Equity Commonwealth 10-K Cybersecurity GRC - 2024-02-13

Page last updated on April 11, 2024

Equity Commonwealth reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-13 16:12:48 EST.

Filings

10-K filed on 2024-02-13

Equity Commonwealth filed an 10-K at 2024-02-13 16:12:48 EST
Accession Number: 0000803649-24-000025

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. The Company maintains a cybersecurity program focused on preventing, identifying and mitigating cyber threats applicable to its business as an owner and operator of commercial office properties. Our Board oversees our cybersecurity program through its Audit Committee, which meets regularly with the Company s executive officers and senior personnel from the Company s IT department, which manages the program on a day-to-day basis. The Company s cybersecurity program is integrated into its overall risk management processes. Risk Management and Strategy The Company employs a number of cybersecurity measures intended to reduce the likelihood that cybersecurity incidents materialize, including: (i) employing a variety of reputable and recognized hardware, software and other security measures in the design and maintenance of our information technology and data security systems; (ii) conducting periodic testing and verification of information and data security systems, including engaging third-party assessors to perform penetration testing of our systems to identify vulnerabilities; (iii) confirming with our critical vendors whether they have had cyber breaches of their IT systems or otherwise involving Company information; (iv) verifying third-party IT system integrity through a review of System and Organization ( SOC ) audit review reports provided by certain of our vendors; and (v) providing onboarding and other periodic employee security awareness training relating to phishing and other scams, malware and various cyber-related risks. We have also engaged third-party vendors to assist with incident detection and monitoring and to implement and maintain other cybersecurity measures specific to our operations and portfolio properties. The Company has created and maintains processes that provide a playbook in the event of a cyber incident. These processes provide assessment and response tools designed to mitigate damage from attacks and integrate third-party digital forensics and legal providers and law enforcement in the Company s response plan. The Company also has instituted a variety of safeguards to counter ransomware threats. The Company has integrated its cybersecurity program into its overall risk management processes by instituting corporate measures and protocols that apply to ensure ongoing operations in the event of a disaster or major business disruption affecting the corporate headquarters, infrastructure or key personnel, as well as similar processes in case of a crisis-related event at our portfolio properties. Our employee guidelines also address employee computer usage, including a variety of restrictions and protocols intended to enhance cybersecurity and reduce the risk of a successful cyber-attack. Material Effects from Risks of Cybersecurity Threats We do not believe any risks from cybersecurity threats, including any past cybersecurity incidents, have materially affected the Company, including our business strategy, results of operations or financial condition. There can be no assurances, however, that we or our third-party service providers will not experience a future system disruption, attack or security breach that materially impacts the Company, our business strategy, results of operations or financial condition. For more information 20 refer to Item 1A. Risk Factors Risks Related to Our Business We rely on information technology in our operations, and any material failure, inadequacy or security failure of that technology could harm our business . Board of Trustees and Management Oversight Our Board of Trustees oversees our cybersecurity program and initiatives through its Audit Committee. The Audit Committee, in consultation with management, actively oversees and manages the Company s cybersecurity risk, including periodically reviewing our policies and procedures with respect to risk assessment and risk management. As part of its cybersecurity oversight role, the Audit Committee meets regularly with the Company s executive officers and senior IT personnel to discuss the Company s policies, procedures and other measures put in place to protect its business systems and information against cyber-related attacks and risks, as well as to discuss recent cyber and IT trends. Through the policies, plans, guidelines and processes the Company has implemented, any material cybersecurity incident would be reported to our executive officers as well as the Audit Committee and/or the Board. Cybersecurity Personnel Resources The Company s cybersecurity program is managed by our IT department, which is led by our SVP - Information Technology, who has a Master of Business Administration degree and a Master Certification in Cybersecurity from Colorado State University. Our IT department has more than 25 years of combined experience. The members of our IT department have experience with network and system security, backup and recovery strategies and software design and implementation. Areas of substantial experience also include IT audits and anti-phishing training, as well as server installation, configuration and administration.

Company Information