Page last updated on March 7, 2025
Global Business Travel Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-07 17:19:33 EST.
Filings
10-K filed on 2025-03-07
Global Business Travel Group, Inc. filed a 10-K at 2025-03-07 17:19:33 EST
Accession Number: 0001628280-25-011370
Item 1C. Cybersecurity.
We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities and test those systems pursuant to our cybersecurity policies, standards, processes and practices, which are integrated into our overall risk management system. We take a risk-based approach to cybersecurity aligned with National Institute of Standards and Technology (NIST) Cybersecurity Framework principles and have implemented controls throughout our operations that are designed to address cybersecurity threats and incidents. To protect our information systems from cybersecurity threats, we use various security tools that are designed to help us identify, escalate, investigate, resolve and recover from security incidents in a timely manner.
Our cybersecurity program and policies articulate the expectations and requirements with respect to acceptable use, education and awareness, security incident management and reporting, identity and access management, vendor due diligence, security (with respect to physical assets, products, networks, and systems), security monitoring and vulnerability identification. Our cybersecurity program and policies are operated by a dedicated cybersecurity operations team in conjunction with our enterprise Risk Management and Compliance program.
Our cyber risk management program identifies, tracks, escalates, remediates, and reports cyber related risks throughout the Company. These risk areas include internal, product, vendor, supply chain, and external services utilized across the Company. These risks are assessed, prioritized, and both tactically and strategically addressed via process, technology, and personnel improvements to ensure ongoing mitigation and tracking.
We utilize internal and external resources, including leading third party providers in the cybersecurity prevention, detection and monitoring space, to monitor for cybersecurity threats to our systems and networks and to understand the broader threat environment. Our cybersecurity strategy is guided by prioritized risk, identified areas for improvement based on the NIST Cybersecurity Framework, and emerging business needs. Cybersecurity risks are continually monitored and shared with the executive leadership team on a quarterly basis.
We maintain a global incident response plan, coupled with a global continuous monitoring program. This plan and program include incident alerting, comprehensive incident criticality assessments, and escalation processes designed to support our teams, our senior leadership, and the Board. This escalation process also includes cross-functional materiality determinations and applicable reporting requirements.
Our cybersecurity operations team manages all facets of cybersecurity monitoring, coordinating with managed services security providers and internal analysts across the Company. All employees are provided cybersecurity awareness training, which includes topics on our policies and procedures for reporting potential incidents. Our cybersecurity team regularly evaluates emerging risks, regulations, and compliance matters and updates applicable policies and procedures accordingly.
To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and we believe are not reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. Refer to “Part I, Item 1A. Risk Factors” for additional description of cybersecurity risks and potential related impacts on the Company, including the risk factor captioned “Cybersecurity attacks or security breaches or incidents impacting our systems or data could adversely affect our ability to operate, could result in personal information and our proprietary information being lost, stolen, made inaccessible, improperly disclosed or misappropriated and may cause us to be held liable or subject to regulatory penalties and sanctions and to litigation (including class action litigation), which could have a material adverse effect on our reputation and business.”
Governance
The Board, directly and through its committees, oversees our risk management process, including cybersecurity risks and regularly receives presentations and reports from management. Pursuant to the Risk Management and Compliance Committee Charter, the Risk Management and Compliance Committee of the Board provides compliance oversight of our risk assessment and risk management policies, which include cybersecurity, and receives regular reports and updates on the steps management has taken to monitor and mitigate such exposures and risks.
Our Chief Information Security Officer (“CISO”), in coordination with our Chief Technology Officer, is responsible for leading the assessment and management of cybersecurity risks. The current CISO has over 25 years of experience managing robust security programs, including in heavily regulated environments such as financial services. The CISO possesses extensive experience in information security, risk management, and technology governance, with a strong background in both strategic leadership and technical security operations. The CISO presents to the Risk Management and Compliance Committee on a bi-annual basis concerning our cybersecurity program.
Company Information
Name | Global Business Travel Group, Inc. |
CIK | 0001820872 |
SIC Description | Transportation Services |
Ticker | GBTG - NYSE |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |