Page last updated on February 11, 2025
MARRIOTT INTERNATIONAL INC /MD/ reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-11 12:50:25 EST.
Filings
10-K filed on 2025-02-11
MARRIOTT INTERNATIONAL INC /MD/ filed a 10-K at 2025-02-11 12:50:25 EST
Accession Number: 0001628280-25-004818
Item 1C. Cybersecurity.
Risk Management and Strategy

We manage risks from cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K, through our overall enterprise risk management process, which is overseen by our Board. Management has created a global information security program, which encompasses a dedicated global information security team and policies, procedures, and processes for assessing, identifying, and managing risks from cybersecurity threats. Marriott’s policies, procedures, and processes generally follow recognized frameworks established by the National Institute of Standards and Technology (“NIST”) and the International Organization for Standardization, as well as other relevant standards. Our program is designed to maintain the confidentiality, integrity, security, and availability of the data that is created, collected, stored, and used to operate our business.

We assess, identify, and manage risks from cybersecurity threats through various mechanisms, which from time to time may include tabletop exercises, business unit assessments, control gap analyses, threat modeling, impact analyses, internal audits, external audits, vulnerability scans, penetration tests, and engagement of third parties to conduct analyses of our information security program. We obtain cybersecurity threat intelligence from recognized forums, third parties, and other sources as part of our risk assessment process. We also maintain a risk-based approach for assessing, identifying, and managing risks from cybersecurity threats associated with key third-party service providers, hotel owners, and other companies with whom we do business.

With respect to incident response, we maintain a Global Information Security & Privacy Incident Response Plan (“IRP”), which applies to information security incidents involving properties owned, leased, or managed by Marriott, as well as our above-property business locations. Our IRP sets out a coordinated, multi-functional approach for investigating, containing, and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. In general, our incident response process follows the NIST framework and focuses on four phases: (i) preparation; (ii) detection and analysis; (iii) containment, eradication, and recovery; and (iv) post-incident remediation.

For properties that are not owned, leased, or managed by Marriott, the franchisees, licensees, or other applicable counterparties are generally responsible for information security at such properties and the systems and business processes related to information security that are under their direction and control. Franchisees and licensees are typically required to comply with Marriott brand standards relating to information security, which include an obligation to report relevant information security incidents to us.

In the 2024 fourth quarter, we reached final resolutions with the FTC and the AG Offices in relation to the Data Security Incident. The resolutions with the FTC and the AG Offices include various ongoing requirements relating to our data privacy and information security programs. We do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our overall business strategy, results of operations, or financial condition over the long term. However, there can be no assurance that we, our hotel owners, our third-party service providers, or other companies with whom we do business, will not experience a cybersecurity threat or incident in the future that could materially adversely affect our business strategy, results of operations, or financial condition.

See the discussion about the Starwood Data Security Incident under the “Litigation, Claims, and Government Investigations” caption in Note 7 to our financial statements, the discussion of the same in Part II, Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” and the discussion of cybersecurity risk in Part I, Item 1A, “Risk Factors.”

Governance

Our Board has established a Technology and Information Security Oversight Committee (“TISOC”) to assist the Board in providing oversight of matters pertaining to technology, information security, and privacy, including risks from cybersecurity threats; management’s efforts to monitor and mitigate those risks; and significant cybersecurity incidents. The TISOC meets at least four times per year and typically receives reports from our Chief Information Security Officer (“CISO”) and other members of management about these matters. The Board’s Audit Committee receives reports regarding information security and technology-related audits conducted by our internal audit department. Risks from cybersecurity threats are also discussed with the full Board as part of regular legal updates and management presentations, the Board’s oversight of enterprise risk management, and periodic education sessions.

To establish, implement, and evaluate our risk management policies and practices with respect to cybersecurity threats, and to facilitate the communication of such matters to the Board, the TISOC, and the Audit Committee, as applicable, we have established a number of management committees, several of which include senior leaders and direct reports of the Company’s President and CEO, that serve as our policymaking and management-level governing bodies with respect to our information security and data privacy programs; oversee the implementation of our information security and data privacy risk management strategy; and identify, consider, and escalate information security and data privacy issues that may arise in our business. Our global information security team, led by our CISO, works in coordination with these management committees and other cross-functional teams and is principally responsible for overseeing our information security strategy, working collaboratively with business leaders across the organization to assess, identify, and manage risks from cybersecurity threats, and to address cybersecurity incidents when they arise. Our information security program is operated on a 24/7 basis to address risks from cybersecurity threats and to respond to cybersecurity incidents globally.

Our CISO and other members of senior management responsible for our information security program have extensive experience assessing and managing risks from cybersecurity threats, including decades of experience in information technology and information security positions; serving in information technology leadership positions at other large public companies; and having other significant experience in the areas of risk management, information technology, and information security. Our CISO has more than 27 years of experience in information technology and/or information security, including more than 13 years in such positions in the hospitality industry.
Company Information
Name | MARRIOTT INTERNATIONAL INC /MD/
CIK | 0001048286
SIC Description | Hotels & Motels
Ticker | MAR - Nasdaq
Website |
Category | Large accelerated filer
Fiscal Year End | December 30