Apple Hospitality REIT, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Apple Hospitality REIT, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:16:23 EST.

Filings

10-K filed on 2024-02-22

Apple Hospitality REIT, Inc. filed an 10-K at 2024-02-22 16:16:23 EST
Accession Number: 0000950170-24-018793

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity To effectively identify, assess and manage risks from cybersecurity threats, the Company maintains a cybersecurity and cyber risk management program which is comprised of the Company-wide cybersecurity strategy and its supporting policies, processes and architecture. This program is part of the Company s enterprise risk management program. Risk Management Strategy The Director of Information Technology, who reports to the Chief Financial Officer, has extensive information technology ( IT ) and cybersecurity knowledge and skills gained from over 15 years of relevant work experience at the Company, and is responsible for leading the Company s cybersecurity and cyber risk management program which includes certain cybersecurity processes covering the Company s corporate systems. These processes include, among other items, the Company s information technology and risk management departments use of an internal set of applications and control activities to actively monitor potential threats to its corporate IT environment and regularly conduct internal testing to identify potential vulnerabilities to the Company s corporate information technology infrastructure and systems. These activities include, but are not limited to, continuous monitoring of network and infrastructure vulnerabilities, automated patching and software updates, redundancy and back-up systems, and incident response planning and handling. The Company s employees are required to report cybersecurity events, including suspicious activity or emails, to the Company s information technology department. Should a cybersecurity event occur within its corporate systems, the Company is positioned to coordinate a swift response to mitigate impacts to its information technology infrastructure and systems. The Company has in place an incident response plan which provides guidance for leadership and employees to swiftly evaluate and respond to cybersecurity incidents. The Company also carries cybersecurity insurance to further mitigate certain potential losses from a cybersecurity incident affecting its corporate IT equipment and systems. The Company s cybersecurity processes also include self-assessments using industry benchmarks as well as input from external industry consultants and ongoing communication with third-party business partners to identify cybersecurity incidents and threats that could potentially impact the Company. The Company has relationships with a number of third-party business partners to assist with cybersecurity incident containment and recovery efforts and assesses the processes and tools used by its third-party business partners to manage their cybersecurity risks. The Company uses a risk-based approach with respect to its use and oversight of third-party service providers, tailoring processes according to the nature and sensitivity of network connectivity or of data accessed, processed, or stored by such third-party service provider. 24 The Company s corporate IT systems are not used to process business transactions with its guests and those systems currently have no connectivity to hotel and/or third-party management and brand technology platforms. The Company s information technology and risk management departments regularly engage with its third-party management companies and brands to understand and benchmark their execution and alignment with applicable policies and industry practices for data protection and cybersecurity. Management and Board Oversight The Company s Board of Directors administers cybersecurity risk oversight primarily through its Audit Committee. The Board s Audit Committee is tasked with oversight responsibility for the Company s enterprise risk management program, including those related to cybersecurity and cyber risks. The Audit Committee receives regular reports from the Chief Financial Officer on, among other things: the Company s cybersecurity risks and threats; the status of projects to strengthen the Company s information security systems; internal and third-party assessments of the Company s cybersecurity program; and the emerging threat landscape. The Audit Committee also receives updates on any cybersecurity incidents experienced by third-party business partners that may pose significant risk to the Company. The Audit Committee provides periodic reporting to the Board of Directors on cybersecurity matters. The Company s IT and risk management departments report directly to the Chief Financial Officer and are directed to immediately report any incidents to the Chief Financial Officer. The Chief Financial Officer also apprises the Audit Committee of cybersecurity incidents consistent with the Company s incident response procedures for more significant incidents and in the aggregate for less significant incidents. Cybersecurity Risks The Company faces a number of cybersecurity risks in connection with its business, although such risks have not materially affected the Company, including its business strategy, results of operations or financial condition, to date. The Company has not experienced any material cybersecurity incidents to date. Notwithstanding the extensive approach the Company takes to address cybersecurity, it may not be successful in preventing or mitigating all cybersecurity incidents or threats. For more information about the cybersecurity risks the Company faces, see the risk factor entitled Technology is used in operations, and any material failure, inadequacy, interruption or security failure of that technology from cyber-attacks or other events could harm the Company s business in Item 1A- Risk Factors. 25

Company Information