Playa Hotels & Resorts N.V. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Playa Hotels & Resorts N.V. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:06:42 EST.

Filings

10-K filed on 2024-02-22

Playa Hotels & Resorts N.V. filed a 10-K at 2024-02-22 16:06:42 EST
Accession Number: 0001692412-24-000075


Item 1C. Cybersecurity.

We believe we maintain an information technology and cybersecurity program appropriate for a company our size taking into account our operations.

Management and Board Oversight

The Company employs a robust system of information technology and cybersecurity controls across its enterprise to assess, identify, and manage material risks from cybersecurity threats. This framework is implemented and overseen by management's information security and compliance department, which is led by the Company's Vice President, IT Security & Compliance. The Vice President, IT Security & Compliance, who reports directly to the Senior Vice President, Information Technology, has a Bachelor of Science in Commerce, with concentrations in management information systems and marketing, and has over 30 years' experience in all aspects of IT, including managing development, operations, cybersecurity, and other key areas. The Senior Vice President, Information Technology, has an Executive Technology Leadership Certificate in IT from Cornell University and has over 25 years of IT experience leading large-scale initiatives to enhance infrastructure and architecture based on emerging technologies and strategies. The Vice President, IT Security & Compliance and the Senior Vice President, Information Technology, provide regular briefings for our senior management team on cybersecurity matters, including threats, events, and program enhancements. The Company also has a network of regional information technology directors stationed in each region where our resorts are located, who are integrated into the overall enterprise information technology security and compliance program. The Company references a recognized third-party cybersecurity framework to evaluate and manage cyber risk within the Company. We regularly benchmark against this framework and use the findings to develop our cybersecurity roadmap for ongoing evolution and improvement.

In the event of an incident which jeopardizes the confidentiality, integrity, or availability of our information technology systems, our information security and compliance team utilizes a regularly updated cybersecurity incident response plan ("IRP"). The IRP has been designed taking into account a third-party cybersecurity framework focused on properly containing, investigating, and fully eradicating an incident. Pursuant to that plan and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing and resolving the incident as quickly and efficiently as possible, mitigating damage to the Company's systems and networks, minimizing impact on the Company's stakeholders, analyzing and executing upon reporting obligations associated with the incident, and performing post-incident analysis and program improvements. While the particular personnel assigned to an incident response team, including specified external forensic investigators and advisors, will depend on the particular facts and circumstances, the response team is led by the Vice President, IT Security & Compliance or his delegee. The plan also designates responsibility to specified members of our senior management for Company disclosure determinations related to the incident.

Pursuant to its charter, the Audit Committee of the Board of Directors, which consists solely of independent directors and whose chair has cybersecurity experience, reviews, discusses with management, and oversees the Company's privacy, information technology and security, and cybersecurity risk exposures, including: (1) the potential impact of those exposures on the Company's business, financial results, operations and reputation; (2) the programs and steps implemented by management to monitor and mitigate any exposures; (3) the Company's information governance and information security policies and programs; and (4) major legislative and regulatory developments that could materially impact the Company's privacy, data security and cybersecurity risk exposure. The Audit Committee receives quarterly updates from the Company's Senior Vice President, Information Technology, Vice President, IT Security & Compliance, internal audit function, and/or other members of our executive leadership team, including a detailed threat assessment relating to information technology and cybersecurity risks as well as short- and long-term plans to mitigate identified risks and invest in new technological solutions and resources to support our cybersecurity program. The Board of Directors also receives updates on cybersecurity matters from the Company's Senior Vice President, Information Technology, Vice President, IT Security & Compliance, internal audit function, and/or other members of our executive leadership team on at least an annual basis, with periodic updates provided as needed. The Audit Committee and the Board consider cybersecurity as part of the Company's business strategy, financial planning, and capital allocation. Annually, we offer cybersecurity training programs to our Board. The cybersecurity trainings are designed to provide Board-level insight into cybersecurity strategy, leadership, and management in addition to organizational best practices to prepare for, protect against and respond to new and emerging cybersecurity risks and breaches.

Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

The Company's cybersecurity program focuses on (1) preventing and preparing for cybersecurity incidents, (2) detecting and analyzing cybersecurity incidents, and (3) containing, eradicating, recovering from and reporting cybersecurity events. These processes and procedures for managing material risks from cybersecurity threats are integrated into the Company's overall enterprise risk management systems and processes.

Prevention and Preparation

The Company employs a variety of measures to prevent threats related to privacy, information technology and security, and cybersecurity, which include password protection, frequent mandatory password change events, multi-factor authentication, internal phishing testing, and vulnerability scanning and penetration testing. The Company utilizes industry-leading solutions for endpoint detection and response, patch management, email security, network security, and privileged access management to provide a layered approach to data security. Third-party cyber readiness assessments are conducted on a recurring basis and third-party tools are utilized to identify potential vulnerabilities. In addition to the third-party cybersecurity framework referenced above, regular cybersecurity reviews are conducted with internal audit. We recognize that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, each of our associates is required to complete information security and data privacy training on an annual basis to reinforce awareness of cybersecurity risks to the organization.

We recognize that third parties that provide services to the Company can be subject to cybersecurity incidents that could impact the Company. To mitigate third-party risk from our vendors that hold financial or customer data, we maintain a vendor code of conduct, which is designed to require our third-party vendors to comply with our requirements for maintenance of passwords, as well as other confidentiality, security, and privacy procedures. Third-party IT vendors are also subject to additional diligence such as questionnaires and inquiries. As discussed above, to support our preparedness we have an IRP that we regularly update, as well as a quick reference checklist and response playbooks with step-by-step actions for significant threat categories. In addition, we perform tabletop exercises and periodic drills at least once a year to test our incident response procedures, identify improvement opportunities and exercise team preparedness. We also maintain cybersecurity insurance providing coverage for certain costs related to security failures and specified cybersecurity-related incidents that interrupt our network or the networks of our vendors, in all cases up to specified limits and subject to certain exclusions.

Detection and Analysis

Cybersecurity incidents may be detected through a variety of means, which may include, but are not limited to, automated event-detection notifications or similar technologies which are monitored by our cyber defense team, notifications from employees, vendors or service providers, and notifications from third-party information technology system providers. Once a potential cybersecurity incident is identified, including a third-party cybersecurity event, the incident response team designated pursuant to our IRP follows the procedures set forth in the plan to investigate the potential incident, including determining the nature of the event (e.g., ransomware or personal data breach) and assessing the severity of the event and the sensitivity of any compromised data.

Containment, Eradication, Recovery, and Reporting

In the event of a cybersecurity incident, the incident response team is initially focused on containing the cybersecurity incident as quickly and efficiently as possible consistent with the procedures in the IRP. Containment procedures may include off-lining systems, including by disconnecting, disabling, or segmenting network access for computers known to be infected or impacted, installing security patches to resolve malware issues or network vulnerabilities, resetting passwords for users with accounts that were breached, or blocking accounts of insiders who may have caused the incident, and coordinating with service providers. Once a cybersecurity incident is contained, the focus shifts to remediation. Where appropriate, third-party forensic providers and other managed service providers may be brought in to assist with the investigation and remediation process. We have relationships with a number of third-party service providers to assist with cybersecurity containment and remediation efforts, including a security operations center (SOC) provider, specialists in backup and recovery, a forensic investigation firm, a ransomware recovery vendor, insurance providers and various law firms. Our IRP requires prompt notification of our senior management in the event of a cybersecurity incident that has impacted or is expected to impact the Company and prompt briefings on subsequent developments as appropriate. The IRP also addresses senior management responsibility, subject to Audit Committee oversight, with respect to disclosure determinations related to the cybersecurity incident. The IRP provides for Audit Committee and Board briefings as appropriate.

Following the conclusion of an incident, the Company, with the assistance of the incident response team, will generally reassess the effectiveness of the cybersecurity program and IRP, make adjustments as appropriate and report to our senior management and Audit Committee on these matters.

Cybersecurity Risks

As of December 31, 2023, we are not aware of any material cybersecurity incidents that impacted the Company in the last three years. However, we routinely face risks of potential incidents, whether through cyber-attacks or cyber intrusions over the Internet, ransomware and other forms of malware, computer viruses, attachments to emails, phishing attempts, extortion or other scams. Although we make efforts to maintain the security and integrity of our information technology systems, these systems and the proprietary, confidential, and personal information that resides on or is transmitted through them are subject to the risk of a security incident or disruption, and there can be no assurance that our security efforts and measures, and those of our third-party providers. For a discussion of these risks, see Item 1A, Risk Factors, "Cyber risk and the failure to maintain the integrity of internal or guest data could harm our reputation and result in a loss of business and/or subject us to costs, fines, investigations, enforcement actions or lawsuits."


Company Information

Name: Playa Hotels & Resorts N.V.
CIK: 0001692412
SIC Description: Hotels & Motels
Ticker: PLYA - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30