MARRIOTT INTERNATIONAL INC /MD/ 10-K Cybersecurity GRC - 2026-02-10

Page last updated on February 10, 2026

MARRIOTT INTERNATIONAL INC /MD/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-10 13:35:55 EST.

Filings

10-K filed on 2026-02-10

MARRIOTT INTERNATIONAL INC /MD/ filed a 10-K at 2026-02-10 13:35:55 EST
Accession Number: 0001048286-26-000007


Item 1C. Cybersecurity.

Risk Management and Strategy

We manage risks from cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K, through our overall enterprise risk management process, which is overseen by our Board. As part of our enterprise risk management process, management has established a global information security program, which encompasses a dedicated team and policies, procedures, and processes for assessing, identifying, and managing risks from cybersecurity threats. These policies, procedures, and processes are informed by recognized frameworks established by the National Institute of Standards and Technology ("NIST") and the International Organization for Standardization, as well as other relevant standards. Our program is designed to maintain the confidentiality, integrity, security, and availability of the data that is created, collected, stored, and used to operate our business.

We assess, identify, and manage risks from cybersecurity threats through various mechanisms, which from time to time may include tabletop exercises, business unit assessments, control gap analyses, threat modeling, impact analyses, internal audits, external audits, vulnerability scans, penetration tests, and engagement of third parties to conduct analyses of our information security program. We obtain cybersecurity threat intelligence from recognized forums, third parties, and other sources as part of our risk assessment process. We also maintain a risk-based approach for assessing, identifying, and managing risks from cybersecurity threats associated with key third-party service providers, hotel owners, and other companies with whom we do business.

With respect to information security incident response, we maintain a Global Information Security & Privacy Incident Response Plan ("IRP"), which applies to information security incidents involving properties owned, leased, or managed by Marriott, as well as our above-property business locations.
Our IRP sets out a coordinated, multi-functional approach for investigating, containing, and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate.

For properties that are not owned, leased, or managed by Marriott, the franchisees, licensees, or other applicable counterparties are generally responsible for information security at such properties and the systems and business processes related to information security that are under their direction and control. Franchisees and licensees are typically required to comply with Marriott brand standards relating to information security, which include an obligation to report relevant information security incidents to us.

In the 2024 fourth quarter, we reached final resolutions with the FTC and the AG Offices in relation to the Data Security Incident. The resolutions with the FTC and the AG Offices include various long-term requirements relating to our data privacy and information security programs.

We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our overall business strategy, results of operations, or financial condition over the long term. However, there can be no assurance that we, our hotel owners, our third-party service providers, or other companies with whom we or they do business, will not experience a cybersecurity threat or incident in the future that could materially adversely affect our business strategy, results of operations, or financial condition.
See the discussion about the Starwood Data Security Incident under the "Litigation, Claims, and Government Investigations" caption in Note 7 to our financial statements, the discussion of the same in Part II, Item 7, "Management's Discussion and Analysis of Financial Condition and Results of Operations," and the discussion of cybersecurity risk in Part I, Item 1A, "Risk Factors."

Governance

Our Board has established a Technology and Information Security Oversight Committee ("TISOC") to assist the Board in providing oversight of matters pertaining to technology platforms and systems, information security, and privacy, including risks from cybersecurity threats; management's efforts to monitor, provide governance over, and mitigate those risks; significant cybersecurity incidents; and emerging technology and trends, including AI. The TISOC meets at least four times per year and receives reports from our global information security team and other members of management about these matters. The Board's Audit Committee, which assists the Board in providing oversight of matters pertaining to the Company's internal control environment, compliance with legal and regulatory requirements, and risk assessment policies and procedures, receives reports regarding information security and technology-related audits conducted by our internal audit department. Risks from cybersecurity threats are also discussed with the full Board as part of regular legal updates and management presentations, the Board's oversight of enterprise risk management, and periodic education sessions.

To establish, implement, and evaluate our risk management policies and practices with respect to cybersecurity threats, and to facilitate the communication of such matters to the Board, the TISOC, and the Audit Committee, as applicable, we have established a number of management committees, several of which include senior leaders and direct reports of the Company's President and CEO, that serve as our policymaking and management-level governing bodies with respect to our information security, data privacy, and AI programs; oversee the implementation of our information security, data privacy, and AI risk management strategy; and identify, consider, and escalate information security, data privacy, and AI issues that may arise in our business.

Our global information security team led by our Chief Information Security Officer ("CISO") works in coordination with these management committees and other cross-functional teams and is principally responsible for overseeing our information security strategy, working collaboratively with business leaders across the organization to assess, identify, and manage risks from cybersecurity threats, and to address cybersecurity incidents when they arise. Our information security program is operated on a 24/7 basis to address risks from cybersecurity threats and to respond to cybersecurity incidents globally. Cybersecurity incidents are escalated to our CISO and members of our global information security team, members of senior management, and members of the Board to the extent required under our IRP.

Our CISO and other members of senior management responsible for our information security program have extensive experience assessing and managing risks from cybersecurity threats, including decades of experience in information technology and information security positions; serving in information technology leadership positions at other large public companies; and having other significant experience in the areas of risk management, information technology, and information security.

Our current CISO will be departing the Company voluntarily in late February 2026 for a position in another industry. We are undertaking a search for his replacement and expect to appoint a new CISO. Prior to such appointment, we intend to appoint an information security professional with appropriate expertise to act in an interim capacity to oversee our global information security program who will report to our Global Chief Information Officer and perform the CISO functions.


Company Information

Name: MARRIOTT INTERNATIONAL INC /MD/
CIK: 0001048286
SIC Description: Hotels & Motels
Ticker: MAR - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31