Flutter Entertainment plc 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Flutter Entertainment plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:14:29 EST.

Filings

10-K filed on 2026-02-26

Flutter Entertainment plc filed a 10-K at 2026-02-26 16:14:29 EST
Accession Number: 0001635327-26-000005

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy The secure collection, maintenance, processing and transmission of confidential and sensitive information, including personal data, is a critical element of our operations. We rely on encryption and authentication technology licensed from third parties in an effort to securely transmit certain confidential and sensitive information, including credit card numbers. Our information technology and other systems, and those of our third-party service providers, that collect, maintain, process and transmit customer, employee, service provider and business partner information are susceptible to increasing threats of continually evolving cybersecurity risks. Third-party supply risk is managed by functional teams for the Group. Our third-party risk management process ensures that we evaluate relevant third-party cybersecurity controls through a cybersecurity questionnaire. Risks are identified and assessed, and we include security addendums to our contracts where applicable. We have worked to develop and further implement our supplier-risk framework to help us to manage our suppliers more holistically across the lifecycle. In addition, we have an external third-party threat intelligence service that monitors the dark web and other intelligence sources to provide real-time threat information to the Group and for selected critical suppliers. This information is a proactive position on cyber threats. Intelligence is acted upon and disseminated to the relevant functional teams for action and information. We have an established cyber risk appetite, framework and policies to support risk-based decisions on where and how to allocate security resources. Our cyber risk framework and associated policies and standards are modelled after established industry frameworks, including the National Institute of Standards and Technology Cyber Security Framework (NIST CSF 2.0). The management of cybersecurity related risks is integrated into our overall enterprise risk management process. Risks are regularly identified, assessed, monitored and reported on to ensure that we are able to allocate security resources appropriately. Risks get reported at divisional, executive and Board risk committees. We are regularly audited by various internal and external bodies that validate compliance with regulatory requirements and industry standards. We perform periodical internal assessments of the design and operating effectiveness of our cybersecurity controls, including penetration testing. Dedicated cyber teams in each division and at the Group level perform assurance activities against the Flutter cyber risk and control framework. A dedicated, independent IT internal audit team performs several audits each year on a risk-based approach to key and changing cyber risks. Internal audit's audit plan frequently covers cyber domains such as: patch and vulnerability, cyber threat management, security incident management, access management, network security, data loss prevention and business continuity planning. Agreed improvements are tracked through to completion. We have specialist security teams located in key locations to respond to security incidents should they occur. We maintain cyber insurance to further reduce the consequences of certain types of incidents, and we disclose material incidents to relevant regulatory bodies. We have third-party providers who provide real-time and proactive threat and intelligence and retainer services that assist in forensics and incident support alongside retained legal counsel services. As cybersecurity threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities. At this time, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. That said, as discussed more fully under "Item 1A. Risk Factors," the sophistication of cyber threats continues to increase, and we cannot assure that our systems and processes will be successful, that we will be able to anticipate or detect all cyberattacks or other breaches, that we will be able to react to cyberattacks or other breaches in a timely manner or that our remediation efforts will be successful. Governance Role of Management The Group Chief Information Security Officer ("Global CISO") oversees the Group's cybersecurity program, providing strategic direction and coordination across the Group and its divisions. This includes oversight of security operations, client data protection, cyber risk management and risk reduction initiatives, risk assurance activities, and incident response and reporting across the Group. Our Global CISO has over 20 years of extensive experience in cyber security domains and in senior leadership roles in the financial, media and government sectors. Our Global CISO reports to our Chief Information Officer ("CIO") and is supported by divisional information security teams, including over 250 cybersecurity specialists, responsible for identifying, assessing and managing cybersecurity risks within their respective businesses in accordance with Group policies and standards. Material cybersecurity incidents and risks are escalated through defined reporting protocols to the Global CISO and CIO in accordance with the Group's governance processes. To provide transparency and track the continuous management of cybersecurity risks across the Group, a council of divisional directors of information security, chaired by our Global CISO, meets regularly and forms the membership of the Global Cyber Council ("GCC"). The GCC meets regularly to review the Group's cybersecurity risk profile, threat landscape, key risk indicators, significant incidents and remediation activities, and to set collective priorities for all brands. Role of the Board The Board oversees cyber security risk as part of its overall risk management framework, with specific oversight provided by Risk and Sustainability Committee. The Risk and Sustainability Committee is responsible for the review and oversight of issues related to the key technology risks facing the Company, including, but not limited to, the Company's programs, policies, practices and safeguards for information technology, data privacy and protection, cybersecurity and fraud, identification, assessment, monitoring, mitigation and the overall management of those risks, and the Company's cyberattack incident response and recovery plan. The Risk and Sustainability Committee receives regular updates from the Global CISO and CIO on, among other things, our divisional and Group-wide cyber risks, divisional progress on cyber initiatives, external insights, incident updates and post incident reviews, our cyber strategy and our views of the emerging threat landscape. In addition, the Board receives regular updates via the Chair of the Risk and Sustainability Committee and various management committees, including Group internal audit, Group Risk and Group internal controls, and annual updates from the Global CISO and CIO on the state of cybersecurity across the Group. We have protocols by which cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, reported promptly to the Board.

Company Information