5. IT RISK MANAGEMENT & CYBERSECURITY

IT Risk Management


Despegar has been operating without any data privacy or security breach for more than six years.

This is a testament to the reliability of our technology. We also carefully monitor the performance of the systems we have in place and build awareness of the broader implications that these issues may have across the organization.

5.1 IT Risk Management Policy


ACTION STEPS TO ENSURE SECURITY:

• Penetration tests and vulnerability scans.

• Annual cybersecurity training for all Despegar employees.

Despegar developed a formal IT Risk Policy in 2020, which will be put in place throughout the organization in 2021; more details follow.

Despegar developed a methodology to identify, analyze and evaluate Information Security Risks which could potentially affect those technological assets critical to the Company’s business.

IT Risk Management Policy - Key Roles and Responsibilities


Capturing, evaluating and managing risk requires participation by those individuals and teams associated with the following functions:

01 The Risk Identifier
Despegar employees and third parties detect and report a potential risk. Once said risk is identified, the Governance, Risk & Compliance (GRC) team is contacted to define the risk and potential scope.

02 The Governance, Risk & Compliance Team
The GRC department, part of Information Security, is responsible for managing IT Risks and related processes. GRC is charged with the following tasks:

• define the risk owner
• build a case around the risk detected
• carry out the risk assessment
• present the case to the IT Risk Management Committee

03 The Risk Owner
The risk owner owns the affected asset and is responsible for reviewing the risk with the person who identified it.

04 IT Risk Management Committee
A Risk Management Committee will be established to approve the risk detection strategy. The committee will be composed of the following Despegar team members:

• CTO
• CISO
• GRC leader and / or manager

5.2 Cybersecurity


We protect our clients’ data based on industry best practice, including data encryption, privacy policies, perimeter protection, secure development techniques and security testing. We also minimize exposure of our clients’ data even within our internal processes; our employees often work with anonymized client data.

We also provide Despegar employees with data security and user privacy training to protect confidential information. Further, we conduct internal and external security audits and vulnerability assessments of our systems to ensure our systems are secured at all times.

Despegar has a proven track record of cyber security and data protection. We’ve detected no security breaches or cyberattacks since 2014 due to our IT Security Teams’ unwavering commitment to protecting user information across our operations.