the first response team and the leadership team responsible for supervising the response and provides guidelines for when and how to communicate such incident to the appropriate members of management and the Audit Committee.

Cybersecurity Strategy and Risk Management

The GIS team leverages several mechanisms to continuously identify and assess cybersecurity risks across the Company and utilizes a GRC platform to monitor identified risks and mitigation and remediation activities. The GIS team uses defined, industry-accepted risk management and controls frameworks to determine the potential likelihood and impact of each risk. Monitoring activities are designed and executed based on the materiality of the assessed likelihood and magnitude of impact of the risks that are identified. The GIS team, with the assistance of third-party consultants, performs application security reviews, penetration tests and gap assessments against certain cybersecurity frameworks. Management reviews any assessments performed by the third-party consultants and determines the final evaluations and communication plan, which the GIS team executes.

In the event of a reported potential cybersecurity incident, a first response team, which includes leaders of the GIS team, other members of management and the legal team, determines without undue delay whether it is a QCI as defined in the CIRP. If an incident is determined to be a QCI, the process included in the CIRP is initiated and such incident is communicated to the designated leadership team, including Hilton's general counsel. Further, appointed leaders collaborate on determining if the incident is material, as well as the resulting response, including any legal and financial reporting obligations of the Company. Information also is provided to additional members of senior management as appropriate. The remediation plan for the QCI is entered within Hilton's GRC platform and monitored and reviewed at least monthly to ensure effective implementation; depending upon the type of incident, additional reporting may be produced and monitored by the GIS team to ensure the effectiveness of the remediation plan. All cybersecurity incidents are tracked within our incident response platform, regardless of the potential materiality of the impact.

We also have a process in place to manage cybersecurity risks associated with third-party service providers. However, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful.

As of the date of this report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. However, as discussed under "Part I—Item 1A. Risk Factors," specifically the risks titled "Failures in, material damage to or interruptions in our information technology systems, software or websites, including as a result of cyber-attacks on our systems or systems operated by third parties that provide operational and technical services to us, costs associated with protecting the integrity and security of personal data and other sensitive information and difficulties in updating our existing software or developing or implementing new software could have a material adverse effect on our business or results of operations" and "Cyber-attacks could have a disruptive effect on our business," the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all security breaches, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.