VIAD CORP 10-K Cybersecurity GRC - 2024-03-01

Page last updated on April 11, 2024

VIAD CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-01 14:35:03 EST.

Filings

10-K filed on 2024-03-01

VIAD CORP filed an 10-K at 2024-03-01 14:35:03 EST
Accession Number: 0000950170-24-023724

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBER SECURITY Cybersecurity Risk Management and Strategy We maintain a team, tools, policies, and processes for identifying, assessing, and managing material risks from cybersecurity threats. Threats like malware attacks, system vulnerabilities, and data breaches are actively identified, monitored, evaluated, and mitigated along with other Company risks. Our security team maintains centralized documentation regarding known security risks and mitigation. Consideration of material risks from cyber threats is integrated into our enterprise risk management processes and is a standing agenda item for discussion at our Audit Committee meetings. An Information Security Executive Committee representing multiple areas of the Company is responsible for assessing material risks from cybersecurity threats and represents multiple functions of the business including Finance, Human Resources, Legal, and the Information Technology ( IT ) departments. We have certain employee cybersecurity awareness campaigns and training designed to help promote a culture of cybersecurity awareness throughout the organization. Cybersecurity tools, processes, policies, and controls are periodically reviewed and updated in response to changes in the business environment and evolving threats, as well as to align with broader risk management objectives. Our information security function, led by our Chief Information Officer ( CIO ), implements and maintains the processes and controls to help identify, assess, and manage material risks from cybersecurity threats. These controls include, but are not limited to, the following Center for Internet Security ( CIS ) controls: Account Management; Access Control Management; Continuous Vulnerability Management; Network Infrastructure Management; Incident Response Management; Security Awareness and Skills Training; and Data Protection - Encrypt Data on End-User Devices. Supporting these controls are specific security measures that include threat intelligence monitoring, vulnerability scanning, and policy enforcement. We use third-party service providers to assist us in identifying, assessing, and managing material risks from cybersecurity threats, including professional service firms, legal counsel, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, and forensic investigators. We have a Cybersecurity Incident Response Plan ( IRP ) that includes procedures for responding to and, to the extent applicable, disclosing material cybersecurity incidents in a timely manner. We have third-party risk management processes designed to assess risks from key vendors and suppliers, including application providers and hosting companies. Key software service providers utilized by the Company undergo a review process for security, reliability, and effectiveness. We have processes in place to address access to our network by such third parties, to the extent applicable, including network access controls designed to provide access on a least privilege basis. For a discussion of risks from cybersecurity threats that may materially affect the Company, see Risk Factors under the heading Cybersecurity and Data Privacy Risks . (Part I, Item 1A of this 2023 Form 10-K). Cybersecurity Governance Cybersecurity risk management is a part of our risk management process and is subject to oversight by our Board of Directors and management. Our Board of Directors has delegated oversight and mitigation of risks from cybersecurity threats to our Audit Committee. Our Audit Committee receives quarterly reports from either our CIO or our General Counsel concerning any significant cybersecurity threats, risks, and the tools and processes we have implemented for mitigation. Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of management including the following: 14 The Information Security Executive Committee consists of our General Counsel, Chief Accounting Officer, Chief Compliance Officer, CIO, and Vice Presidents of Human Resources from select business units. They are responsible for setting broad policy and communicating to the Chief Executive Officer, Chief Financial Officer, and the Board of Directors on potential material cybersecurity incidents, which may require disclosure. The Information Security Council consists of our CIO, Chief Information Security Officer ( CISO ), in-house information security experts, and information technology experts and leaders from across the Company. The CIO leads this committee and communicates with the Information Security Executive Committee as required. The Information Security Team consists of cybersecurity professionals primarily responsible for managing cybersecurity at Viad. This team has the primary responsibility for identifying, assessing, and managing material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware, software, and critical data. This team is led by our CIO, who has over 30 years of experience in information technology including cybersecurity oversight. This team includes the following: The CISO is an external expert who works with the Viad Information Security team on a fractional basis, reporting directly to the CIO and reporting periodically to our Board of Directors. The CISO is an information security professional with over 20 years of experience guiding and overseeing multiple companies development and implementation of information security strategy. The Vice President of Global Infrastructure is an internal role directly reporting to the CIO and responsible for implementing, maintaining, and providing oversight of the IT Infrastructure and the Information Security Team. The Security Architect is an internal role who leads the day-to-day operations of the Information Security team and oversees the individual analysts and IT experts on the team. The Security Incident Response Team ( SIRT ) is responsible for executing the IRP. The SIRT comprises individuals from multiple departments, divisions, and disciplines. Members of the SIRT are trained in incident response and reporting procedures.

Company Information