|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We manage risks from cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K, through our overall enterprise risk management process, which is overseen by our Board. As part of our enterprise risk management process, management has established a global information security program, which encompasses a dedicated team and policies, procedures, and processes for assessing, identifying, and managing risks from cybersecurity threats. These policies, procedures, and processes are informed by recognized frameworks established by the National Institute of Standards and Technology (“NIST”) and the International Organization for Standardization, as well as other relevant standards. Our program is designed to maintain the confidentiality, integrity, security, and availability of the data that is created, collected, stored, and used to operate our business.
We assess, identify, and manage risks from cybersecurity threats through various mechanisms, which from time to time may include tabletop exercises, business unit assessments, control gap analyses, threat modeling, impact analyses, internal audits, external audits, vulnerability scans, penetration tests, and engagement of third parties to conduct analyses of our information security program. We obtain cybersecurity threat intelligence from recognized forums, third parties, and other sources as part of our risk assessment process. We also maintain a risk-based approach for assessing, identifying, and managing risks from cybersecurity threats associated with key third-party service providers, hotel owners, and other companies with whom we do business.
With respect to information security incident response, we maintain a Global Information Security & Privacy Incident Response Plan (“IRP”), which applies to information security incidents involving properties owned, leased, or managed by Marriott, as well as our above-property business locations. Our IRP sets out a coordinated, multi-functional approach for investigating, containing, and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate.
For properties that are not owned, leased, or managed by Marriott, the franchisees, licensees, or other applicable counterparties are generally responsible for information security at such properties and the systems and business processes related to information security that are under their direction and control. Franchisees and licensees are typically required to comply with Marriott brand standards relating to information security, which include an obligation to report relevant information security incidents to us.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We manage risks from cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K, through our overall enterprise risk management process, which is overseen by our Board. As part of our enterprise risk management process, management has established a global information security program, which encompasses a dedicated team and policies, procedures, and processes for assessing, identifying, and managing risks from cybersecurity threats.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board has established a Technology and Information Security Oversight Committee (“TISOC”) to assist the Board in providing oversight of matters pertaining to technology platforms and systems, information security, and privacy, including risks from cybersecurity threats; management’s efforts to monitor, provide governance over, and mitigate those risks; significant cybersecurity incidents; and emerging technology and trends, including AI. The TISOC meets at least four times per year and receives reports from our global information security team and other members of management about these matters. The Board’s Audit Committee, which assists the Board in providing oversight of matters pertaining to the Company’s internal control environment, compliance with legal and regulatory requirements, and risk assessment policies and procedures, receives reports regarding information security and technology-related audits conducted by our internal audit department. Risks from cybersecurity threats are also discussed with the full Board as part of regular legal updates and management presentations, the Board’s oversight of enterprise risk management, and periodic education sessions.
To establish, implement, and evaluate our risk management policies and practices with respect to cybersecurity threats, and to facilitate the communication of such matters to the Board, the TISOC, and the Audit Committee, as applicable, we have established a number of management committees, several of which include senior leaders and direct reports of the Company’s President and CEO, that serve as our policymaking and management-level governing bodies with respect to our information security, data privacy, and AI programs; oversee the implementation of our information security, data privacy, and AI risk management strategy; and identify, consider, and escalate information security, data privacy, and AI issues that may arise in our business.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board has established a Technology and Information Security Oversight Committee (“TISOC”) to assist the Board in providing oversight of matters pertaining to technology platforms and systems, information security, and privacy, including risks from cybersecurity threats; management’s efforts to monitor, provide governance over, and mitigate those risks; significant cybersecurity incidents; and emerging technology and trends, including AI.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The TISOC meets at least four times per year and receives reports from our global information security team and other members of management about these matters. The Board’s Audit Committee, which assists the Board in providing oversight of matters pertaining to the Company’s internal control environment, compliance with legal and regulatory requirements, and risk assessment policies and procedures, receives reports regarding information security and technology-related audits conducted by our internal audit department. Risks from cybersecurity threats are also discussed with the full Board as part of regular legal updates and management presentations, the Board’s oversight of enterprise risk management, and periodic education sessions.
