Page last updated on February 25, 2026
Churchill Downs Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:36:42 EST.
Filings
10-K filed on 2026-02-25
Churchill Downs Inc filed a 10-K at 2026-02-25 16:36:42 EST
Accession Number: 0000020212-26-000025
Item 1C. Cybersecurity.
We maintain a comprehensive process for detecting, assessing, and managing material risks from cybersecurity threats as part of our overall enterprise risk management system and processes. Our Chief Technology Officer ("CTO") oversees our Chief Information Security Officer ("CISO") and a dedicated team of information security professionals who are responsible for our cybersecurity risk management program. Our CISO oversees our information security professionals' efforts to prevent, detect, mitigate, and remediate cybersecurity and other emerging technology risks and incidents and the efforts for assessing and managing our material risks from cybersecurity threats. Our cybersecurity and risk management program includes technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools, and related services from third-party providers. Our CISO has over twenty years of extensive experience in information technology and security.

Our cybersecurity risk management program is informed in part by the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF") as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. This does not mean that we meet any particular technical standards, specifications, or requirements of the NIST CSF. We routinely engage consultants and other third parties to assist with our cybersecurity risk management, including third-party penetration tests of our various information technology environments and certain assessments from time to time to assist us in evaluating our program against various industry or best practice standards.

Our cybersecurity risk management program includes certain components to assist in managing third-party risk. For example, we require contracts with certain third-party vendors that have access to confidential data or key systems to include certain minimum data protection and notification requirements, where applicable. We also carry cybersecurity insurance with coverage for costs associated with a cybersecurity incident.

We have established an incident response plan to address and guide our employees and management on our response to a cybersecurity incident. The Company has two management committees that assist with cybersecurity incidents and cybersecurity and privacy risk management. These committees consist of senior leadership and cross-functional members from across our organization. The Consumer Data Privacy Committee assists with identifying and managing consumer data privacy issues. The Cybersecurity Disclosure Committee ("CD Committee") assists senior management in fulfilling their responsibilities for oversight of the accuracy and timeliness of disclosures made by the Company in response to cybersecurity incidents and vulnerabilities. In the event a potentially significant cybersecurity incident is identified by our information security team, such incident is reported to the CD Committee to consider applicable disclosures, with the assistance of outside counsel as needed.

Senior leadership also prepares an enterprise risk management report identifying and evaluating enterprise risks, including cybersecurity risks, which is regularly presented to the Audit Committee. Our executive leadership team, along with oversight from the Audit Committee of the Board of Directors, are responsible for our overall enterprise risk management system and processes and regularly consider cybersecurity risks in the context of other material risks to the Company. The Audit Committee oversees the processes by which management assesses the Company's exposure to cybersecurity risks and evaluates the guidelines and policies governing the Company's monitoring, control, and minimization of such risks. Our CTO regularly reports to the Audit Committee regarding cybersecurity matters.

As of the date of this report, the Company is not aware of any cybersecurity risks that have, or are reasonably likely to, materially affect us, our business strategy, results of operation, or financial condition. Although we have invested in information security and monitor our systems on an ongoing basis, there can be no guarantee that such efforts will in the future prevent compromises to our information technology systems that could have a material adverse effect on our business. For additional information concerning cybersecurity risks we face, refer to Part I, Item 1A, Risk Factors.
Company Information
| Name | Churchill Downs Inc |
| CIK | 0000020212 |
| SIC Description | Services-Racing, Including Track Operation |
| Ticker | CHDN - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |