Page last updated on April 11, 2024
Alpine Income Property Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-08 16:21:23 EST.
Filings
10-K filed on 2024-02-08
Alpine Income Property Trust, Inc. filed an 10-K at 2024-02-08 16:21:23 EST
Accession Number: 0001558370-24-000899
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY The Company has no employees and is externally managed by our Manager, which is a wholly owned subsidiary of CTO, a publicly traded diversified REIT. Pursuant to the terms of the Management Agreement, our Manager manages, operates and administers our day-to-day operations, business and affairs, subject to the direction and supervision of the Board. The Board recognizes the critical importance of maintaining the trust and confidence of our tenants and business partners. The Board plays an active role in overseeing management of our risks, and cybersecurity represents an important component of the Company s overall approach to risk management and oversight. As an externally managed company, the Company relies on CTO s information systems in connection with the Company s day-to-day operations. Consequently, the Company also relies on the processes for assessing, identifying, and managing material risks from cybersecurity threats undertaken by CTO. All of the Company s executive officers are executive officers and employees of CTO, and one of the Company s officers (John P. Albright) is also a member of CTO s board of directors. 49 Table of Contents CTO s cybersecurity processes and practices are integrated into CTO s risk management and oversight program. In general, CTO seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that CTO collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. CTO utilizes a third-party managed IT service provider (the MSP ) to provide comprehensive cybersecurity services for the Company, including threat detection and response, vulnerability assessment and monitoring, security incident response and recovery, and cybersecurity education and awareness. The Company has adopted a written information security incident response plan, which, as discussed below, is overseen by the Audit Committee of the Board (the Audit Committee ). Risk Management and Strategy The Company s cybersecurity program is focused on the following key areas: Governance: As discussed in more detail under Item 1C. Cybersecurity Governance, the Board s oversight of cybersecurity risk management will be supported by the Audit Committee, which regularly interacts with the Company s management team. Collaborative Approach: CTO has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management, the Audit Committee, and the Board in a timely manner. Technical Safeguards: CTO and the MSP deploy technical safeguards that are designed to protect information systems from cybersecurity threats, including firewalls, intrusion prevention systems, endpoint detection and response systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Incident Response and Recovery Planning: CTO and the MSP have established a written information security incident response plan that addresses the response to a cybersecurity incident, which plan will be tested and evaluated on a regular basis. Third-Party Risk Management: CTO and the MSP maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of CTO s systems, as well as the systems of third parties that could adversely impact the Company s business in the event of a cybersecurity incident affecting those third-party systems. Education and Awareness: CTO, through the MSP, provides regular training for personnel regarding cybersecurity threats as a means to equip personnel with effective tools to address cybersecurity threats, and to communicate evolving information security policies, standards, processes and practices. CTO and the MSP will engage in the periodic assessment and testing of CTO s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts will include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of CTO s cybersecurity measures and planning. The MSP regularly assesses CTO s cybersecurity measures, including information security maturity, and regularly reviews CTO s information security control environment and operating effectiveness. The results of such assessments, audits and reviews will be reported to the Audit Committee and the Board, and CTO will adjust its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews. Governance The Board, in coordination with the Audit Committee, will oversee the Company s cybersecurity risk management process. The Audit Committee has adopted a charter that provides that the Audit Committee must review and discuss with the Company s management team the Company s privacy and cybersecurity risk exposures, including: the potential impact of those exposures on the Company s business, financial results, operations and reputation; 50 Table of Contents the steps management has taken to monitor and mitigate such exposures; the Company s information governance policies and programs; and major legislative and regulatory developments that could materially impact the Company s privacy and cybersecurity risk exposure. The charter of the Audit Committee also provides that the Audit Committee may receive additional training in cybersecurity and data privacy matters to enable its oversight of such risks and that the Audit Committee will regularly report to the Board the substance of such reviews and discussions and, as necessary, recommend to the Board such actions as the Audit Committee deems appropriate. As noted above, the Company relies on CTO s information systems and the MSP in connection with the Company s day-to-day operations. Consequently, the Company also relies on the processes for assessing, identifying, and managing material risks from cybersecurity threats undertaken by CTO. All of the Company s executive officers are executive officers and employees of CTO, and one of the Company s officers (John P. Albright) is also a member of CTO s board of directors. CTO s President and Chief Executive Officer, Senior Vice President, Chief Financial Officer and Treasurer, and Senior Vice President, General Counsel and Corporate Secretary work collaboratively with the MSP to implement a program designed to protect CTO s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with written information security incident response plans adopted by CTO and the Company. These members of CTO s management team, together with the MSP, will monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and will report such threats and incidents to the Audit Committee when appropriate. CTO s President and Chief Executive Officer, Senior Vice President, Chief Financial Officer and Treasurer, and Senior Vice President, General Counsel and Corporate Secretary each hold degrees in their respective fields, and have an average of over 20 years of experience managing risks at CTO, the Company and similar companies, including risks arising from cybersecurity threats. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to affect the Company, including its business strategy, results of operations or financial condition.
Item 1C. Cybersecurity Governance, the Board s oversight of cybersecurity risk management will be supported by the Audit Committee, which regularly interacts with the Company s management team. Collaborative Approach: CTO has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management, the Audit Committee, and the Board in a timely manner. Technical Safeguards: CTO and the MSP deploy technical safeguards that are designed to protect information systems from cybersecurity threats, including firewalls, intrusion prevention systems, endpoint detection and response systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Incident Response and Recovery Planning: CTO and the MSP have established a written information security incident response plan that addresses the response to a cybersecurity incident, which plan will be tested and evaluated on a regular basis. Third-Party Risk Management: CTO and the MSP maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of CTO s systems, as well as the systems of third parties that could adversely impact the Company s business in the event of a cybersecurity incident affecting those third-party systems. Education and Awareness: CTO, through the MSP, provides regular training for personnel regarding cybersecurity threats as a means to equip personnel with effective tools to address cybersecurity threats, and to communicate evolving information security policies, standards, processes and practices. CTO and the MSP will engage in the periodic assessment and testing of CTO s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts will include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of CTO s cybersecurity measures and planning. The MSP regularly assesses CTO s cybersecurity measures, including information security maturity, and regularly reviews CTO s information security control environment and operating effectiveness. The results of such assessments, audits and reviews will be reported to the Audit Committee and the Board, and CTO will adjust its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews. Governance The Board, in coordination with the Audit Committee, will oversee the Company s cybersecurity risk management process. The Audit Committee has adopted a charter that provides that the Audit Committee must review and discuss with the Company s management team the Company s privacy and cybersecurity risk exposures, including: the potential impact of those exposures on the Company s business, financial results, operations and reputation; 50 Table of Contents the steps management has taken to monitor and mitigate such exposures; the Company s information governance policies and programs; and major legislative and regulatory developments that could materially impact the Company s privacy and cybersecurity risk exposure. The charter of the Audit Committee also provides that the Audit Committee may receive additional training in cybersecurity and data privacy matters to enable its oversight of such risks and that the Audit Committee will regularly report to the Board the substance of such reviews and discussions and, as necessary, recommend to the Board such actions as the Audit Committee deems appropriate. As noted above, the Company relies on CTO s information systems and the MSP in connection with the Company s day-to-day operations. Consequently, the Company also relies on the processes for assessing, identifying, and managing material risks from cybersecurity threats undertaken by CTO. All of the Company s executive officers are executive officers and employees of CTO, and one of the Company s officers (John P. Albright) is also a member of CTO s board of directors. CTO s President and Chief Executive Officer, Senior Vice President, Chief Financial Officer and Treasurer, and Senior Vice President, General Counsel and Corporate Secretary work collaboratively with the MSP to implement a program designed to protect CTO s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with written information security incident response plans adopted by CTO and the Company. These members of CTO s management team, together with the MSP, will monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and will report such threats and incidents to the Audit Committee when appropriate. CTO s President and Chief Executive Officer, Senior Vice President, Chief Financial Officer and Treasurer, and Senior Vice President, General Counsel and Corporate Secretary each hold degrees in their respective fields, and have an average of over 20 years of experience managing risks at CTO, the Company and similar companies, including risks arising from cybersecurity threats. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to affect the Company, including its business strategy, results of operations or financial condition.
Company Information
| Name | Alpine Income Property Trust, Inc. |
| CIK | 0001786117 |
| SIC Description | Real Estate Investment Trusts |
| Ticker | PINE - NYSE |
| Website | |
| Category | Emerging growth company |
| Fiscal Year End | December 30 |