|Cybersecurity Risk Role of Management [Text Block]
|
To establish, implement, and evaluate our risk management policies and practices with respect to cybersecurity threats, and to facilitate the communication of such matters to the Board, the TISOC, and the Audit Committee, as applicable, we have established a number of management committees, several of which include senior leaders and direct reports of the Company’s President and CEO, that serve as our policymaking and management-level governing bodies with respect to our information security, data privacy, and AI programs; oversee the implementation of our information security, data privacy, and AI risk management strategy; and identify, consider, and escalate information security, data privacy, and AI issues that may arise in our business.
Our global information security team led by our Chief Information Security Officer (“CISO”) works in coordination with these management committees and other cross-functional teams and is principally responsible for overseeing our information security strategy, working collaboratively with business leaders across the organization to assess, identify, and manage risks from cybersecurity threats, and to address cybersecurity incidents when they arise. Our information security program is operated on a 24/7 basis to address risks from cybersecurity threats and to respond to cybersecurity incidents globally. Cybersecurity incidents are escalated to our CISO and members of our global information security team, members of senior management, and members of the Board to the extent required under our IRP.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
To establish, implement, and evaluate our risk management policies and practices with respect to cybersecurity threats, and to facilitate the communication of such matters to the Board, the TISOC, and the Audit Committee, as applicable, we have established a number of management committees, several of which include senior leaders and direct reports of the Company’s President and CEO, that serve as our policymaking and management-level governing bodies with respect to our information security, data privacy, and AI programs; oversee the implementation of our information security, data privacy, and AI risk management strategy; and identify, consider, and escalate information security, data privacy, and AI issues that may arise in our business.
Our global information security team led by our Chief Information Security Officer (“CISO”) works in coordination with these management committees and other cross-functional teams and is principally responsible for overseeing our information security strategy, working collaboratively with business leaders across the organization to assess, identify, and manage risks from cybersecurity threats, and to address cybersecurity incidents when they arise. Our information security program is operated on a 24/7 basis to address risks from cybersecurity threats and to respond to cybersecurity incidents globally. Cybersecurity incidents are escalated to our CISO and members of our global information security team, members of senior management, and members of the Board to the extent required under our IRP.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our CISO and other members of senior management responsible for our information security program have extensive experience assessing and managing risks from cybersecurity threats, including decades of experience in information technology and information security positions; serving in information technology leadership positions at other large public companies; and having other significant experience in the areas of risk management, information technology, and information security. Our current CISO will be departing the Company voluntarily in late February 2026 for a position in another industry. We are undertaking a search for his replacement and expect to appoint a new CISO. Prior to such appointment, we intend to appoint an information security professional with appropriate expertise to act in an interim capacity to oversee our global information security program who will report to our Global Chief Information Officer and perform the CISO functions.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
To establish, implement, and evaluate our risk management policies and practices with respect to cybersecurity threats, and to facilitate the communication of such matters to the Board, the TISOC, and the Audit Committee, as applicable, we have established a number of management committees, several of which include senior leaders and direct reports of the Company’s President and CEO, that serve as our policymaking and management-level governing bodies with respect to our information security, data privacy, and AI programs; oversee the implementation of our information security, data privacy, and AI risk management strategy; and identify, consider, and escalate information security, data privacy, and AI issues that may arise in our business.
Our global information security team led by our Chief Information Security Officer (“CISO”) works in coordination with these management committees and other cross-functional teams and is principally responsible for overseeing our information security strategy, working collaboratively with business leaders across the organization to assess, identify, and manage risks from cybersecurity threats, and to address cybersecurity incidents when they arise. Our information security program is operated on a 24/7 basis to address risks from cybersecurity threats and to respond to cybersecurity incidents globally. Cybersecurity incidents are escalated to our CISO and members of our global information security team, members of senior management, and members of the Board to the extent required under our IRP.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef