Cybersecurity Risk Management, Strategy, and Governance
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 1C. Cybersecurity

In an era marked by rapid technological evolution, the business landscape is increasingly data-driven. Companies, including ours, collect, store, and leverage data to glean valuable insights about our members and travel trends; deliver relevant content to our members, suppliers, and business partners and enhance operational efficiency. This collection and leverage of data exposes us to potential cybersecurity threats. Our cybersecurity program is guided by industry standards developed by the National Institute of Standards and Technology (“NIST”). As a result, we have implemented a cybersecurity risk management framework that is designed to identify, assess, and mitigate risks from cybersecurity threats to our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the data residing on those systems. While no organization can eliminate cybersecurity risk entirely, we believe our cybersecurity program is reasonably designed to mitigate our cybersecurity and information technology risks.

Risk Management Oversight and Governance

The Board of Directors is responsible for overseeing management’s processes for managing cybersecurity risks and has delegated this function to the Audit Committee. The Audit Committee regularly reviews and discusses with management the processes to identify, assess and manage cybersecurity threats, as well as to identify, assess and, to the extent required, disclose whether risks from cybersecurity threats have materially affected the Company or if material cybersecurity incidents have occurred.

Management is responsible for the day-to-day risk management process, including the identification of risks and implementation of policies and procedures designed to manage, mitigate or monitor cyber risks. In support of these responsibilities, management has formed a Compliance Committee and designated a Chief Compliance Officer to implement, manage and oversee a corporate compliance program.

The Compliance Committee is responsible for understanding the global risk landscape of the Company and for working to ensure that we have a compliance program in place designed to mitigate, manage and/or monitor risks. The Compliance Committee consists of, among others, our Chief Financial Officer (“CFO”), Chief Legal Officer (“CLO”) and Chief Compliance Officer (“CCO”). The CCO has established an Information Governance and Privacy Committee responsible for oversight of privacy and cybersecurity risks. The Information Governance and Privacy Committee consists of senior members of the Company’s Information Security Team and CCO, as well as representatives from engineering, product development and data privacy. The Information Governance and Privacy Committee meets regularly to discuss and monitor information uses and governance and risks associated with our information assets, including prevention, detection, mitigation and remediation of risks from cybersecurity threats.

Our Information Security Team reports to our CCO. The CCO reports to the Compliance Committee, which includes the CFO and CLO. The CFO and CLO report directly to the Company’s Chief Executive Officer. Each of the CFO, CLO and CCO reports regularly to our Board of Directors on, among other matters, our global risk landscape and risk management efforts, including those related to cybersecurity risks.

Our CCO, supported by our Information Security Team, has primary responsibility for managing our cybersecurity threat management program. We maintain rigorous standards for our information security leadership positions, including requiring extensive experience in building and leading cybersecurity teams and implementing enterprise-wide cybersecurity programs. Our CCO and Information Security Team continue to execute on our established cybersecurity strategy and risk management framework.

The CCO, with input from the Information Security Team, meets regularly with, and provides updates on cybersecurity developments to, members of the executive management team.

Our Information Security Team meets at least annually with each of the Compliance Committee and the Audit Committee to discuss cybersecurity threats and the risk management programs. The Information Security Team provides information, as appropriate, about the sources and nature of risks the Company faces and how management assesses such risks. Our CCO also provides a quarterly report to the Audit Committee on trends and observations concerning cyber threats and actions being taken to mitigate those risks. The Chair of the Audit Committee reports quarterly to the full Board of Directors and that report includes a summary of the CCO’s report.

Processes for the Identification of Risks from Cybersecurity Threats

The Compliance Committee, working with the Information Security Team, has developed a cybersecurity risk management program that aims to address the following key areas:

Identification of assets at risk from cybersecurity threats;
Identification of potential sources of cybersecurity threats;
Assessment of the status of protections in place to prevent or mitigate cybersecurity threats;
Approaches to mitigating and managing cybersecurity risks; and
A process for regular reporting to the Compliance Committee and Board of Directors (directly and through the Audit Committee).

The Company’s risk assessment and mitigation program is centered on the following components:

Identification of significant risks (primarily through enterprise risk assessments);
An evaluation of the likelihood of such risk occurring, the potential impact and the control strength, with consideration for compensating controls to mitigate the risk;
Prioritization of different risk items based on, among other things, the results of our evaluation; and
Establishment of a process for addressing those risks.

Our Internal Audit team reviews, monitors and audits various aspects of the Company’s enterprise risk management program to evaluate whether risks, including cybersecurity risks, are appropriately identified and managed. Internal Audit periodically reports to the Audit Committee on the Company’s cybersecurity risk mitigation efforts. The Audit Committee Chair, in turn, reports to the full Board of Directors.

Our Incident Response Plan (“IRP”) is designed to facilitate rapid incident response to any security incident affecting the Company’s business lines, locations, services, and divisions. The IRP defines the roles and responsibilities for the senior leadership team and cybersecurity experts to identify and respond to cybersecurity events and incidents while complying with legal obligations. The Incident Response Team (“IRT”) is designated by the IRP to assess each cybersecurity incident and event for impacts to the Company, customers, and third-party partners and oversee the response to and remediation of such incident.

We have several employee training and development programs that are designed to, among other things, raise awareness of cybersecurity risks impacting the business in order to encourage consideration of those risks and facilitate managing them. To assess the effectiveness of our program, we periodically conduct penetration testing and other vulnerability analyses. As part of the assessment of the protections we have in place to mitigate risks, we engage third parties to conduct risk assessments on our systems.

We rely on certain third-party computer systems and third-party service providers in connection with providing some of our services. These third-party business partners, service providers, and consultants need to access our customer and other data, and connect to our computer networks. We define expected security and privacy requirements through our contracting processes with those third parties and we perform cyber risk assessments at the time of procurement to review the cyber risk management efforts of those third parties. These vendors are contractually obligated to notify us when they experience a cybersecurity incident that can affect our operations or stakeholders.

Before purchasing third-party technology or other solutions and partnerships that involve exposure to the Company’s assets and electronic information, our Information Security and Privacy team undertakes due diligence to assess any key data privacy or information security risks.

To date, we have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition; however, like other companies in our industry, we have, from time to time, experienced threats and cybersecurity incidents relating to our information technology systems and infrastructure. Our third-party vendors may also experience threats and cybersecurity incidents from time to time.

For additional information about the cybersecurity risks, see “Risk Factors” under the section entitled “Risks Related to Information Security, Cybersecurity and Data Privacy” in Part I, Item 1A of this Annual Report on Form 10-K.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The Board of Directors is responsible for overseeing management’s processes for managing cybersecurity risks and has delegated this function to the Audit Committee. The Audit Committee regularly reviews and discusses with management the processes to identify, assess and manage cybersecurity threats, as well as to identify, assess and, to the extent required, disclose whether risks from cybersecurity threats have materially affected the Company or if material cybersecurity incidents have occurred.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board of Directors is responsible for overseeing management’s processes for managing cybersecurity risks and has delegated this function to the Audit Committee.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee regularly reviews and discusses with management the processes to identify, assess and manage cybersecurity threats, as well as to identify, assess and, to the extent required, disclose whether risks from cybersecurity threats have materially affected the Company or if material cybersecurity incidents have occurred. The Chair of the Audit Committee reports quarterly to the full Board of Directors and that report includes a summary of the CCO’s report.
Cybersecurity Risk Role of Management [Text Block]

Management is responsible for the day-to-day risk management process, including the identification of risks and implementation of policies and procedures designed to manage, mitigate or monitor cyber risks. In support of these responsibilities, management has formed a Compliance Committee and designated a Chief Compliance Officer to implement, manage and oversee a corporate compliance program.

The Compliance Committee is responsible for understanding the global risk landscape of the Company and for working to ensure that we have a compliance program in place designed to mitigate, manage and/or monitor risks. The Compliance Committee consists of, among others, our Chief Financial Officer (“CFO”), Chief Legal Officer (“CLO”) and Chief Compliance Officer (“CCO”). The CCO has established an Information Governance and Privacy Committee responsible for oversight of privacy and cybersecurity risks. The Information Governance and Privacy Committee consists of senior members of the Company’s Information Security Team and CCO, as well as representatives from engineering, product development and data privacy. The Information Governance and Privacy Committee meets regularly to discuss and monitor information uses and governance and risks associated with our information assets, including prevention, detection, mitigation and remediation of risks from cybersecurity threats.

Our Information Security Team reports to our CCO. The CCO reports to the Compliance Committee, which includes the CFO and CLO. The CFO and CLO report directly to the Company’s Chief Executive Officer. Each of the CFO, CLO and CCO reports regularly to our Board of Directors on, among other matters, our global risk landscape and risk management efforts, including those related to cybersecurity risks.

Our CCO, supported by our Information Security Team, has primary responsibility for managing our cybersecurity threat management program. We maintain rigorous standards for our information security leadership positions, including requiring extensive experience in building and leading cybersecurity teams and implementing enterprise-wide cybersecurity programs. Our CCO and Information Security Team continue to execute on our established cybersecurity strategy and risk management framework.

The CCO, with input from the Information Security Team, meets regularly with, and provides updates on cybersecurity developments to, members of the executive management team.

Our Information Security Team meets at least annually with each of the Compliance Committee and the Audit Committee to discuss cybersecurity threats and the risk management programs. The Information Security Team provides information, as appropriate, about the sources and nature of risks the Company faces and how management assesses such risks. Our CCO also provides a quarterly report to the Audit Committee on trends and observations concerning cyber threats and actions being taken to mitigate those risks. The Chair of the Audit Committee reports quarterly to the full Board of Directors and that report includes a summary of the CCO’s report.

Processes for the Identification of Risks from Cybersecurity Threats

The Compliance Committee, working with the Information Security Team, has developed a cybersecurity risk management program that aims to address the following key areas:

Identification of assets at risk from cybersecurity threats;
Identification of potential sources of cybersecurity threats;
Assessment of the status of protections in place to prevent or mitigate cybersecurity threats;
Approaches to mitigating and managing cybersecurity risks; and
A process for regular reporting to the Compliance Committee and Board of Directors (directly and through the Audit Committee).

The Company’s risk assessment and mitigation program is centered on the following components:

Identification of significant risks (primarily through enterprise risk assessments);
An evaluation of the likelihood of such risk occurring, the potential impact and the control strength, with consideration for compensating controls to mitigate the risk;
Prioritization of different risk items based on, among other things, the results of our evaluation; and
Establishment of a process for addressing those risks.

Our Internal Audit team reviews, monitors and audits various aspects of the Company’s enterprise risk management program to evaluate whether risks, including cybersecurity risks, are appropriately identified and managed. Internal Audit periodically reports to the Audit Committee on the Company’s cybersecurity risk mitigation efforts. The Audit Committee Chair, in turn, reports to the full Board of Directors.

Our Incident Response Plan (“IRP”) is designed to facilitate rapid incident response to any security incident affecting the Company’s business lines, locations, services, and divisions. The IRP defines the roles and responsibilities for the senior leadership team and cybersecurity experts to identify and respond to cybersecurity events and incidents while complying with legal obligations. The Incident Response Team (“IRT”) is designated by the IRP to assess each cybersecurity incident and event for impacts to the Company, customers, and third-party partners and oversee the response to and remediation of such incident.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Compliance Committee is responsible for understanding the global risk landscape of the Company. The Information Governance and Privacy Committee meets regularly to discuss and monitor information uses and governance and risks associated with our information assets, including prevention, detection, mitigation and remediation of risks from cybersecurity threats.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Information Governance and Privacy Committee meets regularly to discuss and monitor information uses and governance and risks associated with our information assets, including prevention, detection, mitigation and remediation of risks from cybersecurity threats.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true