Page last updated on January 27, 2025
CARNIVAL PLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-27 06:11:17 EST.
Filings
10-K filed on 2025-01-27
CARNIVAL PLC filed a 10-K at 2025-01-27 06:11:17 EST
Accession Number: 0000815097-25-000007
Item 1C. Cybersecurity.
With an increasingly technology-driven business landscape, cybersecurity is critical to safeguarding our company’s shipboard and shoreside assets and maintaining our operational integrity. We have implemented cybersecurity measures that are designed to protect the confidentiality, integrity and availability of our information technology and operational technology systems against the constantly evolving cyber threats.

Risk Management

Our processes to identify and manage cybersecurity risks form part of our overall risk management framework which includes an organization wide, multi-layered approach to risk assessment and management. Our cybersecurity risk management program is designed to proactively identify, assess and mitigate potential cybersecurity threats. It leverages industry-leading cybersecurity frameworks and standards, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and the ISO/IEC 27001 standard.

We conduct regular risk assessments to evaluate the security posture of our systems and processes, including vulnerability assessments, penetration testing, external attack surface mitigations and monitor our network for suspicious activity and potential breaches. We engage third-party advisory firms to conduct assessments of the maturity of our cybersecurity program, including measures to improve our Payment Card Industry Data Security Standard (“PCI DSS”) compliance, as well as to conduct penetration testing of our shoreside and shipboard assets on a periodic basis. We continue to invest in our information technology, operational technology and cybersecurity programs to layer in the right mix of risk-based controls to protect against evolving threats.

We maintain an incident response plan and related policies and protocols which outline procedures for identifying, reporting and responding to cybersecurity incidents.
Our incident response plan is regularly updated to address new threats and tested through crisis simulation exercises involving our shipboard and shoreside employees. We also have an incident response team who is trained to handle a wide range of security events and collaborates with external cybersecurity experts when necessary.

We have data privacy and security standards across the company that are designed to comply with relevant regulations, including the General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”) and PCI DSS. We employ encryption, access controls, and other data anonymization techniques to safeguard data throughout its lifecycle. We also have data privacy and cybersecurity focused training for our shoreside and select shipboard team members. We regularly educate our shoreside and shipboard team members about the importance of handling and protecting guest and team member data, including phishing simulation exercises and annual privacy and security training to enhance awareness of how to detect and respond to cybersecurity threats.

Our cybersecurity diligence extends to third-party vendors and partners. We have operationalized processes that seek to identify and manage cybersecurity risks from our service providers, including those who have access to our guest or team member data or direct access to our network, systems and applications, with the goal of minimizing our exposure to third party risks. In addition, cybersecurity and data privacy considerations factor greatly in the sourcing, selection and oversight of our third-party service providers. We generally require third-party service providers that access or host our data, systems, or applications or could otherwise introduce cybersecurity risk to us, to complete additional risk assessments, comply with our security and privacy requirements, and agree to the timely reporting of cyber security incidents to us.
As of November 30, 2024, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of our operations, or financial condition. Despite our efforts with respect to protecting information technology operations and strengthening our cybersecurity and data privacy positions, we have been, and may continue to be, impacted by breaches in data security and lapses in data privacy, which occur from time to time. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses incurred in connection with cybersecurity incidents were not material. For additional information on the risks from cybersecurity threats and the potential related impacts on the company, refer to Operational Risk Factor f.

Governance

Our Chief Information Security Officer (“CISO”) leads our worldwide efforts in cybersecurity risk reduction and regulatory compliance. Our CISO oversees risk management across information technology operations, cybersecurity and data privacy. With over 20 years of experience across various industries, including Fortune 50 and 100 organizations, our CISO brings a comprehensive background in strategic cybersecurity leadership and risk management. This expertise is further supported by an array of certifications (C-CISO, CISSP, CISM, CRISC, CISA, and CIPT), as well as academic credentials, including a Master’s in Information Systems from Harvard University and a Bachelor’s in Business Administration from Florida International University. Our CISO regularly updates executive management and actively engages within the cybersecurity community to stay informed on the latest industry developments.
Our CISO chairs our Cybersecurity Advisory Council (“CAC”), a cross-functional management committee that drives awareness, ownership and alignment across broad governance and risk stakeholder groups for effective cybersecurity risk management. The CAC is sponsored by our Chief Financial Officer and is composed of senior leaders from our brand information security, data privacy, legal, internal audit and information technology teams. The CAC meets at least quarterly and has responsibility for oversight of our cybersecurity strategic direction, risks and threats, priorities, resource allocation, capabilities and planning.

The CISO and her team are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in accordance with our cyber incident response plan. Additionally, the CISO informs our Disclosure Committee on a quarterly basis, or more frequently if needed, of any cybersecurity risks or incidents or other information system matters that may affect our business strategy, results of operations or financial condition. Our Chief Privacy Officer and Data Protection Officers oversee our focus on the proper processing of personal information in alignment with our privacy policy and applicable privacy laws and regulations.

The Audit Committees are responsible for oversight of our risk management with respect to information technology operations and cybersecurity while the Compliance Committees oversee risk management in the area of data privacy and the HESS Committees oversee risk management related to our maritime operational technologies. The Audit Committees receive updates from the CISO on our information technology operations, including cybersecurity developments and risks, three times a year, and our Board of Directors receive updates from the CISO on an annual basis.
Company Information
Name | CARNIVAL PLC |
CIK | 0001125259 |
SIC Description | Water Transportation |
Ticker | CUK - NYSE; CUKPF - OTC |
Website | |
Category | Large Accelerated |
Fiscal Year End | November 29 |