VAIL RESORTS INC 10-K Cybersecurity GRC - 2024-09-26

Page last updated on September 26, 2024

VAIL RESORTS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-26 16:09:43 EDT.

Filings

10-K filed on 2024-09-26

VAIL RESORTS INC filed a 10-K at 2024-09-26 16:09:43 EDT
Accession Number: 0000812011-24-000091


Item 1C. Cybersecurity.

Risk Management and Strategy

Cybersecurity is a dynamic and constantly evolving field. We are committed to continuously improving our cybersecurity posture by staying informed about emerging threats, adopting industry best practices, and integrating feedback from our assessments and incidents. Our goal is to maintain a resilient cybersecurity framework that protects our assets and supports our long-term business objectives.

We manage risks from cybersecurity threats through our overall enterprise risk management process, which is overseen by our Board. Our cybersecurity risks are considered individually as part of our enterprise risk management process alongside other risks, and priorities and discussed with our Board. Management has created an information security program, which is comprised of a dedicated information security team and policies, procedures, and processes for assessing, identifying, and managing risks from cybersecurity threats. Our policies, procedures, and processes follow recognized frameworks established by the National Institute of Standards and Technology (“NIST”) and the International Organization for Standardization, as well as other relevant standards. Our program is designed to maintain the confidentiality, integrity, security, and availability of data created, collected, stored, and used to operate our business.

We identify, assess, and manage risks from cybersecurity threats through various mechanisms, which from time to time may include tabletop exercises, control gap analyses, threat modeling, impact analyses, internal audits, external audits, vulnerability scans, penetration tests, and engagement of third parties to conduct analyses of our information security program. We obtain cybersecurity threat intelligence from recognized forums, third parties, and other sources as part of our risk assessment process.
We also maintain a risk-based approach for assessing, identifying, and managing risks from cybersecurity threats associated with third party service providers and other companies with whom we do business. As part of our cybersecurity program, team members receive cybersecurity training and participate in awareness programs including phishing simulation exercises and reminders, and programming and events during Cybersecurity Awareness Month.

We also carry cyber security insurance, which is renewed annually and covers cyber events and business interruption. We closely monitor costs of breaches within the industry in an effort to ensure that our coverage is sufficient to address all reasonably foreseeable threats and levels of risk.

We maintain an Incident Response Plan (“IRP”), which applies to information security incidents. Our IRP sets out a coordinated, multi-functional approach for investigating, containing, and mitigating incidents, as well as the communication protocol of such incidents to senior management and other key stakeholders pursuant to established thresholds so that decisions regarding the disclosure and reporting of such incidents can be made by management in a timely manner. In general, our incident response process follows the NIST framework and focuses on four phases: (i) preparation; (ii) detection and analysis; (iii) containment, eradication, and recovery; and (iv) post-incident remediation.

Board oversight of cybersecurity risk management is supported by the Audit Committee, which regularly reviews internal reports from management with respect to information technology and cybersecurity issues, and interacts with our enterprise risk management function and our Chief Information Officer (“CIO”) regarding major cybersecurity risk areas and recommended actions to address such risks.
Cybersecurity Governance

Our Information Security and Compliance teams, in coordination with the Board and Audit Committee, oversees the management of risks from cybersecurity threats, including the policies, standards, processes, and practices that our CIO and our Vice President of Information Security, in coordination with our Information Technology Senior Leadership Team, develop and implement to address risks from cybersecurity threats.

The Board and the Audit Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to our peers and third parties. The Board and the Audit Committee are also informed of any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding such incident until it has been addressed. At least once each quarter, the Audit Committee discusses our approach to cybersecurity risk management with our CIO, and at least annually, or more frequently as necessary, our CIO meets with the Board to discuss cybersecurity risk management.

Our CIO and our Vice President of Information Security are principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across company. Our CIO serves as Chair of our Cybersecurity Incident Materiality Assessment Council and works in coordination with the other members of our Executive Committee.
Our CIO has served in various roles in information technology and information security for over 27 years, including in technology leadership roles such as Chief Information Officer, Vice President Business Technology, Vice President Business Information Services, Senior Director of Mountain Technology, Director of Resort Application Development, and Director of Order Management Systems leadership roles for large public companies. Our CIO holds a B.B.A. in Management Information Systems and Accounting from University of Oklahoma.

Our Vice President of Information Security has served in various roles in information technology and information security for over 27 years, including as Vice President of Information Security for large public companies. In addition, our Vice President of Information Security has previously held roles including Vice President of Information Security and Technology, Senior Director Information Technology, Director IT Security and Compliance, and Senior IT Audit Manager. Our Vice President of Information Security holds several certifications including CISSP, CISA, CISSM, and PCI-ISA. Our Vice President of Information Security holds a B.S. in Management Information Systems from Iowa State University and an MBA from Auburn University.

Our CIO and Vice President of Information Security, in coordination with our Legal, Internal Audit, and Compliance teams, work collaboratively across the company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our security IRP. To facilitate the success of this program, multidisciplinary teams throughout the company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with our incident response and recovery plans.
Through the ongoing communications from these teams, the CIO, the Vice President of Information Security, and our Cybersecurity Incident Materiality Assessment Council monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents in real time, and report such incidents to the Audit Committee when appropriate.

The Audit Committee reviews our cybersecurity management strategy and initiatives on a regular basis and oversees the management of risks from cybersecurity threats, including the policies, processes, and practices implemented by the Company to address such risks. The Audit Committee also routinely receives reports on the cybersecurity landscape, regulatory requirements, industry standards, and emerging threats. Prompt and timely information regarding any significant cybersecurity incident as specified in our IRP, including ongoing updates as the incident unfolds and until it has been addressed, are also provided to both the Board and the Audit Committee.

We do not currently believe cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to affect us, including our business strategy, results of operations, or financial condition; however, we could experience a cybersecurity incident that materially affects us in the future.


Company Information

Name: VAIL RESORTS INC
CIK: 0000812011
SIC Description: Services-Miscellaneous Amusement & Recreation
Ticker: MTN - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: July 30