Soho House & Co Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

Soho House & Co Inc. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-03-15 19:24:44 EDT.

Filings

10-K filed on 2024-03-15

Soho House & Co Inc. filed a 10-K at 2024-03-15 19:24:44 EDT
Accession Number: 0000950170-24-032418


Item 1C. Cybersecurity.

Management policies and procedures

We recognize the need to protect our data, systems and technology. We have described related risks in Item 1A under the heading "Risks Related to our Technology and Data." We have previously assessed and periodically measure our security maturity using the US National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), supported by other internal and third-party assessments. Gaps or perceived weaknesses in our NIST CSF score are highlighted to our Cybersecurity Risk Committee and subsequently to the Board of Directors. A reassessment of our maturity using NIST CSF is being carried out in the early part of 2024. These assessments allow us to prioritize investment into those areas which provide the greatest improvement in the CSF scoring and, by implication, our ability to identify, protect, detect, respond and recover from information and cybersecurity incidents. Risks are recorded in OneTrust and are formally assessed monthly, considering likelihood and potential impact, and mitigating actions are implemented where possible to reduce identified risks. Controls designed to reduce or eliminate risk are designed into our technology, processes and management of third parties. We conduct regular vulnerability scanning and use a third party for regular penetration testing designed to help us identify new weaknesses or vulnerabilities. In addition, we use the same third party to help us conduct cybersecurity incident simulations, which are subsequently used to inform updates to our Cybersecurity Incident Response Plan. We also have procedures designed to assess risks related to the use of third-party suppliers. In the previous 12 months, we have not identified any risks from cybersecurity threats, including those from any previous cybersecurity incidents, that have materially affected us, our business strategy, results of operations or financial condition.

For additional information about the cybersecurity risks we face, see the risk factors entitled "A cybersecurity attack, data breach or other security incident experienced by us or our third-party service providers may result in negative publicity, claims, investigations and litigation and adversely affect our business, results of operations and financial condition" and "If we fail to properly maintain the confidentiality and integrity of our data, including member and customer credit or debit card and bank account information and other PII, or if we fail to comply with applicable laws, rules, regulations, industry standards and contractual obligations relating to data privacy, protection and security, it may adversely affect our reputation, business and operations," in Item 1A, Risk Factors.

Governance

We have implemented a governance program which facilitates senior management oversight of cybersecurity risk management. An operational risk group comprising senior SHCO Cyber Risk and third-party Cyber Risk professionals, together with the IT Infrastructure lead, meets monthly to review emerging risks, progress with mitigation of identified risks and prioritization of risk reduction activities. The output from this group is shared quarterly with the Cyber Security Risk Committee (CSRC), a Board Sub-Committee which comprises the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Technology Officer (CTO), Chief Legal Officer (CLO) and Director of Information Security. The CSRC is responsible for reviewing the top strategic cyber risks, progress against cyber maturity improvement and recommending funding and resource requirements. The CSRC reports twice per year to the Audit Committee and the Board. The CSRC is also the body that collectively assesses materiality in the event of a cybersecurity incident and meets as required to assess materiality.

Management's role and relevant experience in assessing and managing cybersecurity

The NIST CSF is used to assess cybersecurity maturity. An initial baseline assessment has been used to inform our Cybersecurity Strategy, and periodic assessments are used to update the NIST CSF scoring. These assessments are carried out by an independent third party to provide appropriate objectivity and challenge. In addition, we are progressing towards certification to the international information security management standard ISO27001 and the related standard ISO27701 for privacy information management. Execution of our cybersecurity strategy is overseen by our Director of Information Security, who is a qualified CSIM, CISA and a Fellow of the UK Chartered Institute of Information Security and has over 30 years of experience in cyber security. The Director of Information Security provides the CTO with periodic updates and also chairs the Cyber Security Risk Committee, which provides a forum for senior management to discuss cyber risk management in greater detail.


Company Information

Name: Soho House & Co Inc.
CIK: 0001846510
SIC Description: Hotels & Motels
Ticker: SHCO - NYSE
Website:
Category: Emerging growth company
Fiscal Year End: January 1