City Office REIT, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

City Office REIT, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 06:31:04 EST.

Filings

10-K filed on 2024-02-22

City Office REIT, Inc. filed an 10-K at 2024-02-22 06:31:04 EST
Accession Number: 0001193125-24-042048

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy City Office REIT recognizes the importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. The Company has integrated cybersecurity risk management into our overall risk assessment framework to identify, evaluate and manage cybersecurity threats and risks. Our CFO works closely with our IT service provider and internal auditors to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. Recognizing the complexity and evolving nature of cybersecurity threats, the Company engages with internal auditors and a range of external experts, including cybersecurity assessors and consultants, in evaluating and testing our systems and security processes. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third-parties includes reviews of cybersecurity-related processes and controls in line with current international cybersecurity standards to evaluate the maturity and risks of our current 39 Table of Contents cybersecurity program and consults on security enhancements. The Company further collaborates with these third-parties to conduct threat assessments, penetration testing and social engineering testing to assess the Company s systems, applications and personnel education and awareness regarding cybersecurity threats. As we are aware of the risks associated with third-party service providers, the Company maintains ongoing monitoring to ensure compliance with our service level requirements. As of the date of this filing, we do not believe that our Company, including our business strategy, results of operations, or financial condition, have been materially affected by any cybersecurity incidents for the reporting period covered by this Annual Report on Form 10-K. While we have not experienced any material cybersecurity threats or incidents to our knowledge in recent years, there can be no guarantee that we will not be the subject of future threats or incidents. For further discussion of the risks we face from cybersecurity threats, including those that could materially affect us, refer to Item 1A. Risk Factors in this Annual Report on Form 10-K, including We face risks associated with security breaches through cyber-attacks, cyber intrusions or otherwise, as well as other significant disruptions of our IT networks and related systems. Governance The Board of Directors and Audit Committee are acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Audit Committee is composed of Board members with diverse expertise, including in risk management, technology and finance, equipping them to oversee cybersecurity risks effectively. The Audit Committee is central to the Board s oversight of cybersecurity risks and bears the primary responsibility for this domain. The CFO and CEO play a pivotal role in informing the Audit Committee on cybersecurity risks. The CFO, in his capacity, regularly informs the CEO of all aspects related to cybersecurity risks and incidents ensuring the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. They provide briefings to the Audit Committee as needed, with a minimum frequency of once per year. These briefings encompass a broad range of topics, including: Current cybersecurity landscape and emerging threats; Status of ongoing cybersecurity initiatives and strategies; Incident reports and learnings from any cybersecurity events; and Compliance with regulatory requirements and industry standards. Monitoring While we have not had any material cybersecurity breaches to our knowledge in recent years, the CFO is continually informed about the latest developments in cybersecurity, including potential threats and risk management techniques. The CFO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of security measures and system audits as needed to identify potential vulnerabilities. In the event of a cybersecurity incident, the CFO is equipped with an incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. 40 Table of Contents

Company Information