Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Cybersecurity
Cybersecurity governance
IHG’s Board of Directors is ultimately accountable for establishing a framework of prudent and effective controls, which enable risk to be assessed and managed. Management, including the Chief Information Security Officer (CISO) and our cybersecurity team, regularly update the Board on the company’s cybersecurity programmes, material risks and mitigation strategies and provide status and risk reports at least annually. The Audit Committee reviews the appropriateness of IHG’s risk management and internal control framework to address risks and has allocated particular attention to cybersecurity and governance in the context of previous criminal, unauthorised access to the Group’s technology systems.
Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programmes. This is guided by periodic external third-party assessment of IHG’s cyber risks and the maturity of the cybersecurity programme. The cyber incident response framework uses defined playbooks, coordinating with external incident response groups and aligning with wider IHG crisis management and escalation protocols, including triggers for reporting to senior management, Board of Directors and external parties where required.
IHG’s CISO has overall responsibility for the Information Security strategy and the development and management of the associated programme. The CISO was hired by IHG in 2018 from Invesco, a global investment management company, where he built and ran the cybersecurity programme as CISO for more than 10 years. The CISO is supported by a dedicated, certified and experienced in-house team, complemented by outsourced groups for performing either highly repetitive or operational tasks or for very specialised skillsets such as penetration testing or cyber forensics.
The CISO receives reports from the team to enable the monitoring of the prevention, detection, mitigation, and remediation of cybersecurity incidents.
IHG employs several independent or third-party mechanisms to provide a level of assurance that the different information security capabilities are operating effectively and assessment of risk is also informed by observations arising from a variety of independent auditing either from IHG’s Internal Audit function or as part of regulatory compliance work performed including Sarbanes-Oxley, HIPAA, SWIFT, SOC-1 and MLPS (China). As noted above, periodic external assessments are also conducted of the maturity of the cybersecurity programme, which are also reported to the Board of Directors.
Cybersecurity risk management
Cybersecurity is an integral part of IHG’s overall risk management and internal control framework. Our information security risk management programme follows the National Institute of Standards and Technology Cyber Security Framework and supports the identification of the systems, data, and other information assets that are considered most sensitive from a confidentiality perspective, or most critical from an availability perspective. These include guest data, credit card data, pre-public financial information, and revenue generating applications.
Standards, policies and procedures are in place to manage how personal data can be used and protected across IHG, including a requirement for participation by all employees in annual e-learning training on handling information responsibly.
The Information Security programme incorporates:
 
Engagement with leaders from other IHG business functions, including to identify and assess cybersecurity threats, and to act as point of contact for escalation of issues and incidents.
 
User awareness and colleague engagement, including communications to corporate and hotel teams on changing threats and phishing simulation exercises to raise risk awareness.
 
Maintenance of information risk management processes including a risk register and standard contract language.
Risk assessment of third parties based on access to IHG systems, data, and operational reliance using a combination of manual procedures, for example, completion of security questionnaires, and independent cyber risk scoring. Critical rated third parties are reviewed annually.
 
Security compliance to coordinate required tracking of compliance for applicable regulations and standards, including remediation of any regulatory and audit findings.
 
Security engineering and architecture to define, implement and maintain standards for the secure use of core technology platforms and solutions, including new technology solutions and potential business partners and acquisitions.
 
Assessment of the security of individual business applications and platforms, including good security hygiene within coding.
 
Vulnerability management for all technical components of infrastructure and core application platforms.
 
Identity and access management for global platforms and solutions, including privileged access management, and loyalty account members.
 
Cyber threat intelligence relationships with worldwide law enforcement and intelligence sharing organisations, profiling likely threat actors and methods, and providing insight on threat levels.
 
Security operations monitoring, triaging alerts to facilitate response and action within agreed service level agreements.
 
Cyber incident response using agreed and practised playbooks for security events, coordinating with external incident response groups and wider IHG crisis protocols, and deploying tabletop exercises to simulate scenarios and identify potential gaps in response.
 
Center of Excellence project management, continuous process improvement, tracking of key performance metrics, change management, and communications to internal, executive and external stakeholder groups.
 
In 2024 we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident.
As we explained in our 6 and 29 September 2022 Stock Exchange Announcements, parts of our technology systems were subject to unauthorised activity, causing disruption to our booking channels and other applications. In line with our crisis management framework, teams across IHG came together to evaluate and address the incident, supported by external specialists. No evidence of unauthorised access to systems storing guest data was identified. The Board was engaged throughout the incident response.
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] As we explained in our 6 and 29 September 2022 Stock Exchange Announcements, parts of our technology systems were subject to unauthorised activity, causing disruption to our booking channels and other applications. In line with our crisis management framework, teams across IHG came together to evaluate and address the incident, supported by external specialists. No evidence of unauthorised access to systems storing guest data was identified. The Board was engaged throughout the incident response.
Cybersecurity Risk Board of Directors Oversight [Text Block]
Cybersecurity
Cybersecurity governance
IHG’s Board of Directors is ultimately accountable for establishing a framework of prudent and effective controls, which enable risk to be assessed and managed. Management, including the Chief Information Security Officer (CISO) and our cybersecurity team, regularly update the Board on the company’s cybersecurity programmes, material risks and mitigation strategies and provide status and risk reports at least annually. The Audit Committee reviews the appropriateness of IHG’s risk management and internal control framework to address risks and has allocated particular attention to cybersecurity and governance in the context of previous criminal, unauthorised access to the Group’s technology systems.
Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programmes. This is guided by periodic external third-party assessment of IHG’s cyber risks and the maturity of the cybersecurity programme. The cyber incident response framework uses defined playbooks, coordinating with external incident response groups and aligning with wider IHG crisis management and escalation protocols, including triggers for reporting to senior management, Board of Directors and external parties where required.
IHG’s CISO has overall responsibility for the Information Security strategy and the development and management of the associated programme. The CISO was hired by IHG in 2018 from Invesco, a global investment management company, where he built and ran the cybersecurity programme as CISO for more than 10 years. The CISO is supported by a dedicated, certified and experienced in-house team, complemented by outsourced groups for performing either highly repetitive or operational tasks or for very specialised skillsets such as penetration testing or cyber forensics.
The CISO receives reports from the team to enable the monitoring of the prevention, detection, mitigation, and remediation of cybersecurity incidents.
IHG employs several independent or third-party mechanisms to provide a level of assurance that the different information security capabilities are operating effectively and assessment of risk is also informed by observations arising from a variety of independent auditing either from IHG’s Internal Audit function or as part of regulatory compliance work performed including Sarbanes-Oxley, HIPAA, SWIFT, SOC-1 and MLPS (China). As noted above, periodic external assessments are also conducted of the maturity of the cybersecurity programme, which are also reported to the Board of Directors.
Cybersecurity Risk Role of Management [Text Block]
Cybersecurity risk management
Cybersecurity is an integral part of IHG’s overall risk management and internal control framework. Our information security risk management programme follows the National Institute of Standards and Technology Cyber Security Framework and supports the identification of the systems, data, and other information assets that are considered most sensitive from a confidentiality perspective, or most critical from an availability perspective. These include guest data, credit card data, pre-public financial information, and revenue generating applications.
Standards, policies and procedures are in place to manage how personal data can be used and protected across IHG, including a requirement for participation by all employees in annual e-learning training on handling information responsibly.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] IHG’s CISO has overall responsibility for the Information Security strategy and the development and management of the associated programme. The CISO was hired by IHG in 2018 from Invesco, a global investment management company, where he built and ran the cybersecurity programme as CISO for more than 10 years. The CISO is supported by a dedicated, certified and experienced in-house team, complemented by outsourced groups for performing either highly repetitive or operational tasks or for very specialised skillsets such as penetration testing or cyber forensics.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programmes.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The cyber incident response framework uses defined playbooks, coordinating with external incident response groups and aligning with wider IHG crisis management and escalation protocols, including triggers for reporting to senior management, Board of Directors and external parties where required.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true