ONESPAWORLD HOLDINGS Ltd 10-K Cybersecurity GRC - 2024-02-29

Page last updated on July 16, 2024

ONESPAWORLD HOLDINGS Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 07:49:26 EST.


10-K filed on 2024-02-29

ONESPAWORLD HOLDINGS Ltd filed a 10-K at 2024-02-29 07:49:26 EST
Accession Number: 0000950170-24-022654


Item 1C. Cybersecurity.

Risk Management and Strategy

We manage cybersecurity risks as part of our oversight, evaluation, and mitigation of enterprise-level risks. We have based our cybersecurity program on defined industry accepted frameworks with the goal of building enterprise resilience against an evolving cybersecurity threat landscape and to respond to cybersecurity threats as they materialize. Our program includes identification, assessment, monitoring, and management components, as well as informational and escalation components designed to inform management and the Board of prospective risks and developments.

Our information security program encompasses functions dedicated to both proactive and reactive management of cybersecurity threats. We implement our cybersecurity program internally through maintaining cybersecurity policies; deploying updated security technologies; using third-party services and consultants to support and improve our cybersecurity program. Our proactive management of cybersecurity risks entails many actions, including actively monitoring our information technology systems; engaging service providers to monitor and, as appropriate, respond to cybersecurity threats; developing and updating incident response plans to address potential cybersecurity threats; and training our personnel on cybersecurity.

We regularly engage third-party auditors and consultants and leverage our internal information security, audit, and compliance functions to assess various facets of our cybersecurity program. We also maintain enterprise-wide processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. We assess cybersecurity contingencies within our overall business continuity risk management planning process. Our information technology and information security teams utilize various technology tools to prevent, monitor, detect, and respond to cybersecurity threats.
Our incident response policy outlines processes, roles, responsibilities, notifications, and other communications applicable to the assessment, mitigation, and remediation of realized cybersecurity events. The nature and scope of assessed risk of a realized cybersecurity event dictates the pace and extent of relevant processes, and communications, including an evaluation of any necessary or required disclosure. Depending on its nature and scope, a cybersecurity threat may be managed within our Information Security Operations Committee (ISOC), responsible for day-to-day management of cybersecurity risks, and escalated to our executive management team, the Board, and the Audit Committee, as appropriate.

We have not historically been materially impacted by risks from cybersecurity threats and as of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, the breadth and scope of cybersecurity threats have grown over time and our systems and networks may be the target of increasingly sophisticated cyberattacks. For more information on our cybersecurity risks and their potential impact to our business, see Item 1A, “Risk Factors-Risks related to our Business-We May Be Exposed to the Threat of Cyber Attacks and/or Data Breaches, which Could Cause Business Disruptions and Loss.”

Governance

Management, under the supervision of our Chief Financial Officer (CFO) is directly responsible for assessing and managing cybersecurity risks and otherwise implementing our cybersecurity program. The CFO reports directly to the Executive Chairman. Our CFO regularly updates our Board and Audit Committee on cybersecurity matters. In addition to providing regular updates to our Board and Audit Committee, the CFO is a member of the ISOC.
The ISOC is also composed of leadership from a variety of functions, including information technology, information security, audit, compliance, finance and legal (when needed), to assess and manage cybersecurity developments and risks and our internal programs. Our Chief Information Officer (“CIO”) has over 25 years’ experience in information technology, including cybersecurity, and is supplemented by our Information Security and Compliance Manager, who also has over 25 years of experience in audit, compliance and cybersecurity, and maintains Certified Information Systems Auditor and Certified in Risk and Information Systems Control professional certifications. In addition to the ISOC, the CFO may call upon other business and legal stakeholders across our company to help manage cybersecurity threats and incidents.

Our Audit Committee is responsible for oversight of our programs, policies, procedures, and risk management activities related to information security and data protection. The Audit Committee meets regularly with the CFO and CIO to discuss threats, risks, and ongoing efforts to enhance cyber resiliency, as well as changes to the broader cybersecurity landscape. Our Board also periodically participates in presentations on cybersecurity and information technology from internal leadership and external advisors. In addition to regular presentations, management promptly updates our Board and Audit Committee regarding significant threats and incidents as they arise.

Company Information

SIC Description: Services-Membership Sports & Recreation Clubs
Ticker: OSW - Nasdaq; OSWWF - OTC
Emerging growth company
Fiscal Year End: December 30