DiamondRock Hospitality Co 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

DiamondRock Hospitality Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 15:12:10 EST.

Filings

10-K filed on 2024-02-28

DiamondRock Hospitality Co filed an 10-K at 2024-02-28 15:12:10 EST
Accession Number: 0001298946-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cyber Risk Management and Strategy We and our property managers rely on information technology in our operations, and any material failures, inadequacies, interruptions, security failures, social engineering attacks or cyber-attacks could harm our business. To help manage these risks, we engage and rely on external experts, internal auditors, and third-party assessors, including an information technology managed services provider. Our managed services provider currently provides us with both a virtual chief information security officer (vCISO) and a virtual chief information officer (vCIO), who offer us advice on technology, infrastructure, management, and productivity in relation to our information technology capabilities. Our current view of cybersecurity risk is informed by a risk assessment conducted by a leading third-party assessor based on a recognized industry framework, which evaluated our cyber risk management controls. Our managed services provider also conducts periodic assessments of certain applications on our systems to determine, in part, any necessary security improvements. Our senior management reviews assessments performed by third-party assessors and our managed services provider to determine the appropriate treatment of identified risks. -35- Table of Contents We have also developed and have begun implementing a cyber risk management program for our third-party property managers. This program aims to assess the cybersecurity maturity of various commercial properties that we own through an evaluation of our property managers cybersecurity risk profile. We, like other companies in our industry, face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to and security incidents related to our data and systems. For more information about the cybersecurity risks we face, see Item 1A “Risk Factors.” Governance Related to Cybersecurity Risks DiamondRock engages a managed services provider, which includes vCISO and vCIO services, to assist DiamondRock with the identification, monitoring, and management of cybersecurity risks. Our managed services provider reports periodically to our management team, including our Chief Accounting Officer & Treasurer and General Counsel & Chief Risk Officer. These senior executives then brief the Board on information regarding security matters at least quarterly. Additionally, we provide cybersecurity training for all Board members and senior executives. As part of its charter, the Audit Committee oversees our policies with respect to risk assessment and risk management, including with respect to cybersecurity risks. The Audit Committee administers its risk oversight function by receiving regular reports from members of senior management, including the Chief Accounting Office & Treasurer and General Counsel & Chief Risk Officer, on areas of material risk to the Company. Our Audit Committee discusses DiamondRock s cybersecurity program at least annually, and receives quarterly updates from internal audit or management on cybersecurity incidents or other developments. Our Board of Directors plays an important role in the risk oversight of the Company. Our Board is involved in risk oversight through its direct decision-making authority with respect to significant matters and the oversight of management by the Board s committees. Our Board also relies on management to bring significant matters impacting DiamondRock to its attention. -36- Table of Contents

Company Information