GETTY REALTY CORP /MD/ 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

GETTY REALTY CORP /MD/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 17:02:19 EST.

Filings

10-K filed on 2024-02-15

GETTY REALTY CORP /MD/ filed an 10-K at 2024-02-15 17:02:19 EST
Accession Number: 0000950170-24-015982

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cyber security Risk Management and Strategy We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes the implementation of a cybersecurity incident response plan. 23 We design and assess our program based on industry standards to align closely with information security frameworks and guidelines. This does not imply that we meet or are in compliance with any particular technical standards, specifications, or requirements, only that we use the frameworks as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. We utilize a commercially available third-party hosted cloud network environment with commercially available systems, software, tools and monitoring to provide security to protect its information and data and alert it to potential information security breaches. The third party engaged by us to oversee and host its network was engaged, in part, because of its experience with information security and data protection and products designed to manage against information and data security breaches. We conduct mandatory annual cybersecurity training for employees and have information security and data privacy policies and procedures in place applicable to our directors, officers, and employees. In 2022, we engaged an outside consultant to conduct a comprehensive cybersecurity assessment, the methodology for which was based on information security frameworks and guidelines such as the National Institute of Standards and Technology (NIST), Center for Information Security (CIS), and ISO27001. Management reviewed the results of the assessment with the Audit Committee and, throughout 2023, engaged with consultants, auditors, and other third parties to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means. To date we had no cybersecurity incidents. For additional information, see Item 1A. Risk Factors - We rely on information technology in our operations, and any material failure, inadequacy, interruption or security failure of that technology could harm our business. Additionally, our failure to comply with applicable privacy, data security or protection or cyber security laws could adversely affect our business. Management and Board Oversight Our Board of Directors actively considers cybersecurity risk as part of its risk oversight function and has delegated oversight of cybersecurity and other information technology risk to the Audit Committee. The Audit Committee is instrumental in overseeing the implementation of our cybersecurity risk management program by management. The Audit Committee receives detailed quarterly reports from management about our cybersecurity risks, and management provides timely updates to the Audit Committee about any significant cybersecurity incidents, as well as those with lesser impact potential if deemed appropriate to do so. The Audit Committee informs the full Board of Directors about its activities, including those related to cybersecurity. The full Board of Directors also receives briefings from management on our cybersecurity risk management program. Members of the Board of Directors are kept abreast of cybersecurity developments through presentations by our Chief Financial Officer or external experts as part of their ongoing education on issues impacting public companies. Our management team, including our Chief Financial Officer, and members of the Audit Committee play a pivotal role in assessing and managing material risks stemming from cybersecurity threats. The management team is primarily responsible for the oversight of our overall cybersecurity risk management program, and coordinates with our external cybersecurity consultants. Efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents are supervised by our management team. These efforts include briefings from internal security personnel, leveraging threat intelligence and information from governmental, public, and private sources, engagement with external consultants, and utilizing alerts and reports generated by our security tools within the IT environment.

Company Information