|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 16K. Cybersecurity
We rely on our technology infrastructure and information systems to interact with our guests, sell our services, utilize our data, support and grow our customer base, and bill, collect and make payments (including processing credit card information). Our technology infrastructure and information systems also support our onboard and onshore operations, as well as our accounting and finance systems and form an integral part of our disclosure and accounting control environment. Our internally developed system and processes, as well as those systems and processes provided by third-party vendors, may be susceptible to damage or interruption from cybersecurity threats, which include any unauthorized access to our information systems that may result in adverse effects on the confidentiality, integrity or availability of such systems or the related information. Potential cybersecurity threats include terrorist or hacker attacks, phishing attacks, the introduction of malicious computer viruses, malware, ransomware, falsification of banking and other information, insider risk or other security breaches. Such attacks have become more and more sophisticated over time, especially as threat actors have become increasingly well-funded. We expect that the sophistication of cyber-threats will continue to evolve as threat actors increase their use of AI and machine-learning technologies. Our board of directors has direct oversight of our management of cybersecurity risks under the direction and supervision of our Executive Vice President, Head of Business Development. Our board of directors receives a comprehensive update on cybersecurity threats and risk mitigation at least annually, and more frequently as relevant.
We have implemented processes to assess, identify and manage cybersecurity risks, including potentially material risks, related to our internal information systems. For example, we established a Cybersecurity Advisory Group, which meets regularly and reports to our Executive Vice President, Head of Business Development. This advisory group is comprised of (1) members of our technology and cybersecurity teams that report to our Executive Vice President, Head of Business Development, some of which have over 15 years of technology and security leadership managing technology and security teams in the travel industry, and (2) officers from our external cybersecurity partner and advisor. Our cybersecurity and technology team leaders have principal responsibility for managing the cybersecurity team, assessing and managing cybersecurity risks and threats, implementing the systems necessary to address such risks and threats and preparing updates for our board of directors.
The Cybersecurity Advisory Group oversees activities related to the monitoring, prevention, detection, mitigation and remediation of cybersecurity risks, and regularly collaborates with industry-leading security partners and professionals with extensive experience and expertise in cybersecurity and risk management. In addition, the Cybersecurity Advisory Group develops and implements cybersecurity risk mitigation strategies and activities throughout the year, including the management of comprehensive
incident response plans, oversees the cybersecurity risks posed by third-party vendors and provides regular updates on cybersecurity-related matters to our Executive Vice President, Head of Business Development and our board of directors.
In addition, we engage subject matter experts such as consultants and auditors to assist us in establishing processes to assess, identify and manage potential and actual cybersecurity threats, to actively monitor our systems internally and to provide forensic assistance to facilitate system recovery in the case of an incident. Our cybersecurity team oversees and establishes the parameters of our engagement with these experts to ensure we obtain the supplement assistance needed in this area, if any.
We have adopted the National Institute of Standards and Technology Cybersecurity Framework to continually evaluate and enhance our cybersecurity procedures. Activities include mandatory quarterly online training for all employees, technical security controls, enhanced data protection, the maintenance of backup and protective systems, policy review and implementation, the evaluation and retention of cybersecurity insurance, periodic assessments of third-party service providers to assess cyber preparedness of key vendors and running simulated cybersecurity drills, including vulnerability scanning and penetration testing. These cybersecurity drills are performed both in-house and by third-party service providers. We use automated tools that monitor, detect and prevent cybersecurity risks and partner with an industry leading cybersecurity and managed security services provider to have a security operations center that operates 24 hours a day to alert us to any potential cybersecurity threats. The Cybersecurity Advisory Group, in accordance with our comprehensive incident response plan, escalates events, including to our executive leadership team, legal team and board of directors, as relevant, according to pre-defined criteria.
If there is a cybersecurity incident, we may suffer interruptions in service, loss of assets or data, or reduced functionality. Many of our systems are not redundant, and our disaster recovery planning does not address every potential outcome of a cybersecurity incident. Security breaches of our systems that results in the loss, disclosure, misappropriation of or access to the personal data (including credit card and other financial information) of our guests, prospective guests, vendors or employees could result in governmental investigations, civil liability, regulatory penalties under laws protecting the privacy of personal data, legal claims or proceedings (such as class actions), the inability to accept credit cards as a form of payment, business interruptions, damages to intangible property or loss of consumer confidence, any of which could adversely affect our business, financial condition and results of operations. Although we take steps to ensure our systems and software are secure, it is possible that a cyber attack could result in the loss or compromise of critical data. An actual or perceived cybersecurity incident could harm our reputation and brand, expose us to potential liability or require us to expend significant resources on data security and in responding to any such actual or perceived breach.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
We rely on our technology infrastructure and information systems to interact with our guests, sell our services, utilize our data, support and grow our customer base, and bill, collect and make payments (including processing credit card information). Our technology infrastructure and information systems also support our onboard and onshore operations, as well as our accounting and finance systems and form an integral part of our disclosure and accounting control environment. Our internally developed system and processes, as well as those systems and processes provided by third-party vendors, may be susceptible to damage or interruption from cybersecurity threats, which include any unauthorized access to our information systems that may result in adverse effects on the confidentiality, integrity or availability of such systems or the related information. Potential cybersecurity threats include terrorist or hacker attacks, phishing attacks, the introduction of malicious computer viruses, malware, ransomware, falsification of banking and other information, insider risk or other security breaches. Such attacks have become more and more sophisticated over time, especially as threat actors have become increasingly well-funded. We expect that the sophistication of cyber-threats will continue to evolve as threat actors increase their use of AI and machine-learning technologies. Our board of directors has direct oversight of our management of cybersecurity risks under the direction and supervision of our Executive Vice President, Head of Business Development. Our board of directors receives a comprehensive update on cybersecurity threats and risk mitigation at least annually, and more frequently as relevant.
We have implemented processes to assess, identify and manage cybersecurity risks, including potentially material risks, related to our internal information systems. For example, we established a Cybersecurity Advisory Group, which meets regularly and reports to our Executive Vice President, Head of Business Development. This advisory group is comprised of (1) members of our technology and cybersecurity teams that report to our Executive Vice President, Head of Business Development, some of which have over 15 years of technology and security leadership managing technology and security teams in the travel industry, and (2) officers from our external cybersecurity partner and advisor. Our cybersecurity and technology team leaders have principal responsibility for managing the cybersecurity team, assessing and managing cybersecurity risks and threats, implementing the systems necessary to address such risks and threats and preparing updates for our board of directors.
The Cybersecurity Advisory Group oversees activities related to the monitoring, prevention, detection, mitigation and remediation of cybersecurity risks, and regularly collaborates with industry-leading security partners and professionals with extensive experience and expertise in cybersecurity and risk management. In addition, the Cybersecurity Advisory Group develops and implements cybersecurity risk mitigation strategies and activities throughout the year, including the management of comprehensive
incident response plans, oversees the cybersecurity risks posed by third-party vendors and provides regular updates on cybersecurity-related matters to our Executive Vice President, Head of Business Development and our board of directors.
In addition, we engage subject matter experts such as consultants and auditors to assist us in establishing processes to assess, identify and manage potential and actual cybersecurity threats, to actively monitor our systems internally and to provide forensic assistance to facilitate system recovery in the case of an incident. Our cybersecurity team oversees and establishes the parameters of our engagement with these experts to ensure we obtain the supplement assistance needed in this area, if any.
We have adopted the National Institute of Standards and Technology Cybersecurity Framework to continually evaluate and enhance our cybersecurity procedures. Activities include mandatory quarterly online training for all employees, technical security controls, enhanced data protection, the maintenance of backup and protective systems, policy review and implementation, the evaluation and retention of cybersecurity insurance, periodic assessments of third-party service providers to assess cyber preparedness of key vendors and running simulated cybersecurity drills, including vulnerability scanning and penetration testing. These cybersecurity drills are performed both in-house and by third-party service providers. We use automated tools that monitor, detect and prevent cybersecurity risks and partner with an industry leading cybersecurity and managed security services provider to have a security operations center that operates 24 hours a day to alert us to any potential cybersecurity threats. The Cybersecurity Advisory Group, in accordance with our comprehensive incident response plan, escalates events, including to our executive leadership team, legal team and board of directors, as relevant, according to pre-defined criteria.
If there is a cybersecurity incident, we may suffer interruptions in service, loss of assets or data, or reduced functionality. Many of our systems are not redundant, and our disaster recovery planning does not address every potential outcome of a cybersecurity incident. Security breaches of our systems that results in the loss, disclosure, misappropriation of or access to the personal data (including credit card and other financial information) of our guests, prospective guests, vendors or employees could result in governmental investigations, civil liability, regulatory penalties under laws protecting the privacy of personal data, legal claims or proceedings (such as class actions), the inability to accept credit cards as a form of payment, business interruptions, damages to intangible property or loss of consumer confidence, any of which could adversely affect our business, financial condition and results of operations. Although we take steps to ensure our systems and software are secure, it is possible that a cyber attack could result in the loss or compromise of critical data. An actual or perceived cybersecurity incident could harm our reputation and brand, expose us to potential liability or require us to expend significant resources on data security and in responding to any such actual or perceived breach.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our board of directors has direct oversight of our management of cybersecurity risks under the direction and supervision of our Executive Vice President, Head of Business Development.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our board of directors receives a comprehensive update on cybersecurity threats and risk mitigation at least annually, and more frequently as relevant.
|Cybersecurity Risk Role of Management [Text Block]
|
We have implemented processes to assess, identify and manage cybersecurity risks, including potentially material risks, related to our internal information systems. For example, we established a Cybersecurity Advisory Group, which meets regularly and reports to our Executive Vice President, Head of Business Development. This advisory group is comprised of (1) members of our technology and cybersecurity teams that report to our Executive Vice President, Head of Business Development, some of which have over 15 years of technology and security leadership managing technology and security teams in the travel industry, and (2) officers from our external cybersecurity partner and advisor. Our cybersecurity and technology team leaders have principal responsibility for managing the cybersecurity team, assessing and managing cybersecurity risks and threats, implementing the systems necessary to address such risks and threats and preparing updates for our board of directors.
The Cybersecurity Advisory Group oversees activities related to the monitoring, prevention, detection, mitigation and remediation of cybersecurity risks, and regularly collaborates with industry-leading security partners and professionals with extensive experience and expertise in cybersecurity and risk management. In addition, the Cybersecurity Advisory Group develops and implements cybersecurity risk mitigation strategies and activities throughout the year, including the management of comprehensive
incident response plans, oversees the cybersecurity risks posed by third-party vendors and provides regular updates on cybersecurity-related matters to our Executive Vice President, Head of Business Development and our board of directors.
In addition, we engage subject matter experts such as consultants and auditors to assist us in establishing processes to assess, identify and manage potential and actual cybersecurity threats, to actively monitor our systems internally and to provide forensic assistance to facilitate system recovery in the case of an incident. Our cybersecurity team oversees and establishes the parameters of our engagement with these experts to ensure we obtain the supplement assistance needed in this area, if any.
We have adopted the National Institute of Standards and Technology Cybersecurity Framework to continually evaluate and enhance our cybersecurity procedures. Activities include mandatory quarterly online training for all employees, technical security controls, enhanced data protection, the maintenance of backup and protective systems, policy review and implementation, the evaluation and retention of cybersecurity insurance, periodic assessments of third-party service providers to assess cyber preparedness of key vendors and running simulated cybersecurity drills, including vulnerability scanning and penetration testing. These cybersecurity drills are performed both in-house and by third-party service providers. We use automated tools that monitor, detect and prevent cybersecurity risks and partner with an industry leading cybersecurity and managed security services provider to have a security operations center that operates 24 hours a day to alert us to any potential cybersecurity threats. The Cybersecurity Advisory Group, in accordance with our comprehensive incident response plan, escalates events, including to our executive leadership team, legal team and board of directors, as relevant, according to pre-defined criteria.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Cybersecurity Advisory Group, which meets regularly and reports to our Executive Vice President, Head of Business Development. This advisory group is comprised of (1) members of our technology and cybersecurity teams that report to our Executive Vice President, Head of Business Development
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|some of which have over 15 years of technology and security leadership managing technology and security teams in the travel industry, and (2) officers from our external cybersecurity partner and advisor. Our cybersecurity and technology team leaders have principal responsibility for managing the cybersecurity team, assessing and managing cybersecurity risks and threats, implementing the systems necessary to address such risks and threats and preparing updates for our board of directors.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Cybersecurity Advisory Group oversees activities related to the monitoring, prevention, detection, mitigation and remediation of cybersecurity risks, and regularly collaborates with industry-leading security partners and professionals with extensive experience and expertise in cybersecurity and risk management. In addition, the Cybersecurity Advisory Group develops and implements cybersecurity risk mitigation strategies and activities throughout the year, including the management of comprehensiveincident response plans, oversees the cybersecurity risks posed by third-party vendors
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef