Booking Holdings Inc. 10-K Cybersecurity GRC - 2026-02-18

Page last updated on February 18, 2026

Booking Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-18 17:13:01 EST.

Filings

10-K filed on 2026-02-18

Booking Holdings Inc. filed a 10-K at 2026-02-18 17:13:01 EST
Accession Number: 0001075531-26-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We are dedicated to managing cybersecurity, privacy, and data protection and security risks. We employ various tools, processes, technologies, and controls to identify and manage such risks. Cybersecurity risk is generally integrated into our overall risk management processes. The Company's management-level risk committee (which includes representation from senior management in the finance, internal audit, cybersecurity, and legal functions, among others) identifies and assesses key risks facing the organization. This committee is tasked with ensuring risks, including those related to cybersecurity, are managed and aligning strategic objectives with an appropriate level of risk tolerance. The Company's internal audit function, with primary oversight by the Audit Committee, reviews and audits various aspects of the Company's risk management program to evaluate whether cybersecurity risks are appropriately identified and managed. The Cyber Risk Management Policy establishes the framework for our cybersecurity risk management and governance, and our security teams operationalize the policy across the Company and conduct cyber risk identification, assessment, management, and reporting. Our privacy teams are responsible for managing data protection risks, including tracking certain risks across the business. We leverage the National Institute of Standards and Technology ("NIST") frameworks for cybersecurity and privacy. We annually measure our security and privacy program maturity against the NIST frameworks and engage a third party every other year to assess against these frameworks. The results of these assessments are discussed with the Board of Directors and the Cybersecurity Subcommittee of the Audit Committee. Our processes for managing cybersecurity risks are embedded across our business. Among other things, we require all employees to complete regular data security and privacy trainings, and conduct phishing tests and specialized training such as secure coding training for our developers. We also undertake various integrated planning and preparedness activities, such as tabletop simulations, vulnerability tests, and red team exercises to evaluate the effectiveness of our security and privacy program and improve our security measures and planning. Our security teams have established procedures for identifying and managing cybersecurity incidents. We also maintain incident response and recovery plans for critical systems that address our response to a cybersecurity incident, and such plans are tested and evaluated on a periodic basis. Incidents are first triaged for severity, and then assessed and escalated as appropriate by a cross functional working group of security, privacy, and legal personnel (consulting with outside counsel or experts as appropriate). Our internal audit function performs its own cybersecurity and privacy audits and reviews certain related practices as part of assessing our internal control over financial reporting. From time to time we have taken steps to improve our practices and remedy deficiencies that have been identified. Our enterprise-wide information security program is also independently assessed every other year by a third party as part of our enterprise risk management, and the Cybersecurity Subcommittee reviews the findings. Third-party service providers upon which we depend, including global distribution systems ("GDSs"), payment service providers, and computerized central travel reservation systems, may access our data and connect to our computer networks. We define confidentiality, security, and privacy requirements through our contracting processes and perform third-party cyber risk assessments to monitor such third parties as needed. Although we expend significant resources to protect against security breaches, our existing security measures have not been and may not be successful in preventing all attacks. We have experienced cybersecurity incidents and threats. We do not believe these incidents have had a material adverse effect on our Company, including our business, results of operations, or financial condition. However, the threat landscape is continuously evolving and we, along with others operating digital platforms, face persistent and increasingly sophisticated threats. See Part I, Item 1A, Risk Factors - "Information Security, Cybersecurity, and Data Privacy Risks." Governance The Board and Audit Committee are responsible for oversight related to cybersecurity, privacy, and data protection and security. The Cybersecurity Subcommittee of the Audit Committee oversees management's efforts and processes to identify, assess, and manage significant cybersecurity and privacy risks and regulatory developments. Cybersecurity and privacy leaders meet with the Cybersecurity Subcommittee to discuss the steps management has taken to manage relevant risk exposures and their potential impact on the Company's business, operations, and reputation. The Cybersecurity Subcommittee reports periodically on these matters to the Audit Committee and the Board. 20 The individuals serving in the roles of chief security officer and chief privacy officer have enterprise-wide responsibility for managing cybersecurity, data protection and security, and privacy risks, respectively. These leaders collectively have over 25 years of relevant work experience in public companies and extensive industry expertise.

Company Information