TAKE TWO INTERACTIVE SOFTWARE INC - (TTWO)
10-K Filing Date: May 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Our business operations depend on the availability, integrity and secure processing, storage, and transmission of confidential and sensitive information, including personal information, digitally and through interconnected systems, including those of our vendors, service providers and other third parties on which we rely. Consequently, we maintain a formal information security program, including physical, technical and administrative safeguards, to prevent and mitigate the risks posed by cybersecurity threats and incidents and to identify, analyze, address, mitigate and remediate those incidents that do occur. As part of our program:
a. we regularly review and update at least annually our standard policies and procedures related to information technology and analyze those policies against the standards and controls that we believe are most relevant to our Company set by organizations such as the National Institute of Standards and Technology (NIST) cybersecurity framework and the International Organization for Standardization (ISO);
b. we maintain a dedicated cybersecurity team under the direction of our Chief Technology Officer (CTO) and supported by our Chief Information Security Officer (CISO), each of whom has expertise related to data and network security, data governance and risk management;
c. we regularly test our internal IT controls;
d. we regularly conduct internal vulnerability assessments as well as third-party penetration tests;
e. we maintain, and we require our third-party service providers to maintain, security controls designed to ensure the confidentiality, integrity, and availability of our information systems and the confidential and sensitive information we maintain and process, or which is processed on our behalf;
f. we conduct pre-engagement and recurring reviews of the security controls and security-compliance posture of applicable third-party service providers;
g. all employees are required to complete periodic trainings that cover security and privacy best practices and company policies;
h. we have prepared and regularly review and test our business continuity, disaster recovery and other back-up plans, including as they relate to cybersecurity incidents; and
i. we perform periodic simulations of attack scenarios by an internal “Red Team” to test the efficacy of both security controls and our tactical incident response procedures.
We also work with third-party cybersecurity and data privacy professionals as part of the design and implementation of our information security program, including our auditors, independent assessors (for example, for penetration testing) of our cybersecurity program, internal and external legal counsel, and other consultants.
We have a documented incident monitoring, escalation and reporting process and procedure that we believe to be effective in detecting and analyzing cyber incidents as they occur to determine appropriate response action and reporting, including the materiality of any such incidents to our financial condition and operations. This process includes:
a. continual monitoring of our systems and logs by both dedicated cybersecurity internal and outsourced staff;
b. immediate escalation to and review by our CISO of certain signals, including evidence of external threat actors, ransomware attacks, data exfiltration, identity compromise or unusual requests from management or certain departments;
c. if deemed appropriate, reporting by our CISO to the Company’s Management and its Disclosure Committee, comprised of multi-disciplinary senior leaders across the organization, including representatives of our accounting, human resources, finance, information technology and legal functions, and consultation with internal and external legal counsel, for further review and determination of the scope and materiality of the incident or incidents, including whether public disclosure is appropriate or required; and
d. informing the Audit Committee of our Board of Directors (the “Board”) of significant or material cybersecurity incidents, as appropriate.
All incidents are documented and recorded and catalogued for further review by the CISO and their team. Incidents that are deemed to be significant and/or rise to the level of a “security breach” are documented in a security incident register as part of our established vulnerability monitoring and incident response procedures.
While we, our clients and our vendors are regularly exposed to malicious technology-related events and threats, none of these threats or incidents, either individually or in the aggregate of related occurrences, have materially affected the Company in the period covered by this report. We have faced—and in the future may face—sophisticated attacks, including attacks referred to as advanced persistent threats, which are cyberattacks aimed at compromising our intellectual property and other commercially sensitive information, such as the source code and game assets for our software or confidential customer or employee information, which may remain undetected for prolonged periods of time. In September 2022, we experienced a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from Rockstar Games’ systems, including early development footage for the next Grand Theft Auto. Subsequently, also in September 2022, an unauthorized third party illegally accessed credentials for a vendor platform that 2K Games uses to provide help desk support to its customers. The unauthorized party sent a communication to certain players containing a malicious link. 2K Games immediately notified all affected users and took steps to restrict further unauthorized activity until service was restored. In connection with this activity, we have incurred certain immaterial incremental one-time costs related to consultants, experts and data recovery efforts and we generally expect to incur additional costs related to cybersecurity protections in the future.
In determining materiality, cybersecurity incidents are reviewed not only for potential financial impacts, which could include potential legal and regulatory penalties, stolen assets or funds, system damage, forensic and remediation costs, lost client revenue or litigation costs, but also the breadth and sensitivity of data exposure, data exfiltration, impacts on the ability to operate our business or provide our services, client dissatisfaction, reputational harm, and loss of investor confidence. See Item 1A, Risk Factors, for more information on the cybersecurity threats facing our Company.
Governance
Our Board actively oversees our risk management activities both directly and through its committees and considers various risk topics throughout the year, including, through the Audit Committee, cybersecurity and information security risk management and controls. As part of its oversight function, the Board, directly and through its Audit Committee, oversees the Company’s risk assessment and risk management policies, including related to cybersecurity. At least semi-annually (with respect to the Audit Committee) and annually (with respect to the Board), our CTO and CISO report to the Audit Committee or the Board addressing a broad range of topics, including significant cybersecurity incidents that have occurred, if any, since the last update, the status of projects and initiatives to update our cybersecurity policies and practices, and ongoing efforts to prevent, detect, and respond to internal and external critical threats.
Our senior management is responsible for assessing and managing the Company’s various exposures to risk, including those related to cybersecurity, on a day-to-day basis, including the identification of risks through an enterprise risk management framework and the creation of appropriate risk management programs and policies to address such risks. Our CTO and CISO have primary responsibility for managing our information security program and efforts, including with respect to cybersecurity. They work closely with key stakeholders, including internal committees such as our Cyber Steering Group, peer institutions, and industry groups, in order to manage cybersecurity and information security risk. Our internal audit team is responsible for testing and auditing our information-technology internal controls. In addition, leaders from our communications, finance, legal and risk teams participate in incident response training, including tabletop exercises, designed to enhance our ability to respond to cybersecurity incidents quickly, efficiently and with the appropriate degree of urgency.
We believe our information technology team to be well-qualified in this area. These qualifications include collective decades of professional experience in the field, in both private enterprise and government, and relevant training and certifications, such as Certified Information Systems Security Professional (CISSP) certification, ISO 27001 certification, and other technical cybersecurity certifications from ISC2, the SANS Institute and OffSec, as well as recent participation in IT and cybersecurity programs organized by leading educational institutions with expertise in the field.