Page last updated on February 27, 2026
DiamondRock Hospitality Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 11:07:53 EST.
Filings
10-K filed on 2026-02-27
DiamondRock Hospitality Co filed a 10-K at 2026-02-27 11:07:53 EST
Accession Number: 0001298946-26-000013
Item 1C. Cybersecurity.
Cyber Risk Management and Strategy
We and our hotel managers rely on information technology in our operations, and any material failures, inadequacies, interruptions, security failures, social engineering attacks or cyber-attacks could harm our business. To help manage these risks, we engage and rely on external experts, internal auditors, and third-party assessors, including an information technology managed services provider (the "MSP") and a managed security services provider (the "MSSP"). Due to our REIT structure, the cybersecurity program, processes and strategy described in this section are primarily limited to the corporate systems, information and service providers belonging to or supporting the REIT.
In 2025, we strengthened our technology and cybersecurity governance by adding a senior technology and security professional to our IT leadership team. This role is responsible for strengthening internal ownership of our technology and cybersecurity governance and providing oversight over both our MSP and MSSP. This individual brings extensive experience in cybersecurity and information security services, including security operations, threat detection and response, vulnerability management, incident response, and compliance oversight aligned with recognized frameworks such as the National Institute of Standards and Technology Cybersecurity Framework.
Our current view of cybersecurity risk is informed by third-party risk assessments and ongoing monitoring and testing activities designed to identify and evaluate cybersecurity vulnerabilities and emerging threats, including periodic vulnerability scans, penetration testing and reviews of key service provider assurance reports and security documentation, where appropriate. Our MSP and MSSP also conduct periodic assessments of certain applications to determine, in part, any necessary security improvements.
Our senior management reviews information provided by third-party assessors and our MSP and MSSP to determine the appropriate treatment of identified risks. Cybersecurity risks are assessed within our broader enterprise risk management processes and are reported through established governance and escalation channels. We maintain information technology policies and procedures, including incident response and disaster recovery plans, and we periodically evaluate these procedures, including through tabletop exercises.
Because our hotels are operated by third parties, our cybersecurity program is primarily designed around the Company's corporate technology environment and the vendors and service providers that support our corporate functions. We do not manage hotel operations, and the day-to-day operation of our properties, including many of the technology systems used at the hotels, is performed by independent hotel managers and, where applicable, franchisors. Those operators and brands utilize their own systems and service providers to support hotel activity. Given this structure, our control over those hotel-operator and franchisor systems is limited. We rely on the cybersecurity programs and controls implemented by those third parties to address cyber-related risks in hotel operations. While we maintain governance and oversight of our corporate systems through our MSP and MSSP relationships, we look to our hotel managers and franchisors to manage cybersecurity within their environments. To better understand and assess our exposure, we periodically gather information from our hotel managers regarding their cybersecurity programs and practices and follow up, as appropriate, on identified areas of risk. In addition, our hotel managers and franchisors often maintain their own cyber insurance coverage, and we also maintain cyber insurance intended to provide supplemental protection.
We, like other companies in our industry, face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to and security incidents related to our data and systems. As of and for the three years ended December 31, 2025, we have not had any known instances of material cybersecurity incidents, including third-party incidents, and have not experienced a cyber-related incident that has materially affected our business, results of operations or financial condition. For more information about the cybersecurity risks we face, see Item 1A "Risk Factors."
Governance Related to Cybersecurity Risks
DiamondRock engages a MSP and MSSP to assist us with the identification, monitoring, and management of cybersecurity risks. Management, including our Chief Accounting Officer, Chief Financial Officer & Treasurer and General Counsel & Chief Risk Officer (collectively, the "Senior Risk Management Team"), oversees cybersecurity risk management activities and receives updates from internal technology leadership and our MSP and MSSP. The Senior Risk Management Team then briefs the Board on information regarding security matters at least quarterly. Additionally, we provide cybersecurity training for all Board members and our employees.
As part of its charter, the Audit Committee oversees our policies with respect to risk assessment and risk management, including with respect to cybersecurity risks. The Audit Committee administers its risk oversight function by receiving regular reports from members of the Senior Risk Management Team, on areas of material risk to the Company. Our Audit Committee discusses DiamondRock's cybersecurity program at least annually, and receives quarterly updates from internal audit or management on cybersecurity incidents or other developments.
Our Audit Committee reports on these matters to our Board of Directors as needed.
Our Board of Directors plays an important role in the risk oversight of the Company. Our Board is involved in risk oversight through its direct decision-making authority with respect to significant matters and the oversight of management by the Board's committees. Our Board also relies on management to bring significant matters impacting DiamondRock to its attention.
Company Information
| Name | DiamondRock Hospitality Co |
| CIK | 0001298946 |
| SIC Description | Real Estate Investment Trusts |
| Ticker | DRH - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |