|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
As discussed in Part I, Item 3.D – Risk Factors, the Company faces an evolving cybersecurity and information security risk landscape that could impact the achievement of strategic, financial and operational objectives. While it is not possible to identify or anticipate every cybersecurity and information security risk, the Company has developed, implemented, and maintained cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. These include processes for assessing, identifying, and managing material risks from cyber and information security threats, which are incorporated into the Company’s enterprise risk management program, and we test, evaluate, and evolve our processes, security measures, and incident response, as appropriate.
To operate the business and provide products and services to our customers, the Company owns and maintains or works with third parties to employ various information systems, or electronic information resources. These information systems include physical or virtual infrastructure controlled by such information resources (or components thereof), organized and overseen by the Global Information Security (“GIS”) team in collaboration with the business to collect, process, maintain, use, share, disseminate or dispose of the Company’s information to maintain and support operations. The Chief Information Officer (the “CIO”) leads the GIS function of the Company.
GIS maintains information and cyber security risk management practices and processes designed to identify, analyze, evaluate and address various cybersecurity threats faced by the Company. Any potential cybersecurity incident could adversely affect the confidentiality, integrity or availability of our information systems or any information residing therein, and these threats include external attempts to breach and compromise systems, social engineering, insider threats, mishandling of or failure to comply with security policies and not adhering to published guidance on how to operate in accordance with cybersecurity practices. To mitigate our cybersecurity risk, GIS has designed various cybersecurity processes to prevent, detect, report, mitigate and remediate threats and vulnerabilities and protect the confidentiality, integrity and availability of information. Under the supervision of the CIO, the Chief Information Security Officer (the “CISO”) oversees the Company’s information security programs maintained throughout the organization and ensures the integration of policies, procedures and controls into business processes.
GIS performs certain operational aspects of the information and cyber security program by partnering with business units and senior management to conduct ongoing impact and risk assessment. The GIS team serves as the Company’s first level of information and cyber security defense monitoring, with responsibility for identifying and escalating cybersecurity incidents pursuant to established internal procedures. When a cybersecurity incident occurs, GIS coordinates and provides timely, organized, and informed responses to mitigate the damage or loss to the Company’s IT systems, network and data and to minimize economic, reputational and other harms to the Company and its customers, employees and partners.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
To operate the business and provide products and services to our customers, the Company owns and maintains or works with third parties to employ various information systems, or electronic information resources. These information systems include physical or virtual infrastructure controlled by such information resources (or components thereof), organized and overseen by the Global Information Security (“GIS”) team in collaboration with the business to collect, process, maintain, use, share, disseminate or dispose of the Company’s information to maintain and support operations. The Chief Information Officer (the “CIO”) leads the GIS function of the Company.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
To support the effectiveness of the information and cyber security risk management practices, the Company has implemented a program and governance model that describes the roles, responsibilities and expectations across the Company:
•Board and Audit Committee: The Board reviews the adequacy and effectiveness of the Company’s cyber and information security program, including the various policies, practices, and internal controls. The Audit Committee holds dedicated sessions to receive and discuss updates on data protection and cybersecurity and engages with management on the Company’s incident prevention plans and policies, threat-detection measures and prompt response to malicious activity and attacks. Through the Audit Committee, the Board receives periodic updates on cyber security risk oversight and related matters, including the receipt of annual reports on cyber and information security from the CIO, CISO, and Audit Committee.
•Information and Cyber Security Program Owners: The Senior Vice President, CIO, and Vice President, CISO own the GIS Information and Cyber Security Program. The CISO operates the Company’s cyber and information security program under the direct supervision of the CIO, and the CIO reports directly into the Company’s CFO.
•Information and Security Governance Committee (or the “ISGC”): The ISGC, comprised of senior management and led by the CISO, reviews GIS policies, standards and other governance documents at least annually, or upon need of a significant change. Decisions and recommendations from the committee are communicated to executive management and the Board, as appropriate, by the CISO.
•Cybersecurity Incident Response Committee (or the “CIRC”): The Company has established a cross-functional CIRC charged with reviewing significant cybersecurity incidents escalated by the CISO to complete a materiality analysis to support the identification of appropriate steps, which may include disclosure in accordance with applicable SEC rules and regulation and other law.
•Senior Management: Senior management is responsible for collaborating with GIS to implement information and cyber security processes into business operations or functional areas, as appropriate.
Cybersecurity and Our Products and Services
Customers entrust the Company to safeguard their data, and GIS ensures that trust with teams dedicated to maintaining that confidentiality, integrity, and availability of customer data. GIS identifies cybersecurity risks and tracks mitigation activities, testing and monitoring of the operational effectiveness of controls to ensure business commitments are achieved. In addition to internal management of data security controls, GIS undergoes third-party assessments each year to validate that controls are suitably designed and operating effectively. These independent assessments include: (i) internal risk assessments; (ii) System and Organizational Controls (“SOC”) 1, SOC 2, and SOC 3 audits; (iii) Payment Card Industry assessments; (iv) World Lottery Association assessments; and (v) ISO 27001 certification audits.
GIS has incorporated secure practices into the software development lifecycle, which includes risk assessments of projects, rigorous testing of application and network changes, issue tracking to resolution prior to deployment of changes, governance over our environment and providing a structured, measurable process to ensure solutions are managed and sustainable with a security focus.
IGT’s Global Information Security Management System (“ISMS”) addresses security concerns related to safeguarding customer data by guiding the management of the overall information security management framework and developing information security documentation, including security policies, security standards and protocols or procedures. The goals pursued by ISMS include:
•Complying with business, legal, and regulatory requirements to maintain the confidentiality, integrity and availability of IGT information assets and services;
•Implementing industry best practices at the program, process and system levels;
•Maintaining IGT’s ability to continue services in the face of events and major disruptions;
•Implementing controls to protect IGT information against theft, abuse and other forms of harm or loss; and
•Designing and implementing a system of internal controls designed to protect IGT and its stakeholders.
IGT’s GIS team focuses on early detection of risks, including cybersecurity threats, through a variety of testing methods that are selected and implemented to align with industry best practices, which include penetration and vulnerability scanning of systems and environments. Findings from these tests are tracked to remediation and reported to executive management (including the Chief Financial Officer, General Counsel, Chief Accounting Officer, and Chief Audit Executive) and the Audit Committee.
In addition to the Company’s monitoring capabilities, internal and external parties can also escalate a suspected information or cyber security threat to GIS through an automated reporting system. As needed, the GIS team coordinates a response with other departments (including the Legal department and executive team) by way of the CISO. If management deems a cybersecurity incident material, the Company will report the cybersecurity incident consistent with applicable rules and regulations, including those of the SEC. GIS also introduced the Third-Party Risk Assessments program to evaluate the potential impact of IGT vendors on the business from various security threat vectors and monitors the overall cyber security health of IGT’s critical vendors. Information security monitoring of vendors is managed through GIS, in collaboration with the Company’s procurement team.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Board and Audit Committee: The Board reviews the adequacy and effectiveness of the Company’s cyber and information security program, including the various policies, practices, and internal controls. The Audit Committee holds dedicated sessions to receive and discuss updates on data protection and cybersecurity and engages with management on the Company’s incident prevention plans and policies, threat-detection measures and prompt response to malicious activity and attacks. Through the Audit Committee, the Board receives periodic updates on cyber security risk oversight and related matters, including the receipt of annual reports on cyber and information security from the CIO, CISO, and Audit Committee.
•Information and Cyber Security Program Owners: The Senior Vice President, CIO, and Vice President, CISO own the GIS Information and Cyber Security Program. The CISO operates the Company’s cyber and information security program under the direct supervision of the CIO, and the CIO reports directly into the Company’s CFO.
•Information and Security Governance Committee (or the “ISGC”): The ISGC, comprised of senior management and led by the CISO, reviews GIS policies, standards and other governance documents at least annually, or upon need of a significant change. Decisions and recommendations from the committee are communicated to executive management and the Board, as appropriate, by the CISO.
•Cybersecurity Incident Response Committee (or the “CIRC”): The Company has established a cross-functional CIRC charged with reviewing significant cybersecurity incidents escalated by the CISO to complete a materiality analysis to support the identification of appropriate steps, which may include disclosure in accordance with applicable SEC rules and regulation and other law.
•Senior Management: Senior management is responsible for collaborating with GIS to implement information and cyber security processes into business operations or functional areas, as appropriate.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Information and Security Governance Committee (or the “ISGC”): The ISGC, comprised of senior management and led by the CISO, reviews GIS policies, standards and other governance documents at least annually, or upon need of a significant change. Decisions and recommendations from the committee are communicated to executive management and the Board, as appropriate, by the CISO.
|Cybersecurity Risk Role of Management [Text Block]
|Board and Audit Committee: The Board reviews the adequacy and effectiveness of the Company’s cyber and information security program, including the various policies, practices, and internal controls. The Audit Committee holds dedicated sessions to receive and discuss updates on data protection and cybersecurity and engages with management on the Company’s incident prevention plans and policies, threat-detection measures and prompt response to malicious activity and attacks. Through the Audit Committee, the Board receives periodic updates on cyber security risk oversight and related matters, including the receipt of annual reports on cyber and information security from the CIO, CISO, and Audit Committee.
•Information and Cyber Security Program Owners: The Senior Vice President, CIO, and Vice President, CISO own the GIS Information and Cyber Security Program. The CISO operates the Company’s cyber and information security program under the direct supervision of the CIO, and the CIO reports directly into the Company’s CFO.
•Information and Security Governance Committee (or the “ISGC”): The ISGC, comprised of senior management and led by the CISO, reviews GIS policies, standards and other governance documents at least annually, or upon need of a significant change. Decisions and recommendations from the committee are communicated to executive management and the Board, as appropriate, by the CISO.
•Cybersecurity Incident Response Committee (or the “CIRC”): The Company has established a cross-functional CIRC charged with reviewing significant cybersecurity incidents escalated by the CISO to complete a materiality analysis to support the identification of appropriate steps, which may include disclosure in accordance with applicable SEC rules and regulation and other law.
•Senior Management: Senior management is responsible for collaborating with GIS to implement information and cyber security processes into business operations or functional areas, as appropriate.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Board and Audit Committee: The Board reviews the adequacy and effectiveness of the Company’s cyber and information security program, including the various policies, practices, and internal controls. The Audit Committee holds dedicated sessions to receive and discuss updates on data protection and cybersecurity and engages with management on the Company’s incident prevention plans and policies, threat-detection measures and prompt response to malicious activity and attacks. Through the Audit Committee, the Board receives periodic updates on cyber security risk oversight and related matters, including the receipt of annual reports on cyber and information security from the CIO, CISO, and Audit Committee.
•Information and Cyber Security Program Owners: The Senior Vice President, CIO, and Vice President, CISO own the GIS Information and Cyber Security Program. The CISO operates the Company’s cyber and information security program under the direct supervision of the CIO, and the CIO reports directly into the Company’s CFO.
•Information and Security Governance Committee (or the “ISGC”): The ISGC, comprised of senior management and led by the CISO, reviews GIS policies, standards and other governance documents at least annually, or upon need of a significant change. Decisions and recommendations from the committee are communicated to executive management and the Board, as appropriate, by the CISO.
•Cybersecurity Incident Response Committee (or the “CIRC”): The Company has established a cross-functional CIRC charged with reviewing significant cybersecurity incidents escalated by the CISO to complete a materiality analysis to support the identification of appropriate steps, which may include disclosure in accordance with applicable SEC rules and regulation and other law.
•Senior Management: Senior management is responsible for collaborating with GIS to implement information and cyber security processes into business operations or functional areas, as appropriate.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Board and Audit Committee: The Board reviews the adequacy and effectiveness of the Company’s cyber and information security program, including the various policies, practices, and internal controls. The Audit Committee holds dedicated sessions to receive and discuss updates on data protection and cybersecurity and engages with management on the Company’s incident prevention plans and policies, threat-detection measures and prompt response to malicious activity and attacks. Through the Audit Committee, the Board receives periodic updates on cyber security risk oversight and related matters, including the receipt of annual reports on cyber and information security from the CIO, CISO, and Audit Committee.
•Information and Cyber Security Program Owners: The Senior Vice President, CIO, and Vice President, CISO own the GIS Information and Cyber Security Program. The CISO operates the Company’s cyber and information security program under the direct supervision of the CIO, and the CIO reports directly into the Company’s CFO.
•Information and Security Governance Committee (or the “ISGC”): The ISGC, comprised of senior management and led by the CISO, reviews GIS policies, standards and other governance documents at least annually, or upon need of a significant change. Decisions and recommendations from the committee are communicated to executive management and the Board, as appropriate, by the CISO.
•Cybersecurity Incident Response Committee (or the “CIRC”): The Company has established a cross-functional CIRC charged with reviewing significant cybersecurity incidents escalated by the CISO to complete a materiality analysis to support the identification of appropriate steps, which may include disclosure in accordance with applicable SEC rules and regulation and other law.
•Senior Management: Senior management is responsible for collaborating with GIS to implement information and cyber security processes into business operations or functional areas, as appropriate.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Information and Security Governance Committee (or the “ISGC”): The ISGC, comprised of senior management and led by the CISO, reviews GIS policies, standards and other governance documents at least annually, or upon need of a significant change. Decisions and recommendations from the committee are communicated to executive management and the Board, as appropriate, by the CISO.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true