|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity
To effectively identify, assess and manage risks from cybersecurity threats, the Company maintains a cybersecurity and cyber risk management program which is comprised of the Company-wide cybersecurity strategy and its supporting policies, processes and architecture. This program is part of the Company’s enterprise risk management program.
Risk Management Strategy
The Director of Information Technology, who reports to the Chief Financial Officer, has extensive information technology (“IT”) and cybersecurity knowledge and skills gained from over 15 years of relevant work experience at the Company, and is responsible for leading the Company’s cybersecurity and cyber risk management program which includes certain cybersecurity processes covering the Company’s corporate systems. These processes include, among other items, the Company’s information technology and risk management departments’ use of an internal set of applications and control activities to actively monitor potential threats to its corporate IT environment and regularly conduct internal testing to identify potential vulnerabilities to the Company’s corporate information technology infrastructure and systems. These activities include, but are not limited to, continuous monitoring of network and infrastructure vulnerabilities, automated patching and software updates, redundancy and back-up systems, and incident response planning and handling. The Company’s employees are required to report cybersecurity events, including suspicious activity or emails, to the Company’s information technology department. Should a cybersecurity event occur within its corporate systems, the Company is positioned to coordinate a swift response to mitigate impacts to its information technology infrastructure and systems. The Company has in place an incident response plan which provides guidance for leadership and employees to swiftly evaluate and respond to cybersecurity incidents. The Company also carries cybersecurity insurance to further mitigate certain potential losses from a cybersecurity incident affecting its corporate IT equipment and systems.
The Company’s cybersecurity processes also include self-assessments using industry benchmarks as well as input from external industry consultants and ongoing communication with third-party business partners to identify cybersecurity incidents and threats that could potentially impact the Company. The Company has relationships with a number of third-party business partners to assist with cybersecurity incident containment and recovery efforts and assesses the processes and tools used by its third-party business partners to manage their cybersecurity risks. The Company uses a risk-based approach with respect to its use and oversight of third-party service providers, tailoring processes according to the nature and sensitivity of network connectivity or of data accessed, processed, or stored by such third-party service provider.
The Company’s corporate IT systems are not used to process business transactions with its guests and those systems currently have no connectivity to hotel and/or third-party management and brand technology platforms. The Company’s information technology and risk management departments regularly engage with its third-party management companies and brands to understand and benchmark their execution and alignment with applicable policies and industry practices for data protection and cybersecurity.
Management and Board Oversight
The Company’s Board of Directors administers cybersecurity risk oversight primarily through its Audit Committee. The Board’s Audit Committee is tasked with oversight responsibility for the Company’s enterprise risk management program, including those related to cybersecurity and cyber risks. The Audit Committee receives regular reports from the Chief Financial Officer on, among other things: the Company’s cybersecurity risks and threats; the status of projects to strengthen the Company’s information security systems; internal and third-party assessments of the Company’s cybersecurity program; and the emerging cyber threat landscape. The Audit Committee also receives updates on cybersecurity incidents experienced by third-party business partners that may pose significant risk to the Company. The Audit Committee provides periodic reporting to the Board of Directors on cybersecurity matters. The Company’s IT and risk management departments report directly to the Chief Financial Officer and are directed to promptly report incidents to the Chief Financial Officer in accordance with the Company’s incident response plan. The Chief Financial Officer also apprises the Audit Committee of cybersecurity incidents consistent with the Company’s incident response procedures for more significant incidents and in the aggregate for less significant incidents.
Cybersecurity Risks
The Company faces a number of cybersecurity risks in connection with its business, although such risks have not materially affected the Company, including its business strategy, results of operations or financial condition, to date. While the Company is not aware of any cybersecurity incidents that have materially affected its business as of December 31, 2024, there can be no guarantee that the Company will not be the subject of future attacks, threats or incidents, that may have a material impact on its business strategy, results of operations or financial condition. Notwithstanding the extensive approach the Company takes to address cybersecurity, it may not be successful in preventing or mitigating all cybersecurity incidents or threats. For more information about the cybersecurity risks the Company faces, see the risk factor entitled “Technology is used in operations, and any material failure, inadequacy, interruption or security failure of that technology from cyber-attacks or other events could harm the Company’s business” in Item 1A- Risk Factors.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Company’s Board of Directors administers cybersecurity risk oversight primarily through its Audit Committee. The Board’s Audit Committee is tasked with oversight responsibility for the Company’s enterprise risk management program, including those related to cybersecurity and cyber risks. The Audit Committee receives regular reports from the Chief Financial Officer on, among other things: the Company’s cybersecurity risks and threats; the status of projects to strengthen the Company’s information security systems; internal and third-party assessments of the Company’s cybersecurity program; and the emerging cyber threat landscape. The Audit Committee also receives updates on cybersecurity incidents experienced by third-party business partners that may pose significant risk to the Company. The Audit Committee provides periodic reporting to the Board of Directors on cybersecurity matters.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company’s Board of Directors administers cybersecurity risk oversight primarily through its Audit Committee.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board’s Audit Committee is tasked with oversight responsibility for the Company’s enterprise risk management program, including those related to cybersecurity and cyber risks. The Audit Committee receives regular reports from the Chief Financial Officer on, among other things: the Company’s cybersecurity risks and threats; the status of projects to strengthen the Company’s information security systems; internal and third-party assessments of the Company’s cybersecurity program; and the emerging cyber threat landscape. The Audit Committee also receives updates on cybersecurity incidents experienced by third-party business partners that may pose significant risk to the Company. The Audit Committee provides periodic reporting to the Board of Directors on cybersecurity matters.
|Cybersecurity Risk Role of Management [Text Block]
|The Company’s IT and risk management departments report directly to the Chief Financial Officer and are directed to promptly report incidents to the Chief Financial Officer in accordance with the Company’s incident response plan. The Chief Financial Officer also apprises the Audit Committee of cybersecurity incidents consistent with the Company’s incident response procedures for more significant incidents and in the aggregate for less significant incidents.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Company’s IT and risk management departments report directly to the Chief Financial Officer and are directed to promptly report incidents to the Chief Financial Officer in accordance with the Company’s incident response plan.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Director of Information Technology, who reports to the Chief Financial Officer, has extensive information technology (“IT”) and cybersecurity knowledge and skills gained from over 15 years of relevant work experience at the Company
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Company’s IT and risk management departments report directly to the Chief Financial Officer and are directed to promptly report incidents to the Chief Financial Officer in accordance with the Company’s incident response plan. The Chief Financial Officer also apprises the Audit Committee of cybersecurity incidents consistent with the Company’s incident response procedures for more significant incidents and in the aggregate for less significant incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef