Flutter Entertainment plc 10-K Cybersecurity GRC - 2024-03-26

Page last updated on April 11, 2024

Flutter Entertainment plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-26 06:09:58 EDT.

Filings

10-K filed on 2024-03-26

Flutter Entertainment plc filed an 10-K at 2024-03-26 06:09:58 EDT
Accession Number: 0001193125-24-076966

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy The secure collection, maintenance, processing and transmission of confidential and sensitive information, including personal data, is a critical element of our operations. We rely on encryption and authentication technology licensed from third parties in an effort to securely transmit certain confidential and sensitive information, including credit card numbers. Our information technology and other systems, and those of our third-party service providers, that collect, maintain, process and transmit customer, employee, service provider and business partner information are susceptible to increasing threats of continually evolving cybersecurity risks. Third-party supply risk is managed by functional teams for the Group. Our third-party risk management process ensures that we evaluate relevant third-party cybersecurity controls through a cybersecurity questionnaire. Risks are identified and assessed, and we include security addendums to our contracts where applicable. We have worked to develop and further implement our supplier-risk framework to help us to manage our suppliers more holistically across the lifecycle. In addition, we have an external third-party threat intelligence service that monitors the dark web and other intelligence sources to provide real-time threat information to the Group and for selected critical suppliers. This information is a proactive position on cyber threats. The intelligence is acted upon and disseminated to the relevant functional teams for action and information. 76 Table of Contents We have an established cyber risk appetite, framework and policies to support risk-based decisions on where and how to allocate security resources. The management of cybersecurity related risks is integrated into our overall enterprise risk management process. Risks are regularly identified, assessed, monitored and reported on to ensure that we are able to allocate security resources appropriately. Risks get reported at divisional, executive and Board risk committees. We are regularly audited by various internal and external bodies that validate compliance with regulatory requirements and industry standards. We perform periodical internal assessments of the design and operating effectiveness of our cybersecurity controls, including penetration testing. Dedicated cyber teams in each division and at the Group level perform assurance activities against the Flutter cyber risk and control framework. A dedicated, independent IT internal audit team performs several audits each year on a risk-based approach to key and changing cyber risks. Internal audits cover a variety of areas, including: patch and vulnerability, cyber threat management, security incident management, access management, network security, data loss prevention and business continuity planning. All findings are tracked to resolution to continually improve our cybersecurity maturity. We have specialist security teams available 24/7 around the world to respond to security incidents should they occur. We maintain cyber insurance to further reduce the consequences of certain types of incidents, and we disclose material incidents to relevant regulatory bodies. We have third-party providers who provide real-time and proactive threat and intelligence and retainer services that assist in forensics and incident support alongside retained legal counsel services. As cybersecurity threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities. We have engaged a third party to enhance our procurement operations model and processes. These enhancements include: The extension of the rollout of tools across the business to strengthen the controls around spend governance in areas such as contract pre-approval and spend authorization. The implementation of tools to risk-assess critical suppliers globally and help identify mitigation strategies to protect supply. The formation of cross-disciplinary supplier risk forums to routinely monitor the global supplier risk landscape for developments and help manage emerging threats. At this time, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. That said, as discussed more fully under Item 1A. Risk Factors, the sophistication of cyber threats continues to increase, and we cannot assure that our systems and processes will be successful, that we will be able to anticipate or detect all cyberattacks or other breaches, that we will be able to react to cyberattacks or other breaches in a timely manner or that our remediation efforts will be successful. Governance Role of Management The Group Chief Information Security Officer (CISO) is responsible for the Group s cyber strategy and policies and supporting risk, assurance and reporting processes. Our CISO has over 20 years of extensive experience in cyber security domains and information security as Group CISO, and in senior leadership roles in the financial and technology sectors, alongside a previous career in military intelligence. In addition, there are divisional chief information security officers who are supported by over 250 cybersecurity specialists are employed across Flutter to support the implementation of our cyber strategy. 77 Table of Contents We have established an Operational Risk and Compliance Committee ( ORCC ), which includes our Chief Financial Officer, Chief Legal Officer, Chief Operating Officer, Chief Information Officer (CIO), and Group directors across all functional teams. This committee, which meets monthly, oversees how risk and compliance standards are operationalized and enforced throughout the Group, including the implementation of risk mitigation activities where required. Areas that the ORCC covers, among others, include the Group s cybersecurity risk and control environment and the enterprise risks and control environment of technology and legal risks. Role of the Board The Risk and Sustainability Committee is responsible for the review and oversight of issues related to the key technology risks facing the Company, including, but not limited to, the Company s programs, policies, practices and safeguards for information technology, data privacy and protection, cybersecurity and fraud, identification, assessment, monitoring, mitigation and the overall management of those risks, and the Company s cyberattack incident response and recovery plan. The Risk and Sustainability Committee receives standing quarterly updates from the CISO and CIO on, among other things, our divisional and Group-wide cyber risks, divisional progress on cyber initiatives, external insights, incident updates and post incident reviews, our cyber strategy and our views of the emerging threat landscape. In addition, the Board receives regular updates via the Chair of the Risk and Sustainability Committee and various management committees, including the ORCC, Group internal audit, Group Risk and Group internal controls, and annual updates from the CISO and CIO on the state of cybersecurity across the Group. The Board is also notified of any relevant issues or incidents.

Company Information