ESSENTIAL PROPERTIES REALTY TRUST, INC. 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

ESSENTIAL PROPERTIES REALTY TRUST, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 16:45:19 EST.

Filings

10-K filed on 2024-02-14

ESSENTIAL PROPERTIES REALTY TRUST, INC. filed an 10-K at 2024-02-14 16:45:19 EST
Accession Number: 0001728951-24-000026

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cyber criminals are becoming more sophisticated and effective every day, and all companies utilizing technology are subject to threats of breaches of their cybersecurity programs. To mitigate the threat to our business, we take a comprehensive approach to cybersecurity risk management and make securing our systems and data a top priority. Our Board and our management are actively involved in our overall enterprise risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, procedures and processes for assessing, identifying, and managing material risks from cybersecurity threats. There can be no guarantee that our policies, procedures and processes will be properly followed in every instance or that those policies, procedures and processes will be effective. We are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, we can provide no assurance that there will not be incidents in the future or that they will not materially affect us. For more information about risks relating to cybersecurity matters see Item 1A. Risk-Factors General Risk Factors We may be vulnerable to security breaches or cyber attacks which could disrupt our operations and have a material adverse effect on our financial condition and operating results. Risk Management and Strategy Our policies, procedures and processes for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall enterprise risk management program. Our cybersecurity program in particular focuses on the following key areas: Collaboration Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Personnel primarily responsible for security, risk and compliance matters meet periodically to develop strategies for preserving the confidentiality, integrity and availability of Company and tenant information, identifying, preventing and mitigating cybersecurity threats, and responding to any cybersecurity incidents. We maintain controls and procedures that are designed to ensure prompt escalation of material cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in a timely manner. Risk Assessment At least annually, we, with the assistance of an external cybersecurity consultant, conduct a cybersecurity risk assessment that takes into account information from internal personnel, known potential information security vulnerabilities and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board, its Nominating and Corporate Governance Committee, and members of management. Technical Safeguards We periodically assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are periodically evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience. Incident Response and Recovery Planning We have established comprehensive incident response and recovery plans and continue to periodically test and evaluate the effectiveness of those plans. Our incident response and recovery plans address and guide our employees, management and the Board on our response to a cybersecurity incident. 35 Third-Party Risk Management We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of engagement, contract renewal and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties, and investigate security incidents that have impacted our third-party providers, as appropriate. Education and Awareness Each of our employees is required to comply with our cybersecurity policies. We regularly remind employees of the importance of handling and protecting our data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats. External Assessments Our cybersecurity policies and procedures are periodically assessed by our external cybersecurity consultant. These assessments include a variety of activities including information security maturity assessments, penetration tests, and independent reviews of our information security control environment and operating effectiveness. The results of significant assessments are reported to management, the Board and its Nominating and Corporate Governance Committee. Cybersecurity processes are adjusted based on the information provided from these assessments. Governance Board Oversight Our Board, in coordination with its Nominating and Corporate Governance Committee, oversees our management of cybersecurity risk. They receive periodic reports from management and our external cybersecurity consultant about the identification, prevention, detection, mitigation and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. Our Nominating and Corporate Governance Committee directly oversees our cybersecurity program. The Nominating and Corporate Governance Committee receives periodic updates from management and our external cybersecurity consultant on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, external auditor feedback, control maturity assessments, and relevant internal and industry cybersecurity incidents. Management s Role Our chief financial officer ( CFO ) has primary responsibility for assessing and managing material risks from cybersecurity threats. The CFO meets periodically with our external cybersecurity consultant to review security performance metrics and identify security risks. The CFO and our external cybersecurity consultant also consider and make recommendations on security policies and procedures, security service requirements and risk mitigation strategies to the Nominating and Corporate Governance Committee.

Company Information