REALTY INCOME CORP 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

REALTY INCOME CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:16:06 EST.

Filings

10-K filed on 2024-02-21

REALTY INCOME CORP filed an 10-K at 2024-02-21 16:16:06 EST
Accession Number: 0000726728-24-000047

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C: Cybersecurity We maintain a cyber risk management program to identify, assess, manage, mitigate, and respond to cybersecurity threats. We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. The program is integrated within our enterprise risk management system and addresses our IT networks and related systems that are essential to the operation of our business. We maintain controls and procedures, including third-party oversight procedures, and cybersecurity training for all employees on an annual basis, which are designed to ensure prompt escalation of cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management in a timely manner. We work with third parties that assist us to identify, assess, and manage cybersecurity risks, including professional services firms, consulting firms, threat intelligence service providers, and penetration testing firms. Our cybersecurity program and designated incident response team are comprised of key employees, and third-party information security experts from leading cybersecurity incident response firms, who are responsible for efficiently and effectively responding to cybersecurity incidents. We have established comprehensive incident response and recovery plans and continue to evaluate the effectiveness of those plans. Our Cybersecurity Risk Committee, chaired by our Head of IT, and comprised of functional leaders, provides oversight, direction and guidance related to the cybersecurity risk management decisions. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Risk Factors We rely on information technology in our operations, and any material failure, inadequacy, interruption or security failure of that technology could harm our business. 22 Table of Contents Cybersecurity Governance The Board of Directors considers cybersecurity risk as part of its risk oversight function, and the Audit Committee of our Board oversees Realty Income’s cybersecurity and other information technology risk exposures and the steps taken by management to monitor and control such exposures. Our cybersecurity risk profile and cybersecurity program status are reported to the Audit Committee on a quarterly basis. In addition, management updates the Audit Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity, and the full Board also receives briefings from management on our cybersecurity risk management program, as appropriate. Our management team, including the Cybersecurity Risk Committee chaired by our Head of IT and comprised of functional leaders across the Company, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team has extensive experience implementing and operating cybersecurity technologies, policies, and procedures throughout various industries and includes a Certified Information Systems Security Professional with ISC2. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

Company Information