JBG SMITH Properties 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

JBG SMITH Properties reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 16:17:56 EST.

Filings

10-K filed on 2024-02-20

JBG SMITH Properties filed a 10-K at 2024-02-20 16:17:56 EST
Accession Number: 0001558370-24-001366


Item 1C. Cybersecurity.

Strategy and Risk Management

To mitigate cybersecurity risks we have adopted a process of continuous improvement and adaptation to the ever-changing threat landscape. As part of this process, we engage with industry-leading managed security service provider(s) to supplement our efforts in preventing, identifying and responding to cybersecurity threats. Our information technology operations, information security processes and CIRP are generally aligned with the National Institute of Standards and Technology's framework. We have adopted a cloud-first strategy which is a foundational element to our overall cybersecurity posture. For essential systems, we utilize SaaS-based software partners who annually conduct Statement on Standards for Attestation Engagements SOC 1 or SOC 2 assessments, as appropriate, based on functional use within our company.

Based on the nature of services provided by our technology partners, our third-party risk management process may include:

- Reviewing cybersecurity practices of such provider.
- Contractually obligating the provider to share detailed results of cybersecurity assessments on an annual basis.
- Contractually obligating the provider to make us aware of significant cybersecurity related incidents.
- Coordinating independent security assessments with the provider utilizing our own resources.

Cybersecurity Risk Management

We have adopted a cybersecurity risk management process that is designed to identify and mitigate potential cybersecurity risks. On an annual basis, we work with credible, third-party cybersecurity experts to assess our ability to prevent, identify, and respond to cybersecurity threats through internal and external penetration tests and monthly vulnerability scans. We also test our organizational cybersecurity capabilities through facilitated tabletop exercises which simulate real life scenarios. Together with the findings of the SOC 1 and 2 assessments, and our threat intelligence and monitoring activities, these exercises, tests and scans help us identify potential cybersecurity risks.

We seek to mitigate cybersecurity risks we identify through a variety of methods, including:

- When practical and necessary, we patch vulnerabilities that are identified.
- We deploy endpoint detection and monitoring technologies to identify potential cybersecurity incidents.
- We back up our systems and data to mitigate the impact of a cybersecurity event that would impact our ability to operate or result in the loss of data.
- We partner with strategic managed cybersecurity service providers to supplement the capabilities of our internal team.
- We update and refine our CIRP in response to identified risks.
- To manage the third-party cybersecurity risk introduced by our cloud-first strategy, we have implemented a due diligence process for new software partners as well as an annual review process for essential SaaS system partners.
- We conduct cybersecurity awareness training annually and simulated phishing campaigns no less than quarterly to test and educate our employees.

Notwithstanding the steps we take to address cybersecurity, we may not be successful in preventing or mitigating all cybersecurity incidents or threats. See Item 1A. Risk Factors - Risks Related to Our Business and Operations The occurrence of cyber incidents, or a deficiency in our cybersecurity, or the cybersecurity of our service providers, could negatively impact our business by causing a disruption to our operations, a compromise or corruption of our confidential information, regulatory enforcement and other legal proceedings, and/or damage to our business relationships, all of which could negatively impact our financial results for a discussion of cybersecurity risks. To date, we have not experienced any material cybersecurity incidents.

Governance

Our Chief Information & Technology Officer along with our Vice President of Cybersecurity & Cloud Infrastructure provide principal oversight and guidance of our cybersecurity risk management strategy, programs and processes. The Chief Information & Technology Officer has over 20 years of experience in information technology in the real estate sector, leading organizations through strategic technology and process improvement initiatives. The Vice President of Cybersecurity & Cloud Infrastructure has over 15 years of extensive experience in cybersecurity and information technology. They are supported in their efforts by a team of technical experts who have had formal training and possess relevant industry related experience in addition to managed cybersecurity service providers who specialize in preventing, identifying, and responding to cybersecurity threats.

The Audit Committee of our Board of Trustees provides board-level governance and oversight regarding cybersecurity matters. Management meets with the Audit Committee periodically to discuss cybersecurity strategy, risk, trends, and internal personnel and qualifications. As part of our annual enterprise risk assessment, technology and cyber risks are standing risk factors which are ranked and reviewed by management.

In the event of a cyberattack, we engage our CIRP, which provides a framework of processes and procedures related to identifying, categorizing, responding, containing, analyzing, and eradicating cybersecurity threats to mitigate downtime and promptly restore systems and services. Management has responsibility for reporting cybersecurity incidents to the Audit Committee as they occur, if consistent with our CIRP.
The CIRP also addresses management’s responsibility, with Audit Committee oversight, with respect to any reporting or disclosure determinations related to a given cybersecurity incident and provides for Audit Committee and Board of Trustee briefings as appropriate.


Company Information

Name: JBG SMITH Properties
CIK: 0001689796
SIC Description: Real Estate Investment Trusts
Ticker: JBGS - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30