Bally's Corp 10-K Cybersecurity GRC - 2025-03-17

Page last updated on March 17, 2025

Bally’s Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 16:51:26 EDT.

Filings

10-K filed on 2025-03-17

Bally’s Corp filed a 10-K at 2025-03-17 16:51:26 EDT
Accession Number: 0001747079-25-000039

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We have established policies and processes for assessing, identifying, and managing material risks from cybersecurity threats, and have integrated these processes into our overall risk management systems and practices. We routinely assess material risks from cybersecurity threats, including any potential unauthorized attack on, or use of, our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information stored therein. Our data breach management policy classifies potential incidents by risk levels, and we typically prioritize our incident mitigation and impact evaluation efforts based on those risk classifications, while focusing on maintaining the resiliency of our systems. These risk assessments include identifying reasonably foreseeable potential internal and external risks, the likelihood of occurrence and any potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, controls, and other safeguards in place to manage such risks. Following these risk assessments, we design, implement, and maintain reasonable safeguards to minimize the identified risks; reasonably address any identified gaps in existing safeguards; update existing safeguards as necessary; and monitor the effectiveness of our safeguards. Some of the other steps we have taken to detect, identify, assess, classify, and attempt to mitigate cyber security and risks include: - Adopting and periodically reviewing and updating information security and privacy policies; - Conducting targeted audits and penetration tests throughout the year, using both internal and external resources; - Complying with the Payment Card Industry Data Security Standard (PCI-DSS); - Implementing an Information Security Management System (ISMS) that is certified as meeting the requirements of the ISO 27001 standard; - Implementing a Privacy Information Management System (PIMS) that complies with the requirements of the ISO 27701 standard; - Engaging an industry-leading, suitably qualified and experienced third party to independently evaluate our information security systems on a regular basis; - Adopting a vendor risk management program, which includes receiving the results of cybersecurity evaluations conducted on certain vendors engaged in high-risk data processing; - Providing security and data protection training and awareness to our employees, contractors and key partners with access to sensitive information and systems; and - Maintaining cyber liability insurance. At this time, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For additional information regarding risks from cybersecurity threats, please refer to Item 1A “Risk Factors -Cybersecurity and Technology Risks. Governance Cybersecurity and data protection falls under our overall risk management and oversight. Our Board of Directors periodically receives reports from our operations committee, cybersecurity management, external professional advisors, and other relevant Company personnel regarding various types of risks faced by the Company and the Company’s risk mitigation efforts related thereto, including cybersecurity risks and related mitigation efforts. The Board also receives presentations from management regarding trends in cybersecurity risks and risk mitigation initiatives and plans, including briefings on recent breaches at other companies and key takeaways and lessons learned that are applicable to our business. The Board will also periodically review key cybersecurity-related benchmarks for the Company. The Company has a dedicated Security Forum and a Data Protection Committee comprising members from our senior leadership that convene on a regular basis to receive updates from our operations committee, cybersecurity management, external professional advisors, and other relevant Company personnel about the Cybersecurity & Privacy programs we have in place; discuss and assess material risks and planned risk mitigation, incidents and planned remediation efforts, trends observed, consider cybersecurity-related proposals, and review and adopt changes in cybersecurity policies. 37 Management’s Responsibilities In the event we identify a potential cybersecurity issue, we have defined procedures for responding to such issues, including procedures that address when and how to engage with Company management, our Board of Directors, other stakeholders, and law enforcement when responding to such issues. We have a dedicated management team overseeing our cybersecurity initiatives, led by our Chief Information Officer, our Vice President and Global Data Privacy Officer, and our Vice President of Cybersecurity. Our Chief Information Officer has over 25 years’ experience overseeing and managing information technology teams and complex IT systems, and our Vice President of Cybersecurity has over 15 years’ experience developing and managing cybersecurity functions and strategies. Our Vice President of Global Data Privacy is a recognized leader in the industry with over 7 years of experience in managing global data privacy programs. Our cybersecurity management team regularly meets with senior executives and other team members to provide oversight with respect to our cybersecurity risk detection, identification, assessment, classification, and mitigation efforts. 38

Company Information