TripAdvisor, Inc. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

TripAdvisor, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 07:05:34 EST.

Filings

10-K filed on 2025-02-20

TripAdvisor, Inc. filed a 10-K at 2025-02-20 07:05:34 EST
Accession Number: 0000950170-25-023736

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybe rsecurity In an era marked by rapid technological evolution, the business landscape is increasingly data-driven. Companies, including ours, collect, store, and leverage data to glean valuable insights about our members and travel trends; deliver relevant content to our members, suppliers, and business partners and enhance operational efficiency. This collection and leverage of data exposes us to potential cybersecurity threats. Our cybersecurity program is guided by industry standards developed by the National Institute of Standards and Technology (“NIST”). As a result, we have implemented a cybersecurity risk management framework that is designed to identify, assess, and mitigate risks from cybersecurity threats to our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the data residing on those systems. While no organization can eliminate cybersecurity risk entirely, we believe our cybersecurity program is reasonably designed to mitigate our cybersecurity and information technology risks. Risk Management Oversight and Governance The Board of Directors is responsible for overseeing management’s processes for managing cybersecurity risks and has delegated this function to the Audit Committee. The Audit Committee regularly reviews and discusses with management the processes to identify, assess and manage cybersecurity threats, as well as to identify, assess and, to the extent required, disclose whether risks from cybersecurity threats have materially affected the Company or if material cybersecurity incidents have occurred . Management is responsible for the day-to-day risk management process, including the identification of risks and implementation of policies and procedures designed to manage, mitigate or monitor cyber risks. In support of these responsibilities, management has formed a Compliance Committee and designated a Chief Compliance Officer to implement, manage and oversee a corporate compliance program. The Compliance Committee is responsible for understanding the global risk landscape of the Company and for working to ensure that we have a compliance program in place designed to mitigate, manage and/or monitor risks. The Compliance Committee consists of, among others, our Chief Financial Officer (“CFO”), Chief Legal Officer (“CLO”) and Chief Compliance Officer (“CCO”). The CCO has established an Information Governance and Privacy Committee responsible for oversight of privacy and cybersecurity risks. The Information Governance and Privacy Committee consists of senior members of the Company’s Information Security Team and CCO, as well as representatives from engineering, product development and data privacy. The Information Governance and Privacy Committee meets regularly to discuss and monitor information uses and governance and risks associated with our information assets, including prevention, detection, mitigation and remediation of risks from cybersecurity threats . Our Information Security Team reports to our CCO. The CCO reports to the Compliance Committee, which includes the CFO and CLO. The CFO and CLO report directly to the Company’s Chief Executive Officer. Each of the CFO, CLO and CCO report regularly to our Board of Directors on, among other matters, our global risk landscape and risk management efforts, including those related to cybersecurity risks. Our CCO, supported by our Information Security Team, has primary responsibility for managing our cybersecurity threat management program. We maintain rigorous standards for our information security leadership positions, including requiring extensive experience in building and leading cybersecurity security teams and 31 implementing enterprise-wide cybersecurity programs. Our CCO and Information Security Team continue to execute on our established cybersecurity strategy and risk management framework. The CCO, with input from the Information Security Team, meets regularly with and provides updates on cybersecurity developments to, members of the executive management team. Our Information Security Team meets at least annually with each of the Compliance Committee and the Audit Committee to discuss cybersecurity threats and the risk management programs. The Information Security Team provides information, as appropriate, about the sources and nature of risks the Company faces and how management assesses such risks. Our CCO also provides a quarterly report to the Audit Committee on trends and observations concerning cyber threats and actions being taken to mitigate those risks. The Chair of the Audit Committee reports quarterly to the full Board of Directors and that report includes a summary of the CCO’s report. Processes for the Identification of Risks from Cybersecurity Threats The Compliance Committee, working with the Information Security Team, has developed a cybersecurity risk management program that aims to address the following key areas: - Identification of assets at risk from cybersecurity threats; - Identification of potential sources of cybersecurity threats; - Assessment of the status of protections in place to prevent or mitigate cybersecurity threats; - Approaches to mitigating and managing cybersecurity risks; and - A process for regular reporting to the Compliance Committee and Board of Directors (directly and through the Audit Committee). The Company’s risk assessment and mitigation program is centered on the following components: - Identification of significant risks (primarily through enterprise risk assessments); - An evaluation of the likelihood of such risk occurring, the potential impact and the control strength, consideration for compensating controls to mitigate the risk; - Prioritization of different risk items based on, among other things, the results of our evaluation; and - Establishment of a process for addressing those risks. Our Internal Audit team reviews, monitors and audits various aspects of the Company’s enterprise risk management program to evaluate whether risks, including cybersecurity risks, are appropriately identified and managed. Internal Audit periodically reports to the Audit Committee on the Company’s cybersecurity risk mitigation efforts. The Audit Committee Chair, in turn, reports to the full Board of Directors. Our Incident Response Plan (“IRP”) is designed to facilitate rapid incident response to any security incident affecting the Company’s business lines, locations, services, and divisions. The IRP defines the roles and responsibilities for the senior leadership team and cybersecurity experts to identify and respond to cybersecurity events and incidents while complying with legal obligations. The Incident Response Team (“IRT”) is designated by the IRP to assess each cybersecurity incident and event for impacts to the Company, customers, and third-party partners and oversee the response to and remediation of such incident. We have several employee training and development programs that are designed to, among others, raise awareness of cybersecurity risks impacting the business to encourage consideration and facilitate managing those risks. To assess the effectiveness of our program, we periodically conduct penetration testing and other vulnerability analyses. As part of the assessment of the protections we have in place to mitigate risks, we engage third parties to conduct risk assessments on our systems. We rely on certain third-party computer systems and third-party service providers in connection with providing some of our services. These third-party business partners, service providers, and consultants need to access our customer and other data, and connect to our computer networks. We define expected security and privacy requirements through our contracting processes with those third parties and we perform cyber risk assessments at the time of procurement to review the cyber risk management efforts of those third parties. These vendors are 32 contractually obligated to notify us when they experience a cybersecurity incident that can affect our operations or stakeholders. Before purchasing third-party technology or other solutions and partnerships that involve exposure to the Company’s assets and electronic information, our Information Security and Privacy team undertakes due diligence to assess any key data privacy or information security risks. To date, we have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition ; however, like other companies in our industry, we have, from time to time, experienced threats and cybersecurity incidents relating to our information technology systems and infrastructure. Our third-party vendors may also experience threats and cybersecurity incidents from time to time. For additional information about the cybersecurity risks, see “Risk Factors” under the section entitled “Risks Related to Information Security, Cybersecurity and Data Privacy” in Part I, Item 1A of this Annual Report on Form 10-K.

Company Information