Page last updated on February 24, 2026
Light & Wonder, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 16:23:26 EST.
Filings
10-K filed on 2026-02-24
Light & Wonder, Inc. filed a 10-K at 2026-02-24 16:23:26 EST
Accession Number: 0000750004-26-000012
Item 1C. Cybersecurity.
Risk Management and Strategy

We have developed, implemented and maintained robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. These measures are included within our overall risk management process. As part of this process, all detected cybersecurity threats and incidents are logged and escalated to the Chief Information Security Officer ("CISO") and Chief Compliance Officer, who report to our Chief Legal Officer. Annually or more frequently if needed, the CISO meets with the other stakeholders to assemble the company's Risk Register. Cyber risks are an integral part of this process, and the CISO and their team regularly assess the current cyber risk landscape, assess L&W's susceptibility to those cyber risks and use that analysis in assembling the Risk Register.

We follow a formal cybersecurity incident response policy, which provides for use of third-party service providers where appropriate. Our cybersecurity incident response policy incorporates recommendations from the International Organization for Standardization ("ISO") and the NIST, and it includes proactive steps to prepare for attempts to compromise our information systems.

To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and to protect against, detect and respond to cybersecurity incidents, we undertake the below activities, among others:

- monitor emerging data protection laws and implement changes to our processes designed to comply;
- undertake an annual risk assessment and review of our consumer facing policies, business changes and statements related to cybersecurity, or more frequently as needed;
- proactively inform our customers of substantive changes related to customer data handling;
- conduct annual customer data handling and use requirements training for our employees and contingent workers;
- conduct annual cybersecurity management and incident training for employees and contingent workers involved in our systems and processes that handle sensitive data;
- conduct regular phishing email simulations for employees and contingent workers with access to corporate email systems to enhance awareness and responsiveness to such threats;
- through policy, practice and contract (as applicable) require employees, as well as third parties who provide services on our behalf, to treat customer information and data in accordance with local laws and regulations;
- run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies; and
- use an internal incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident.

We use third-party vendors or service providers to perform certain services, including regular assessments of our cybersecurity program such as cyber maturity assessments and penetration tests; evaluation and approval of our critical business partners and vendors; and participating in incident response processes.
As part of our cybersecurity incident response policy, we identify, evaluate and mitigate risks posed from engaging with third-party vendors and service providers.

As of December 31, 2025, we are not aware of any cybersecurity incident in the past year that materially affected or was reasonably likely to materially affect our operations, business, results of operations, cash flows or financial condition.

Governance and Oversight

The Board of Directors is central to oversight of cybersecurity risks. The Board of Directors is composed of members with diverse expertise, including risk management, technology, finance and legal, and they have appropriate access to management and third parties (as deemed necessary), equipping them to oversee cybersecurity risks effectively. Day-to-day cybersecurity monitoring and oversight activities are delegated to management.

Our CISO is primarily responsible for assessing, monitoring and managing cybersecurity risks, including those presented by third-party vendors or service providers, as well as overseeing employee training programs. Our CISO has served in this role since July 2019, has a Master's Degree in Information Security from the University of London, has been working in technology risk management since the early 1990s, holds Certified Information Systems Security Professional status and is a member in good standing of the Institute of Electrical and Electronics Engineers ("IEEE") and the International Information System Security Certification Consortium ("ISC2"). The CISO reports at least annually to the Board of Directors on material cyber risks, including those identified in our business and rising threats, and the current state of L&W's information security.

The CISO and his team evaluate quantitative and qualitative factors to determine if a cybersecurity threat or incident needs to be escalated to other members of management and ultimately to the Board of Directors.
The factors evaluated include but are not limited to: actual or potential monetary damages, number of impacted employees or customers, nature of the records compromised, potential impact on customer relationships, public knowledge and likely effect on L&W's reputation. Depending on the severity of the impact on these factors, management, including the CISO, Chief Compliance Officer and CAO, meets as part of a management committee to determine if an incident is material. In the event the management committee determines that a cybersecurity incident or threat is material, the incident or threat is elevated and reviewed with our Board of Directors. The management committee reports all incidents requiring a materiality assessment to the Chief Legal Officer, regardless of whether such committee ultimately determines a cybersecurity incident to be material.

For additional information regarding how cybersecurity threats could materially affect or are reasonably likely to materially affect our business strategy, results of operations or financial condition, see the risk factors captioned "Our success depends on the security and integrity of the systems and products we offer, and security breaches, including cybersecurity breaches, or other disruptions could compromise our information or the information of our customers and expose us to liability, which would cause our business and reputation to suffer," "We rely on information technology and other systems, and any failures in our systems or errors, defects or disruptions in our products and services could diminish our brand and reputation, subject us to liability and have disrupted and could disrupt our business and adversely impact our results," and "If we, our third-party vendors or service providers, our customers or a company we acquire sustains cyber-attacks or other privacy or security incidents, including those that result in security breaches, we could suffer a loss of sales and increased costs, exposure to significant liability, reputational harm, regulatory fines or punishment and other negative consequences" under the heading "Risk Factors" in Part I, Item 1A of this Annual Report on Form 10-K for additional information.

Company Information
| Name | Light & Wonder, Inc. |
| CIK | 0000750004 |
| SIC Description | Services-Computer Integrated Systems Design |
| Ticker | LAWIL - OTC; LNWO - OTC |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |