WW INTERNATIONAL, INC. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

WW INTERNATIONAL, INC. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:29:41 EST.

Filings

10-K filed on 2024-02-28

WW INTERNATIONAL, INC. filed a 10-K at 2024-02-28 16:29:41 EST
Accession Number: 0000950170-24-022144


Item 1C. Cybersecurity.

In the ordinary course of business, we provide proprietary content and we collect, store and use confidential information (including, but not limited to, personal customer information and data) in connection with providing our products and engaging our employees and contractors. We have developed systems and processes designed to protect such content and information and we maintain cybersecurity insurance coverage. Our Board of Directors (the "Board") and management recognize the critical importance of protecting the confidentiality and integrity of such information and data and maintaining the trust and confidence of our members, business partners, employees, contractors and shareholders, as well as complying with applicable regulatory requirements and contractual obligations.

The Board and its committees actively oversee the Company's risk management program. Cybersecurity threats and related risks are an important component of the Company's overall approach to enterprise risk management ("ERM"). We annually examine our cybersecurity program with third parties, evaluating its effectiveness in part by considering industry standards and established frameworks, such as the National Institute of Standards and Technology (NIST), as guidelines.

Cybersecurity risk management is a Company-wide initiative. In general, the Company seeks to address cybersecurity risks through a comprehensive, multi-disciplinary approach that is focused on preserving the confidentiality, security, and availability of the information that the Company collects and stores by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Risk Management and Strategy

As one of the elements of the Company's overall ERM program, the Company's cybersecurity program includes the following key areas:

Governance: As discussed in more detail under the heading "Governance," the Board's oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the "Audit Committee"), which is regularly updated on cybersecurity matters by the Company's Chief Information Security Officer ("CISO"), other members of management, and relevant representatives from management's committees and the Company's Internal Audit function.

Collaborative Approach: The Company has implemented a comprehensive, multi-disciplinary approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company's information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments by internal and third-party experts, and cybersecurity threat intelligence.

Incident Response and Recovery Planning: The Company has established and maintains comprehensive incident response and recovery plans pursuant to the NIST framework that fully address the Company's response to a cybersecurity incident, and such plans are evaluated on a regular basis.

Third-Party Risk Management: The Company has implemented a risk-based evaluation process to identify and oversee cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company's systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

Education and Awareness: The Company provides regular, mandatory training and education for personnel regarding cybersecurity threats as a means to equip the Company's personnel with effective tools to address cybersecurity threats, and to communicate the Company's evolving information security policies, standards, processes and practices.

The Company engages in the regular evaluations of the Company's policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including tabletop exercises and vulnerability testing, focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on certain of our cybersecurity measures, including audits and penetration testing. For example, we annually engage qualified third-party auditors to independently assess and attest to and/or provide certifications of compliance with the HIPAA Security and Privacy Rule, SOC2 Type 2, the Payment Card Industry Data Security Standard (PCI-DSS), and UK CyberEssentials. The results of such assessments, audits and reviews are presented to the Audit Committee and members of the Board, as appropriate, and the Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on such assessments, audits and reviews.

Governance

The Board, in coordination with the Audit Committee, oversees the Company's ERM process.

The Audit Committee oversees our cybersecurity program, as well as the steps management has taken to monitor and control cybersecurity threats and related risks. This oversight includes receiving reports on the regular assessments of the Company's disclosure controls and procedures to ensure that current practices account for material cybersecurity risks facing the Company. The Audit Committee receives presentations on the cybersecurity program and related risks on at least a quarterly basis. These presentations address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to the Company's peers and third parties. The Audit Committee, and the full Board as necessary, also receive prompt and timely information regarding any cybersecurity incident that meets recognized established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.

The Audit Committee routinely meets with our Chief Technology Officer ("CTO") and CISO as well as outside experts as appropriate to assess cybersecurity risks and to evaluate the status of the Company's cybersecurity efforts, which include a broad range of tools and training initiatives that work together to protect the data and systems used in our businesses.

Our cybersecurity management team includes our CISO and Director of Security Operations, Data Privacy Officer, CTO, Chief Financial Officer, General Counsel, and Head of Internal Audit. The CISO, in coordination with the team, works collaboratively across the Company to implement a program designed to protect the Company's information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company's incident response and recovery plans.

The cybersecurity management team meets regularly to review cybersecurity and data privacy strategy, receive updates, and consider the Company's current risk posture. The team meetings also build leadership consensus on cybersecurity risk management and tolerance. In the event they become aware of a cybersecurity threat or incident, employees are expected to follow established lines of communication to notify the relevant members of the cybersecurity management team and allow the relevant team members to coordinate the evaluation and response to such threats and incidents as necessary.

To facilitate the Company's cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and the rest of the cybersecurity management team monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to other members of senior management and the Audit Committee when appropriate. Such plans also dictate notification responses to Company management based on the severity of the incident.

The CISO and Director of Security Operations has worked in the information security field for over 15 years and holds an undergraduate degree in computer systems management and master's degrees in both cybersecurity and technology management. He has also attained multiple cybersecurity-related professional certifications and licenses, including Certified Information Systems Security Professional, and is an adjunct professor of cybersecurity at New York University and Fordham University. The CTO holds a master's degree in microengineering and has served in various leadership roles in computer engineering for more than 20 years.

While we have experienced cybersecurity incidents in the past, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, financial condition, cash flows or reputation. However, cybersecurity threats and/or incidents could have a material effect on the Company. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. For additional information regarding the cybersecurity risks we face, see "Item 1A. Risk Factors - Risks Related to Technology, Security and Intellectual Property" of this Annual Report on Form 10-K.


Company Information

Name: WW INTERNATIONAL, INC.
CIK: 0000105319
SIC Description: Services-Personal Services
Ticker: WW - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 27