XML 64 R35.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
The Cyber Risk Management Policy (the "Policy") establishes the framework for our cybersecurity risk management and governance. Our security teams operationalize the Policy across the Company and conduct cyber risk identification, assessment, management, and reporting. Our privacy teams are responsible for identifying, assessing, managing, and reporting on data protection risks. We leverage the National Institute of Standards and Technology (NIST) frameworks for cybersecurity and privacy. We annually measure our security and privacy program maturity against the NIST frameworks, and engage a third-party every other year to assess the current state against these frameworks. The results of these assessments are discussed with the Board and the Cybersecurity Subcommittee of the Audit Committee.

As part of the Company's risk management strategy, we require that all employees complete regular data security and privacy trainings, and conduct phishing tests and specialized training such as secure coding training for our developers.
Our security teams have established procedures for identifying, assessing, and managing, cybersecurity incidents. A cross-functional working group of security, privacy, and legal personnel review potentially significant incidents. If an incident could be deemed material, it is escalated, and we consult with outside counsel as appropriate.

Our internal audit function performs its own cybersecurity and privacy audits and reviews certain related practices as part of their assessment of our internal control over financial reporting. From time to time we have taken steps to improve our practices and remedy deficiencies that have been identified. Our enterprise-wide information security program is also independently assessed every other year by a third party as part of our enterprise risk management, and the Cybersecurity Subcommittee reviews the findings.

We rely on certain third-party computer systems and third-party service providers, including global distribution systems ("GDSs") and computerized central travel reservation systems in connection with providing some of our services. We also depend upon various third parties to process payments for certain transactions. These third-party business partners, service providers, and consultants need to access our customer and other data, and connect to our computer networks. We define confidentiality, security, and privacy requirements through our contracting processes and perform third-party cyber risk assessments to monitor such third parties as needed.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Identifying, assessing, and managing cybersecurity risk is generally integrated into our overall risk management processes. The Company's internal audit function, with primary oversight by the Audit Committee, assesses key risks facing the organization, which are reviewed and discussed by the Company's management-level risk committee (a multi-disciplinary committee including representation from senior management in the finance, internal audit, and legal functions, among others). The risk committee is tasked with ensuring risks, including those related to cybersecurity, are managed and aligning strategic objectives with an appropriate level of risk tolerance.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The Board and Audit Committee are responsible for oversight related to cybersecurity, privacy, and data protection and security.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Cybersecurity Subcommittee of the Audit Committee oversees management's efforts and processes to identify, assess, and manage significant cybersecurity and privacy risks and regulatory developments in this area.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Cybersecurity Subcommittee of the Audit Committee oversees management's efforts and processes to identify, assess, and manage significant cybersecurity and privacy risks and regulatory developments in this area. The cybersecurity and privacy leaders meet with the Cybersecurity Subcommittee to discuss the Company's cybersecurity and data protection risk exposures, including steps management has taken to assess and manage such exposures and their potential impact on the Company's business, operations, and reputation. The Cybersecurity Subcommittee reports periodically on these matters to the Audit Committee and the Board.
Cybersecurity Risk Role of Management [Text Block] The Cybersecurity Subcommittee of the Audit Committee oversees management's efforts and processes to identify, assess, and manage significant cybersecurity and privacy risks and regulatory developments in this area. The cybersecurity and privacy leaders meet with the Cybersecurity Subcommittee to discuss the Company's cybersecurity and data protection risk exposures, including steps management has taken to assess and manage such exposures and their potential impact on the Company's business, operations, and reputation. The Cybersecurity Subcommittee reports periodically on these matters to the Audit Committee and the Board.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Cybersecurity Subcommittee of the Audit Committee oversees management's efforts and processes to identify, assess, and manage significant cybersecurity and privacy risks and regulatory developments in this area.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
The individuals serving in the roles of chief security officer and chief privacy officer have enterprise-wide responsibility for assessing and managing cybersecurity, data protection and security, and privacy risks, respectively. These leaders collectively have over 25 years of relevant work experience in public companies and extensive industry expertise.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Cybersecurity Subcommittee of the Audit Committee oversees management's efforts and processes to identify, assess, and manage significant cybersecurity and privacy risks and regulatory developments in this area. The cybersecurity and privacy leaders meet with the Cybersecurity Subcommittee to discuss the Company's cybersecurity and data protection risk exposures, including steps management has taken to assess and manage such exposures and their potential impact on the Company's business, operations, and reputation. The Cybersecurity Subcommittee reports periodically on these matters to the Audit Committee and the Board.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true