Churchill Downs Inc 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 20, 2025

Churchill Downs Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 17:46:35 EST.

Filings

10-K filed on 2025-02-19

Churchill Downs Inc filed a 10-K at 2025-02-19 17:46:35 EST
Accession Number: 0000020212-25-000051

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We maintain a comprehensive process for detecting, assessing, and managing material risks from cybersecurity threats as part of our overall enterprise risk management system and processes. Our Chief Technology Officer (“CTO”) oversees our Chief Information Security Officer and a dedicated team of information security professionals who are responsible for our cybersecurity risk management program. Our CTO oversees our information security professionals’ efforts to prevent, detect, mitigate, and remediate cybersecurity and other emerging technology risks and incidents and the efforts for assessing and managing our material risks from cybersecurity threats. Our cybersecurity and risk management program includes technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools, and related services from third-party providers. Our CTO has over twenty years of extensive experience in information technology and security. We use the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. This does not mean that we meet any particular technical standards, specifications, or requirements of the NIST CSF. We routinely engage consultants and other third parties to assist with our cybersecurity risk management, including third-party penetration tests of our various information technology environments. As part of our current due diligence review and contracting process with third-party vendors that may have access to our data or systems, we perform an information security review of the vendor’s program and require such contracts to include certain minimum-security safeguards and notification requirements, where applicable. We also carry cybersecurity insurance with coverage for costs associated with a cybersecurity incident. We have an established incident response plan to address and guide our employees and management on our response to a cybersecurity incident. The Company has two management committees that assist with cybersecurity incidents and risk management. These committees consist of senior leadership and cross-functional members from across our organization. The Consumer Data Privacy Committee assists with identifying and managing consumer data privacy issues. The Cybersecurity Disclosure Committee (“CD Committee”) assists senior management in fulfilling their responsibilities for oversight of the accuracy and timeliness of disclosures made by the Company in response to cybersecurity incidents and vulnerabilities. In the 26 event a potentially significant cybersecurity incident is identified by our information security team, such incident is reported to the CD Committee to consider applicable disclosures, with the assistance of outside counsel as needed. In addition, senior leadership prepares an enterprise risk management report identifying and evaluating enterprise risks, including cybersecurity risks, which is regularly presented to the Audit Committee. Our executive leadership team, along with oversight from the Audit Committee of the Board of Directors , are responsible for our overall enterprise risk management system and processes and regularly consider cybersecurity risks in the context of other material risks to the Company. The Audit Committee oversees the processes by which management assesses the Company’s exposure to cybersecurity risks and evaluates the guidelines and policies governing the Company’s monitoring, control, and minimization of such risks. Our CTO regularly reports to the Audit Committee regarding cybersecurity matters. As of the date of this report, the Company is not aware of any cybersecurity risks that have, or are reasonably likely to, materially affect us, our business strategy, results of operation, or financial condition. Although we have invested in information security and monitor our systems on an ongoing basis, there can be no guarantee that such efforts will in the future prevent compromises to our information technology systems that could have a material adverse effect on our business. For additional information concerning cybersecurity risks we face, refer to Part I, Item 1A, Risk Factors.

Company Information