Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
|---|---|
Dec. 31, 2025 | |
| Cybersecurity Risk Management, Strategy, and Governance [Abstract] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
Codere Online has developed an information security program to assess, identify, and manage material risks from cybersecurity threats. This program is integrated into Codere Online’s overall enterprise risk management system (“ERM”) as a key risk. If the ERM process identifies a heightened cybersecurity risk, the appropriate team is tasked with developing risk mitigation strategies and plans, which are monitored to completion.
Codere Online relies on its parent company, Codere Group, to provide services including, among other things, technical assistance and technology, IT operations, security and cybersecurity, and systems, pursuant to the New Platform and Technology Services Agreement. Codere Apuestas Espana, S.L.U. has obtained an ISO/IEC 27001:2022 certification, which expires on June 22, 2028, for the information systems that provide support to the provision of land-based fixed-odds betting services and online gaming services to other entities of the Codere Group. The certification was obtained from an independent, external consultant. Codere Group maintains a cyber incident management procedure which defines how it would support Codere Online in the event of an incident. In addition, Codere Group utilizes the assistance of third-party consultants in connection with its information security program to help identify threats and define strategies for addressing the same. Codere Online may also hire such third-party consultants on an ad hoc basis, as necessary.
Codere Group has an Information Security and Technology Risk Management Team (ISTRM Team) that supports Codere Online in addressing information technology risks, including cybersecurity risks. Codere Online’s information security program includes policies and procedures designed to identify how information security measures and controls are developed, implemented, and maintained, including an Information Security Policy, Acceptable Use of Information Assets Policy, and Business Continuity Management Policy. An internal cybersecurity risk assessment is conducted annually by Codere Group which includes risks to Codere Online and is used by management to consider implementing and augmenting cybersecurity controls where feasible and appropriate to mitigate cybersecurity risk exposure.
Codere Online utilizes multiple training methodologies to ensure employee awareness of cybersecurity risks and practices. Employees receive information from security awareness campaigns. Training also includes email phishing campaigns which can prompt further training depending on the results. Codere Online has a written Personal Data Breach Management Procedure which identifies a cross-functional Computer Security Incident Response Team (CSIRT Team) to address potential cybersecurity incidents.
Codere Online engages with a number of service providers in connection with normal business operations. Codere Online uses various processes to address cybersecurity threats related to third-party service providers, including, where appropriate, pre-acquisition diligence questionnaires, imposition of contractual data security and privacy obligations, and ad hoc monitoring activities.
Although from time to time, Codere Online experiences cyber incidents, Codere Online is not aware of any risks from cybersecurity threats that have materially affected, or are reasonably likely to materially affect Codere Online, including strategies, results of operations, or financial condition. There can be no guarantee that (i) Codere Online’s policies and procedures will be properly followed in every instance or that those policies and procedures will be effective or (ii) that there will not be incidents in the future or that they will not materially affect Codere Online, including Codere Online’s strategy, results of operations, or financial condition.
For more information about cybersecurity risks, see the risk factor titled “Codere Online’s network, information technology systems and accounting systems are subject to error, damage and interruption and are vulnerable to hacker intrusion, cyberattacks and system breaches” in Item 3.D of this annual report. |
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Codere Online has developed an information security program to assess, identify, and manage material risks from cybersecurity threats. This program is integrated into Codere Online’s overall enterprise risk management system (“ERM”) as a key risk. If the ERM process identifies a heightened cybersecurity risk, the appropriate team is tasked with developing risk mitigation strategies and plans, which are monitored to completion. |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | true |
| Cybersecurity Risk Board of Directors Oversight [Text Block] |
Governance
Cybersecurity is important to Codere Online’s risk management processes. As mentioned above, the ISTRM Team oversees and addresses risks from cybersecurity threats. Imminent threats are handled by the CSIRT Team. These individuals are informed about, and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of Codere Online’s incident response plan. The incident response plan provides for notification to management, the data protection team and, where applicable, the Board of Directors, as appropriate, of any actual or suspected significant cybersecurity incidents and requires regular updates to these parties during an investigation. Members of the ISTRM team and the Manager of IT Service Management meet periodically, but at least quarterly, with Codere Online senior executives, including the Chief Information Security Officer, to review Codere Online’s internal process, policies, and practices, for assessing and managing material risks from cybersecurity threats.
The Audit Committee has oversight responsibility for risks and incidents relating to cybersecurity threats. The Audit Committee receives reports from management about the prevention, detection, mitigation, and remediation of cybersecurity risks. The Audit Committee reports to the full board periodically, and at least annually, on its review of cybersecurity controls, policies, practices and risks. Effective in 2024, as part of the Audit Committee’s quarterly meetings with management, the Audit Committee will receive briefings from the Manager of IT Service Management and, where appropriate, other individuals with responsibility for cybersecurity, to discuss cybersecurity risks and threats. The Audit Committee will review important trends and developments in cybersecurity risks, information security controls and proposed controls, and related legal requirements and their effect on Codere Online.
Oversight of the Information Security Policy and the Acceptable Use of Information Assets Policy is handled by Information Security Management, which is led by the Manager of IT Service Management. The Manager of IT Service Management at Codere Online has more than 25 years of experience in consulting and IT services and is experienced with the assessment, definition, and implementation of IT processes and metrics, and adaptation and application of frameworks and standards, balanced score cards, and audits. The Manager of IT Service Management is supported by the Director of Information Security and Technology Risk – Chief Information Security Officer at Codere Group. She has more than 24 years of experience as head of cybersecurity in large organizations in the financial and telecommunications sector, where she has been responsible for the design and implementation of information security and IT services. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | the ISTRM Team oversees and addresses risks from cybersecurity threats. Imminent threats are handled by the CSIRT Team. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | These individuals are informed about, and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of Codere Online’s incident response plan. |
| Cybersecurity Risk Role of Management [Text Block] | The incident response plan provides for notification to management, the data protection team and, where applicable, the Board of Directors, as appropriate, of any actual or suspected significant cybersecurity incidents and requires regular updates to these parties during an investigation. Members of the ISTRM team and the Manager of IT Service Management meet periodically, but at least quarterly, with Codere Online senior executives, including the Chief Information Security Officer, to review Codere Online’s internal process, policies, and practices, for assessing and managing material risks from cybersecurity threats. |
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | The Audit Committee receives reports from management about the prevention, detection, mitigation, and remediation of cybersecurity risks. The Audit Committee reports to the full board periodically, and at least annually, on its review of cybersecurity controls, policies, practices and risks. Effective in 2024, as part of the Audit Committee’s quarterly meetings with management, the Audit Committee will receive briefings from the Manager of IT Service Management and, where appropriate, other individuals with responsibility for cybersecurity, to discuss cybersecurity risks and threats. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Oversight of the Information Security Policy and the Acceptable Use of Information Assets Policy is handled by Information Security Management, which is led by the Manager of IT Service Management. The Manager of IT Service Management at Codere Online has more than 25 years of experience in consulting and IT services and is experienced with the assessment, definition, and implementation of IT processes and metrics, and adaptation and application of frameworks and standards, balanced score cards, and audits. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | The Manager of IT Service Management is supported by the Director of Information Security and Technology Risk – Chief Information Security Officer at Codere Group. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |