Booking Holdings Inc. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

Booking Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 17:12:27 EST.

Filings

10-K filed on 2025-02-20

Booking Holdings Inc. filed a 10-K at 2025-02-20 17:12:27 EST
Accession Number: 0001075531-25-000010


Item 1C. Cybersecurity.

We are dedicated to managing cybersecurity, privacy, and data protection and security risks. We employ various tools, processes, technologies, and controls to identify and manage such risks. Identifying, assessing, and managing cybersecurity risk is generally integrated into our overall risk management processes. The Company’s internal audit function, with primary oversight by the Audit Committee, assesses key risks facing the organization, which are reviewed and discussed by the Company’s management-level risk committee (a multi-disciplinary committee including representation from senior management in the finance, internal audit, and legal functions, among others). The risk committee is tasked with ensuring risks, including those related to cybersecurity, are managed and aligning strategic objectives with an appropriate level of risk tolerance.

The Cyber Risk Management Policy (the “Policy”) establishes the framework for our cybersecurity risk management and governance. Our security teams operationalize the Policy across the Company and conduct cyber risk identification, assessment, management, and reporting. Our privacy teams are responsible for identifying, assessing, managing, and reporting on data protection risks.

We leverage the National Institute of Standards and Technology (NIST) frameworks for cybersecurity and privacy. We annually measure our security and privacy program maturity against the NIST frameworks, and engage a third-party every other year to assess the current state against these frameworks. The results of these assessments are discussed with the Board and the Cybersecurity Subcommittee of the Audit Committee.

As part of the Company’s risk management strategy, we require that all employees complete regular data security and privacy trainings, and conduct phishing tests and specialized training such as secure coding training for our developers.

Our security teams have established procedures for identifying, assessing, and managing cybersecurity incidents. A cross-functional working group of security, privacy, and legal personnel review potentially significant incidents. If an incident could be deemed material, it is escalated, and we consult with outside counsel as appropriate.

Our internal audit function performs its own cybersecurity and privacy audits and reviews certain related practices as part of their assessment of our internal control over financial reporting. From time to time we have taken steps to improve our practices and remedy deficiencies that have been identified. Our enterprise-wide information security program is also independently assessed every other year by a third party as part of our enterprise risk management, and the Cybersecurity Subcommittee reviews the findings.

We rely on certain third-party computer systems and third-party service providers, including global distribution systems (“GDSs”) and computerized central travel reservation systems in connection with providing some of our services. We also depend upon various third parties to process payments for certain transactions. These third-party business partners, service providers, and consultants need to access our customer and other data, and connect to our computer networks. We define confidentiality, security, and privacy requirements through our contracting processes and perform third-party cyber risk assessments to monitor such third parties as needed.

Although we expend significant resources to protect against security breaches, our existing security measures have not been and may not be successful in preventing all attacks. We have experienced cybersecurity incidents and threats, including malware, phishing, account takeover attacks, denial-of-service attacks, and inadvertent disclosures of data. We do not believe these cybersecurity incidents have had a material adverse effect on our Company, including our business strategy, results of operations, or financial condition. However, the cybersecurity threat environment is increasingly challenging, and we, along with the entire digital ecosystem, face a constant and increasing threat. For further discussion, see Part I, Item 1A, Risk Factors - “Information Security, Cybersecurity, and Data Privacy Risks.”

Governance

The Board and Audit Committee are responsible for oversight related to cybersecurity, privacy, and data protection and security. The Cybersecurity Subcommittee of the Audit Committee oversees management’s efforts and processes to identify, assess, and manage significant cybersecurity and privacy risks and regulatory developments in this area. The cybersecurity and privacy leaders meet with the Cybersecurity Subcommittee to discuss the Company’s cybersecurity and data protection risk exposures, including steps management has taken to assess and manage such exposures and their potential impact on the Company’s business, operations, and reputation. The Cybersecurity Subcommittee reports periodically on these matters to the Audit Committee and the Board.

The individuals serving in the roles of chief security officer and chief privacy officer have enterprise-wide responsibility for assessing and managing cybersecurity, data protection and security, and privacy risks, respectively. These leaders collectively have over 25 years of relevant work experience in public companies and extensive industry expertise.


Company Information

Name: Booking Holdings Inc.
CIK: 0001075531
SIC Description: Transportation Services
Ticker: BKNG - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30