Topgolf Callaway Brands Corp. (“Topgolf Callaway Brands” or the “Company”) prioritizes the protection of data in its care and is committed to the ongoing enhancement of its cybersecurity and privacy capabilities, as discussed below.
Board Oversight
The Board of Directors of the Company (the “Board”) understands the importance of information technology, cybersecurity, and privacy. A majority of the members of the Board, one of whom has a CERT Certificate in Cybersecurity Oversight from the Carnegie Mellon University Software Engineering Institute, have information security experience. The Company’s cybersecurity team, which includes the Senior Vice President of Global IT and the Senior Director of Global Information Security, updates the Audit Committee of the Board at least twice per year regarding IT and cybersecurity strategy and risks specific to the Company.
Compliance and Risk Mitigation Activities
The Company conducts annual Sarbanes-Oxley 404 audits, maintains its compliance with the Payment Card Industry Data Security Standard (“PCI-DSS”), and engages an industry-leading, third-party audit firm to perform regular cybersecurity assessments using the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) for all of the Company’s global brands and subsidiaries, benchmarked against peers in the manufacturing, retail, and entertainment industries. The Company’s cybersecurity team works closely with the Company’s external auditors to prioritize and remediate findings from the NIST CSF assessments, and has consistently improved the Company’s NIST CSF cybersecurity score year-over-year since 2014.
The Company also engages with leading, third-party law, cybersecurity, consulting, and forensics firms to protect against information security incidents. This includes staying up to date on the cybersecurity threat landscape and high-profile risks, including but not limited to ransomware trends, nation-state activity, and insider threats, and taking proactive steps to address such threats by assessing and implementing appropriate cybersecurity tools and procedures on an ongoing basis. The Company also helps mitigate such risks by requiring employees at all global brands and subsidiaries to complete, on at least an annual basis, information security and privacy awareness trainings.
The Company has not experienced a significant information security incident in the last three years, and net expenses related to security incidents are immaterial relative to the Company’s total revenue. Furthermore, the Company has not been assessed with or paid out penalties or settlements over the last three years related to information security incidents.