Page last updated on February 26, 2026
PENN Entertainment, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:16:46 EST.
Filings
10-K filed on 2026-02-26
PENN Entertainment, Inc. filed a 10-K at 2026-02-26 16:16:46 EST
Accession Number: 0000921738-26-000008
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
Item 1C. Cybersecurity of this Annual Report on Form 10-K for additional detail regarding the programs, policies, and procedures we have in place to identify, prevent and detect any breaches, viruses, or other forms of unauthorized access. The steps we take to deter and mitigate the risks of attacks may not be successful, and any resulting compromise or loss of data or systems could adversely impact operations or regulatory compliance and could result in remedial expenses, fines, litigation, disclosures, and loss of reputation, potentially impacting our financial results. Further, as cyber-attacks continue to evolve, we may incur significant costs in our attempts to modify or enhance our protective measures or investigate or remediate any actual or perceived vulnerability. Increased instances of cyber-attacks may also have a negative reputational impact on us and our properties that may result in a loss of customer confidence and, as a result, may have a material adverse effect on our business, financial condition, and results of operations. Moreover, the rapid evolution and increased use of artificial intelligence technologies amplify these cybersecurity risks. We have experienced attempts by unauthorized third parties to damage, exploit, disrupt or gain access to our networks, our products and services, consumer information, and our supporting infrastructure, including accessing user accounts by illicitly purchasing identification and password credentials on the dark web. While to date none of these incidents has had a material impact on us, we expect to continue to be targeted in the future. Any failure to prevent or mitigate security breaches or cyber risk could result in interruptions to the services we provide, degrade the user experience, and cause our users to lose confidence in our products and services. The unauthorized access, acquisition or disclosure of consumer information could compel us to comply with disparate breach notification laws and otherwise subject us to proceedings by governmental entities, including gaming regulatory authorities, or others, and substantial legal and financial liability. This could harm our business and reputation, disrupt our relationships with partners and diminish our competitive position. We have begun using artificial intelligence, machine learning, data science and similar technologies in our business, and challenges with properly managing such technologies could result in reputational harm, competitive harm, and legal liability, and adversely affect our results of operations. We have begun using artificial intelligence (including generative artificial intelligence), machine learning, data science and similar technologies (collectively, "artificial intelligence") in our technology and infrastructure, which may become more prominent in and important to our operations over time. Our competitors or other third parties may incorporate artificial intelligence in a similar or different manner and may do so more rapidly or more successfully than us, which could adversely affect our ability to compete effectively and our results of operations. Additionally, if the content, analyses, materials, software or recommendations that artificial intelligence produces or assists in producing are, or are alleged to be, infringing or otherwise violating of others' rights (including intellectual property rights), or illegal, we may be subject to legal liability or our business, reputation, financial condition and results of operations may otherwise be adversely affected. The use of artificial intelligence can lead to unintended consequences, including the generation of outputs, such as "hallucinations," that appear correct but are factually inaccurate, misleading or are otherwise flawed, which could harm our reputation and business. The content, analysis, materials, software, recommendations and other outputs produced by artificial intelligence may be subject to limited or no intellectual property or other proprietary protection. We may lose intellectual property and other proprietary rights in any data, content, confidential information, trade secrets or other materials that we provide as inputs to artificial intelligence technology. If we are unable to assert proprietary rights in such outputs or inputs against use by third parties, we may experience competitive harm, and our financial condition and results of operations may be adversely affected. In addition, the use of artificial intelligence may result in violations of applicable data security or data privacy laws, or in cybersecurity incidents that implicate the personal data of end customers, employees or other third parties, as well as potential gaming regulatory violations. Any such violation or cybersecurity incidents related to our use of artificial intelligence could result in legal liability or otherwise adversely affect our reputation and results of operations. If our use of artificial intelligence becomes controversial, we may experience brand or reputational harm or competitive harm. Also, artificial intelligence is subject to a dynamic and rapidly evolving legal and regulatory environment, the extent and scope of which may in many instances be uncertain and may vary (or conflict) across jurisdictions. Compliance with existing and potential government regulation of artificial intelligence may require significant resources, including to develop, test and maintain platforms, offerings, services, and features to help us implement and use artificial intelligence in accordance with applicable law, and to help minimize other potential adverse effects on our results of operations. ITEM 1B. UNRESOLVED STAFF COMMENTS None. ITEM 1C. CYBERSECURITY Cybersecurity represents a critical component of the Company's overall approach to risk management. The Company's cybersecurity policies, standards, and practices are integrated into the Company's enterprise risk management ("ERM") approach, and cybersecurity risks are among the core enterprise risks that are subject to oversight by the Board. The Company's cybersecurity policies, standards, and practices are intended to align with recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization, and other applicable industry standards. The Company generally approaches cybersecurity threats through a cross-functional, multilayered approach, with the specific goals of: (i) identifying, preventing, and mitigating cybersecurity threats to the Company; (ii) preserving the confidentiality, integrity, security, and availability of the information that we collect and store to use in our business; (iii) protecting the Company's intellectual property; (iv) maintaining the confidence of our customers, clients, and business partners; and (v) providing appropriate public disclosure of cybersecurity risks, and incidents when required. Risk Management and Strategy Consistent with overall ERM policies and practices, the Company's cybersecurity program focuses on the following areas: - Vigilance: The Company maintains a global presence, with cybersecurity threat operations functioning 24/7 with the specific goal of identifying, preventing, and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with our established incident response and recovery plans. - Systems Safeguards: The Company deploys systems safeguards that are designed to protect the Company's information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti- malware functionality and access controls, which are evaluated and improved through regular vulnerability assessments and cybersecurity threat intelligence. - Collaboration: The Company utilizes collaboration mechanisms established with public and private entities, including intelligence and enforcement agencies, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks. - Third-Party Risk Management : The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, and other external users of the Company's systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. - Training: The Company provides training for personnel regarding cybersecurity threats, which is designed to reinforce the Company's information security policies, standards, and practices. This training includes certain periodic and mandatory training for Company personnel regarding cybersecurity threats as well as the handling and processing of payment cards. All periodic and mandatory training is scaled to reflect the roles, responsibilities and information systems access of applicable personnel. - Incident Response and Recovery Planning: The Company has established and maintains comprehensive incident response and recovery plans that address the Company's response to a cybersecurity incident and the recovery from a cybersecurity incident, and such plans are tested and evaluated on a regular basis. - Communication, Coordination and Disclosure: The Company utilizes a cross-functional approach to address the risk from cybersecurity threats, involving management personnel from the Company's technology, operations, legal, accounting, risk management, internal audit, and other key business functions, as well as the members of the Board and the Audit Committee of the Board in a dialogue regarding cybersecurity threats and incidents, while also implementing controls and procedures for the escalation of cybersecurity incidents pursuant to established thresholds designed to help ensure that decisions regarding the disclosure and reporting of such incidents can be made by management in a timely manner. - Governance: The Board's oversight of cybersecurity risk management is supported by the Audit Committee, which regularly interacts with the Company's ERM function, the Company's Chief Technology Officer, other members of management, and relevant management committees and councils, including the Company's Cyber Security Committee. A key part of the Company's strategy for managing risks from cybersecurity threats is the assessment and testing of the Company's processes and practices through auditing, assessments, tabletop exercises, threat modeling, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures. The Company engages third parties to perform assessments of our cybersecurity measures, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits, and reviews are reported to the Company's Cyber Security Committee, and when appropriate, the Audit Committee and the Board. The Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on the information provided by the assessments, audits, and reviews. Governance The Company's Cyber Security Committee , in coordination with the Board and Audit Committee, oversees the management of risks from cybersecurity threats, including the policies, standards, processes, and practices that the Company's Chief Technology Officer and its Chief Information Security Officer, in coordination with the Company's Cyber Security Committee, develop and implement to address risks from cybersecurity threats. The Board and the Audit Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to the Company's peers and third parties. The Board and the Audit Committee are also informed of identified cybersecurity incidents that meet established reporting thresholds, as well as ongoing updates regarding each such incident until it has been addressed. The Board discusses the Company's approach to cybersecurity risk management with the Company's Chief Technology Officer, and, as necessary, the Company's Chief Technology Officer meets with the Audit Committee to discuss cybersecurity risk management. The Company's Chief Technology Officer and its Chief Information Security Officer are members of the Company's management that are principally responsible for overseeing the Company's cybersecurity risk management program, in partnership with other business leaders across the Company. The Company's Chief Technology Officer serves as Chair of the Company's Cyber Security Committee and works in coordination with the other members of the Cyber Security Committee, which includes our Chief Technology Officer; Chief Information Security Officer; EVP, Chief Financial Officer; Chief Compliance Officer; Chief Accounting Officer; Chief Legal Officer; SVP of Operations; Deputy Chief Compliance Officer; SVP, Public Affairs; VP, Risk Management; VP, Internal Audit; and VP, Legal - Intellectual Property and Privacy, who also serves as the Company's Privacy Compliance Officer and Data Protection Officer. The Company's Chief Technology Officer, Aaron LaBerge, has served in various roles in information technology for over 25 years, including more than 20 years at The Walt Disney Company. Mr. LaBerge most recently served as President & Chief Technology Officer for Disney Entertainment and ESPN, where he was responsible for driving all technology and product development in support of the Walt Disney Company's two media divisions and oversaw all cybersecurity functions, and prior to that he served as Executive Vice President and Chief Technology Officer for ESPN where he was also responsible for cybersecurity matters. Mr. LaBerge holds a B.A. in electrical and computer engineering from the University of South Carolina. The Company's Chief Information Security Officer, David Lingenfelter, has served in various roles in information technology and information security for over 25 years, including Security Risk Assessor, Security Policy Development, and Security Architect, as well as serving as Vice President of Information Security and Product Security Officer for large public companies. Mr. Lingenfelter has also contributed to the development and review of various security-related publications including the National Institute of Standards and Technology, the International Organization for Standardization, and the Cloud Security Alliance, has served in numerous roles on various cybersecurity-related advisory boards, and holds a B.S. in Electrical Engineering from Fairleigh Dickinson University. The Company's Chief Technology Officer and Chief Information Security Officer, in coordination with the Company's Cyber Security Committee, work collaboratively across the Company to implement a program designed to protect the Company's information systems from cybersecurity threats and designed to allow the Company to promptly respond to any cybersecurity incidents in accordance with the Company's Security Incident Response Plan. To facilitate the success of this program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the Company's incident response and recovery plans. Through the ongoing communications from these teams, the Chief Technology Officer, the Chief Information Security Officer, and the Company's Cyber Security Committee monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents in real time, and report such incidents to the Audit Committee when appropriate. To date, we do not believe cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition; however, we could experience a cybersecurity incident that materially affects us in the future. See Item 1A. Risk Factors, "Risks Related to our Information Systems and Technology" for additional discussion of cybersecurity risks to our business.
ITEM 1C. CYBERSECURITY Cybersecurity represents a critical component of the Company's overall approach to risk management. The Company's cybersecurity policies, standards, and practices are integrated into the Company's enterprise risk management ("ERM") approach, and cybersecurity risks are among the core enterprise risks that are subject to oversight by the Board. The Company's cybersecurity policies, standards, and practices are intended to align with recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization, and other applicable industry standards. The Company generally approaches cybersecurity threats through a cross-functional, multilayered approach, with the specific goals of: (i) identifying, preventing, and mitigating cybersecurity threats to the Company; (ii) preserving the confidentiality, integrity, security, and availability of the information that we collect and store to use in our business; (iii) protecting the Company's intellectual property; (iv) maintaining the confidence of our customers, clients, and business partners; and (v) providing appropriate public disclosure of cybersecurity risks, and incidents when required. Risk Management and Strategy Consistent with overall ERM policies and practices, the Company's cybersecurity program focuses on the following areas: - Vigilance: The Company maintains a global presence, with cybersecurity threat operations functioning 24/7 with the specific goal of identifying, preventing, and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with our established incident response and recovery plans. - Systems Safeguards: The Company deploys systems safeguards that are designed to protect the Company's information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti- malware functionality and access controls, which are evaluated and improved through regular vulnerability assessments and cybersecurity threat intelligence. - Collaboration: The Company utilizes collaboration mechanisms established with public and private entities, including intelligence and enforcement agencies, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks. - Third-Party Risk Management : The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, and other external users of the Company's systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. - Training: The Company provides training for personnel regarding cybersecurity threats, which is designed to reinforce the Company's information security policies, standards, and practices. This training includes certain periodic and mandatory training for Company personnel regarding cybersecurity threats as well as the handling and processing of payment cards. All periodic and mandatory training is scaled to reflect the roles, responsibilities and information systems access of applicable personnel. - Incident Response and Recovery Planning: The Company has established and maintains comprehensive incident response and recovery plans that address the Company's response to a cybersecurity incident and the recovery from a cybersecurity incident, and such plans are tested and evaluated on a regular basis. - Communication, Coordination and Disclosure: The Company utilizes a cross-functional approach to address the risk from cybersecurity threats, involving management personnel from the Company's technology, operations, legal, accounting, risk management, internal