Page last updated on February 13, 2026
Hyatt Hotels Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-13 06:06:38 EST.
Filings
10-K filed on 2026-02-13
Hyatt Hotels Corp filed a 10-K at 2026-02-13 06:06:38 EST
Accession Number: 0001468174-26-000007
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information, including guest and colleague information. We design and assess our security program using an internally developed risk management framework based on recognized industry security standards. The framework is the basis for our cybersecurity policy, cybersecurity standards, and our processes for managing exceptions to those policies. Additionally, a third-party assessment of our framework maturity is performed regularly by a professional advisory firm with cybersecurity expertise. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use recognized standards as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program is integrated into our overall risk management program, and shares common methodologies, reporting channels, and governance processes that apply across the risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Key elements of our cybersecurity risk management program include, but are not limited to, the following:
- cybersecurity and information technology governance, risk management, and compliance ("ITGRC") departments principally responsible for (i) our cybersecurity risk assessment, management, and compliance processes, (ii) the development and maintenance of our security controls, and (iii) our monitoring for and response to cybersecurity incidents;
- risk assessments designed to help identify material cybersecurity threats to our critical systems and information, including, but not limited to, risk and compliance assessments, security scanning and testing, and periodic updating of our risk management framework;
- the use of external service providers, where appropriate, to assess, evaluate, or otherwise assist with aspects of our security processes, including, but not limited to, cybersecurity tools and technology, cybersecurity services, threat intelligence information, professional services consulting, and contract staff augmentation;
- training of our employees in cybersecurity awareness and payment card compliance, such as training for incident response personnel, software developers, and senior management in cybersecurity-related topics including, but not limited to, incident response, secure software development, and training commensurate with job responsibilities;
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
- a third-party risk management program designed to evaluate the cybersecurity capabilities of key vendors based on our assessment of their criticality to our business and respective risk profile.
The franchisees, licensees, hospitality venture partners, or other applicable counterparties of properties that are not owned, leased, or managed by Hyatt are generally responsible for cybersecurity at such properties and the information systems, security measures, and related business processes that are under their direction and control. Franchisees, licensees, and hospitality venture partners are typically required to comply with Hyatt brand standards relating to cybersecurity, which include an obligation to report relevant information security incidents to us.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. There can be no assurance that our cybersecurity risk management program and processes, including our policies, procedures, standards, and controls, will be fully implemented, complied with, or effective in protecting our systems and information. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Part I, Item 1A, "Risk Factors-Risks Related to Our Business-Cyber risk and the failure to maintain the availability or security of our systems or customer, colleague, or Company data could adversely affect our business, harm our reputation, and/or subject us to costs, fines, penalties, investigations, enforcement actions, or lawsuits."
Cybersecurity Governance
Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and risks, including management's implementation of our cybersecurity risk management program.
Our board of directors and the Audit Committee receive periodic reports from our Chief Information Security Officer ("CISO") on our cybersecurity risks. In addition, our CISO updates the Audit Committee, when deemed appropriate, regarding cybersecurity incidents the CISO considers to be significant or potentially significant. The Audit Committee reports to the full board of directors regarding its activities, including those related to cybersecurity. The full board of directors also receives periodic briefings from management on our cyber risk management program. Board members receive presentations on cybersecurity topics from our CISO, internal cybersecurity personnel, and/or external experts as part of the board of directors' continuing education on topics that impact public companies.
Our cybersecurity department, comprised of various levels of management and led by our CISO, is responsible for assessing and managing our material risks from cybersecurity threats. The cybersecurity and ITGRC departments have primary responsibility for our overall cybersecurity risk management program and supervise both our internal cybersecurity personnel and our retained external cybersecurity consultants and suppliers. Our CISO and cybersecurity and ITGRC departments collectively possess relevant expertise in cybersecurity architecture, engineering, governance, risk management, compliance, operations, vulnerability management, third-party risk management, threat intelligence, and cloud security areas. Our CISO has more than twenty years of experience in information technology and/or information security, including more than eight years in such positions in the hospitality industry.
In addition, our cybersecurity and ITGRC departments provide reporting to our Risk Council that is led by our Senior Vice President of Internal Audit and is comprised of certain members of management from diverse functional areas and business units, including risk, finance, legal, accounting, tax, operations, cybersecurity, privacy, human resources, and environmental sustainability. The Risk Council is responsible for identifying, assessing, prioritizing, and monitoring critical risks of the Company. The Risk Council meets quarterly and assesses risks based on potential impact to the Company, both in terms of inherent risk, or the risk exposure without consideration for how the Company manages the risk, as well as residual risk, or the risk exposure remaining after consideration of the Company's existing risk mitigation efforts. The Risk Council periodically reports to the board of directors and the Audit Committee regarding the Company's risk management processes and procedures.
Our CISO and the personnel of our cybersecurity and ITGRC departments take steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our information technology environment.
Company Information
| Name | Hyatt Hotels Corp |
| CIK | 0001468174 |
| SIC Description | Hotels & Motels |
| Ticker | H - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |