STAG Industrial, Inc. 10-K Cybersecurity GRC - 2024-02-13

Page last updated on April 11, 2024

STAG Industrial, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-13 16:13:53 EST.

Filings

10-K filed on 2024-02-13

STAG Industrial, Inc. filed a 10-K at 2024-02-13 16:13:53 EST
Accession Number: 0001479094-24-000007


Item 1C. Cybersecurity.

Introduction

We recognize the importance of maintaining the trust and confidence of our tenants, business partners and employees with respect to the integrity of our IT network and related systems. We seek to address cybersecurity risks and preserve the confidentiality, security and availability of the information collected and stored on our IT networks and related systems through a comprehensive approach focused on (i) identifying, evaluating and managing our cybersecurity risks, (ii) preventing or mitigating potential threats, and (iii) responding appropriately to security breaches, cyber-attacks, IT network failures and other incidents, if and when they occur.

While risk management is primarily the responsibility of our senior management team, our board of directors plays a role in overseeing our cybersecurity risk management program. Our board of directors administers this oversight function directly and with support from its audit committee, which has been delegated the responsibility to evaluate our major financial risks, including our policies and practices to govern the process by which risk assessment and management is undertaken.

As of the date of this report, we are not aware of any cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially and adversely affected the Company (including our business strategy, results of operations or financial condition), nor are such threats reasonably likely to materially and adversely affect the same. For additional information regarding our cybersecurity risks, see Item 1.A. "Risk Factors - Other General Risks - We face risks associated with system failures through security breaches or cyber-attacks, as well as other significant disruptions of our information technology ("IT") networks and related systems" above.

Risk Management and Strategy

Our cybersecurity risk management program is focused on the key areas below:

Governance. In fulfilling its oversight responsibility, our board of directors receives regular reports from our senior management team on our cybersecurity risks and exposures, infrastructure and countermeasures, and other monitoring, testing and recovery systems.

Collaborative Approach. We use a comprehensive, cross-departmental approach for identifying, evaluating, preventing and/or mitigating cybersecurity threats and incidents, and have implemented controls and procedures that provide for the prompt escalation of significant cybersecurity incidents so that decisions regarding reporting and public disclosure of such incidents can be made in a timely manner.

Technical Safeguards. We deploy technical safeguards intended to protect our IT networks and related systems from cybersecurity threats, including firewalls, intrusion prevention, detection and isolation systems, anti-virus and malware functionality, backup functionality, and access controls. These technical safeguards are regularly evaluated and improved through vulnerability assessments, network penetration testing and threat intelligence, including by third-party consultants, who also continually monitor our information security. Any significant developments related to our technical safeguards, including the results of any vulnerability assessments or network penetration testing, are reported to our board of directors, and we adjust our cybersecurity risk management policies and practices as necessary.

Management of Third-Party Risks. We use a risk-based approach to evaluating cybersecurity risks presented by third parties, such as vendors, service providers, and external users of our IT networks and related systems, as well as risks related to our use of third-party systems that could adversely affect our business in the event of a cybersecurity incident centered on those systems.

Education and Awareness. We provide regular, mandatory cybersecurity training for our employees to help them identify and avoid potential cybersecurity threats and understand our policies and guidelines related to our IT network and related systems. As part of this training program, we regularly test our employees for information security awareness, including through random electronic communications designed to simulate how a threat actor might attempt to compromise our IT network and related systems.

Cybersecurity Insurance. We carry comprehensive cyber liability insurance coverage that covers us against claims related to certain first-party and third-party losses, including data restoration costs and crisis management expenses, subject to the policy's coverage conditions and limitations.

Governance

Our board of directors, together with the audit committee of our board of directors, oversees our cybersecurity risk management program. In addition, the audit committee is responsible for reviewing with management the effectiveness of our internal control structure and procedures for financial reporting systems, including, among other things, our internal controls designed to assess, identify, and manage material risks from cybersecurity threats. On a regular basis, our board of directors receives a presentation on cybersecurity risks from our senior management team, which may, depending on relevance at the time of the report, address topics such as prevailing cybersecurity threats, vulnerability assessments and/or network integrity testing, infrastructure and practice updates, and other considerations applicable to our IT network and related systems and other third-party systems.

Members of management work collaboratively to develop and implement policies, practices and procedures to protect our IT networks and related systems from cybersecurity threats and to respond appropriately and timely to any cybersecurity incidents. The members of management responsible for our cybersecurity risk management program include our Vice President Information Technology, our Chief Financial Officer, our General Counsel, our Chief Accounting Officer, our Head of Data, Analytics and Technology, and our Vice President Financial Reporting and Accounting. Through ongoing communications from employees in each of our Data, Analytics and Technology and Information Technology departments, such members of management monitor our assessment of material cybersecurity risks, our prevention and detection of cybersecurity threats, and, if a cybersecurity incident were to occur, our mitigation and remediation of such incident.

We believe the members of our management team involved in assessing and managing material cybersecurity risks have the experience needed to perform their duties, including through education, certification, work experience or a combination thereof. For example, our Vice President Information Technology has approximately 25 years of IT experience in various roles, the majority of which has been at publicly-reporting real estate companies. In addition, the other members of our management team identified above have from 14 years to 29 years of work experience managing risks or control environments, including experience at the Company and other professional businesses, or, as third-party advisors, helping businesses manage risks or control environments.


Company Information

Name: STAG Industrial, Inc.
CIK: 0001479094
SIC Description: Real Estate Investment Trusts
Ticker: STAG - NYSE
Website
Category: Large accelerated filer
Fiscal Year End: December 30