Six Flags Entertainment Corporation/NEW 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 3, 2025

Six Flags Entertainment Corporation/NEW reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 15:32:57 EST.

Filings

10-K filed on 2025-03-03

Six Flags Entertainment Corporation/NEW filed a 10-K at 2025-03-03 15:32:57 EST
Accession Number: 0001999001-25-000052


Item 1C. Cybersecurity.

As described under Item 1A in this Form 10-K, the Combined Company is subject to risks from cybersecurity threats, including risks relating to maintaining customer and employee data. Cybersecurity is a key focus at multiple levels of the organization, and management has developed policies and procedures to assess, identify and manage risks from cybersecurity threats.

- Board of Directors
  - Enterprise risk management (“ERM”) process: As part of the ERM process, executive management and the Board of Directors regularly review an assessment related to cybersecurity and data protection risks to identify material risk areas, assess processes to mitigate those risks, and identify process and procedure improvements to alleviate identified risks, including allocating appropriate resources. Cybersecurity and data protection focus areas of ERM include phishing, malware, data breaches, outdated software, staffing levels for key information technology positions, and risks associated with the use of third parties.
  - Audit and Finance Committee of the Board of Directors: The Audit and Finance Committee is responsible for discussing the Combined Company’s major information technology risk exposures, including cybersecurity, and the steps management has taken to monitor and control such exposures. The Audit and Finance Committee dedicates attention to and provides oversight of certain cybersecurity risks. The Chief Digital and Technology Officer and Corporate Vice President, IT Infrastructure Operations and Security, meet with the Audit and Finance Committee regularly to assess management’s progress on implementing process and procedure improvements related to cybersecurity. The Audit and Finance Committee also provides guidance on long-term and short-term cybersecurity strategies.
- Executive Management
  - Technology Governance Committee: The Technology Governance Committee consists of certain members of executive management, including the Chief Accounting Officer, Chief Digital and Technology Officer, Chief Commercial Officer, Chief Strategy Officer, and Corporate Vice President, IT Infrastructure Operations and Security. This committee evaluates projects involving information technology, including reviewing best practices and change management needs and communicating a company-wide approach. Therefore, the information technology department is aware of system and application implementations prior to execution to facilitate proper application and infrastructure security both during implementation and after implementation. Internal audit is notified of system and application implementations as part of this process as well. The internal audit department works with the information technology department to review information technology projects to ensure key projects are appropriately planned, designed, developed, tested, deployed and maintained, including verifying proper security both during and after implementation.
  - Information Technology Department: The information technology department consists of employees with extensive cybersecurity experience, including the Chief Digital and Technology Officer and Corporate Vice President, IT Infrastructure Operations and Security, as well as a team of compliance and security associates. Cybersecurity experience within the information technology department includes prior work experience and bachelor’s degrees or higher in technology related fields.

In addition to internal resources, management engages a cyber insurance carrier with comprehensive data privacy and security risk management services; a managed security service provider with comprehensive security solutions, including continuous network monitoring, reporting and assistance with investigation; and an information security consulting company that consists of cybersecurity experts and information security practitioners to provide additional cybersecurity support. Management also maintains a system of information technology controls and procedures, including controls and procedures related to authentication and access, recovery plans and secured backups of data, the design of applications and selection of packaged software, and testing of significant changes in applications and infrastructure technology. Management also provides training to its employees about cybersecurity, performs penetration testing at least annually, performs security incident preparedness activities at least annually, and performs an annual Payment Card Industry (“PCI”) attestation. Third party providers involving information technology are identified as part of the contract review process. System and Organizational Controls (“SOC”) reports are reviewed annually for third party providers. The information technology department continuously monitors for cybersecurity threats in order to detect if a cybersecurity incident has occurred. The department uses endpoint detection and response (“EDR”) and security information and event management (“SIEM”) with the assistance of a managed security service provider and internal analysts to detect and identify threats. Lastly, management follows the National Institute of Standards and Technology (“NIST”) Framework, which enables management to compare the Company against the industry and manage dynamic cybersecurity risks. 
If a cybersecurity incident were to occur, including a cybersecurity incident associated with a third-party provider, management has developed an incident response plan to align responsibilities throughout the organization to facilitate an efficient and effective response, as well as an appropriate investigation of each incident. The incident response plan is led by executive management, the Chief Digital and Technology Officer, the Corporate Vice President, IT Infrastructure Operations and Security, and the information technology department and includes a further delegation of incident responsibility to key internal stakeholders, including the legal, investor relations, human resources, and internal audit departments. Upon identification of an incident, each incident is assigned an incident materiality rating based on both quantitative and qualitative considerations. Qualitative considerations include the presence of ransomware, operational degradation or interruption, operational loss, and sensitive or confidential data loss. Based on the severity of each incident, the incident response is escalated. Cybersecurity incidents, regardless of materiality, are investigated by the information technology department led by Corporate Vice President, IT Infrastructure Operations and Security and are communicated to the Chief Executive Officer, Chief Financial Officer, Chief Legal Officer, Chief Digital and Technology Officer, the Executive Chairman of the Board of Directors, Lead Independent Director and the Chair of the Audit and Finance Committee. The entire Board of Directors is notified of material or high-risk incidents. Risks from cybersecurity threats could materially affect the Combined Company’s business strategy, results of operations or financial condition as described under Item 1A in this Form 10-K. 
There are no known risks from cybersecurity incidents that have materially affected or are reasonably likely to materially affect the registrant as of the date of this filing.


Company Information

Name: Six Flags Entertainment Corporation/NEW
CIK: 0001999001
SIC Description: Services-Amusement & Recreation Services
Ticker: FUN - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30