audit, and other key business functions, as well as the members of the Board and the Audit Committee of the Board in a dialogue regarding cybersecurity threats and incidents, while also implementing controls and procedures for the escalation of cybersecurity incidents pursuant to established thresholds designed to help ensure that decisions regarding the disclosure and reporting of such incidents can be made by management in a timely manner. - Governance: The Board's oversight of cybersecurity risk management is supported by the Audit Committee, which regularly interacts with the Company's ERM function, the Company's Chief Technology Officer, other members of management, and relevant management committees and councils, including the Company's Cyber Security Committee. A key part of the Company's strategy for managing risks from cybersecurity threats is the assessment and testing of the Company's processes and practices through auditing, assessments, tabletop exercises, threat modeling, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures. The Company engages third parties to perform assessments of our cybersecurity measures, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits, and reviews are reported to the Company's Cyber Security Committee, and when appropriate, the Audit Committee and the Board. The Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on the information provided by the assessments, audits, and reviews. Governance The Company's Cyber Security Committee , in coordination with the Board and Audit Committee, oversees the management of risks from cybersecurity threats, including the policies, standards, processes, and practices that the Company's Chief Technology Officer and its Chief Information Security Officer, in coordination with the Company's Cyber Security Committee, develop and implement to address risks from cybersecurity threats. The Board and the Audit Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to the Company's peers and third parties. The Board and the Audit Committee are also informed of identified cybersecurity incidents that meet established reporting thresholds, as well as ongoing updates regarding each such incident until it has been addressed. The Board discusses the Company's approach to cybersecurity risk management with the Company's Chief Technology Officer, and, as necessary, the Company's Chief Technology Officer meets with the Audit Committee to discuss cybersecurity risk management. The Company's Chief Technology Officer and its Chief Information Security Officer are members of the Company's management that are principally responsible for overseeing the Company's cybersecurity risk management program, in partnership with other business leaders across the Company. The Company's Chief Technology Officer serves as Chair of the Company's Cyber Security Committee and works in coordination with the other members of the Cyber Security Committee, which includes our Chief Technology Officer; Chief Information Security Officer; EVP, Chief Financial Officer; Chief Compliance Officer; Chief Accounting Officer; Chief Legal Officer; SVP of Operations; Deputy Chief Compliance Officer; SVP, Public Affairs; VP, Risk Management; VP, Internal Audit; and VP, Legal - Intellectual Property and Privacy, who also serves as the Company's Privacy Compliance Officer and Data Protection Officer. The Company's Chief Technology Officer, Aaron LaBerge, has served in various roles in information technology for over 25 years, including more than 20 years at The Walt Disney Company. Mr. LaBerge most recently served as President & Chief Technology Officer for Disney Entertainment and ESPN, where he was responsible for driving all technology and product development in support of the Walt Disney Company's two media divisions and oversaw all cybersecurity functions, and prior to that he served as Executive Vice President and Chief Technology Officer for ESPN where he was also responsible for cybersecurity matters. Mr. LaBerge holds a B.A. in electrical and computer engineering from the University of South Carolina. The Company's Chief Information Security Officer, David Lingenfelter, has served in various roles in information technology and information security for over 25 years, including Security Risk Assessor, Security Policy Development, and Security Architect, as well as serving as Vice President of Information Security and Product Security Officer for large public companies. Mr. Lingenfelter has also contributed to the development and review of various security-related publications including the National Institute of Standards and Technology, the International Organization for Standardization, and the Cloud Security Alliance, has served in numerous roles on various cybersecurity-related advisory boards, and holds a B.S. in Electrical Engineering from Fairleigh Dickinson University. The Company's Chief Technology Officer and Chief Information Security Officer, in coordination with the Company's Cyber Security Committee, work collaboratively across the Company to implement a program designed to protect the Company's information systems from cybersecurity threats and designed to allow the Company to promptly respond to any cybersecurity incidents in accordance with the Company's Security Incident Response Plan. To facilitate the success of this program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the Company's incident response and recovery plans. Through the ongoing communications from these teams, the Chief Technology Officer, the Chief Information Security Officer, and the Company's Cyber Security Committee monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents in real time, and report such incidents to the Audit Committee when appropriate. To date, we do not believe cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition; however, we could experience a cybersecurity incident that materially affects us in the future. See Item 1A. Risk Factors, "Risks Related to our Information Systems and Technology" for additional discussion of cybersecurity risks to our business.
Company Information
| Name | PENN Entertainment, Inc. |
| CIK | 0000921738 |
| SIC Description | Hotels & Motels |
| Ticker | PENN - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |