NNN REIT, INC. 10-K Cybersecurity GRC - 2024-02-08

Page last updated on April 11, 2024

NNN REIT, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-08 08:33:54 EST.

Filings

10-K filed on 2024-02-08

NNN REIT, INC. filed an 10-K at 2024-02-08 08:33:54 EST
Accession Number: 0000950170-24-012540

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity With oversight from the Board of Directors, NNN’s management is responsible for managing all cyber risks and overseeing NNN’s security programs. Primary cybersecurity risk oversight has been delegated to the Audit Committee. The Senior Vice President of Information Technology (“SVP of IT”) oversees NNN’s security programs and its Incident Response Policy and Plan. The SVP of IT reports to the Chief Accounting and Technology Officer, and together, they have a combined industry knowledge for technology and information systems of over 40 years. The Audit Committee cybersecurity risk oversight role includes: (i) reviewing and approving technology security policies and internal cybersecurity controls, (ii) monitoring cybersecurity and information security exposures, and (iii) confirming management has adequate procedures in place to not only control and limit these exposures but also to timely respond to any cyber incident. NNN’s cybersecurity risk profile and cyber security program status, including results of any third-party evaluations are reported to the Audit Committee by the Chief Accounting and Technology Officer. NNN’s information systems process and store critical and sensitive NNN data. Management and the Board of Directors are committed to protecting NNN systems and data through layered perimeter, interrogation and access controls, as well as following a constant process of researching, assessing, patching and remediating. Processes to assess, identify, isolate, remediate and manage cybersecurity risks have been integrated into NNN’s overall risk management system. Below are examples of actions NNN takes to protect NNN’s information systems and data from cybersecurity risk: Align systems and processes with best practices for securing NNN information systems and data; Perform continuous systems monitoring and tactical measures for impending viruses, malware, tampering, exploits and other cyber threats; Deploy systems tools to detect, prevent and neutralize cyber threats; Engage independent third-party consultants to assist in evaluating cybersecurity risks and response profile and plans; Identify, oversee and evaluate the risks associated with third-party service providers and consultants; Continuously educate and provide procedural training to all associates and the Board of Directors regarding cybersecurity awareness and risks such as enterprise security, malware, data protection best practices, anti-phishing exercises and updates with respect to other implemented information security measures; Periodically measure the effectiveness of associate training; Cybersecurity risk management is periodically reviewed with the Enterprise Risk Management Team; Perform ongoing internal and external penetration testing and vulnerability assessments with a high priority for timely remediation; and Establish reporting deadlines and hierarchies so that data regarding an incident or possible incident is communicated in a timely manner to NNN’s management, to the Audit Committee of the Board of Directors, and if, appropriate or required by law, to the Commission. Management is aware that preventive measures cannot prevent all cyber incidents. The SVP of IT has direct oversight over the Company’s security programs on a daily basis. When a cyber incident occurs, NNN’s actions are guided by an incident response plan decision tree to (i) detect, contain and eradicate any threats, (ii) assess materiality, (iii) notify internal parties and the Audit Committee Chairperson, (iv) recover any compromised NNN data and information systems, (v) limit impacts of any such incident on NNN’s operations, and (vi) report any such incident as require by law or as otherwise necessary. For a detailed discussion of risks from cybersecurity threats, please see Item 1A. Risk Factors. 23

Company Information