Page last updated on April 11, 2024
CTO Realty Growth, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:21:27 EST.
Filings
10-K filed on 2024-02-22
CTO Realty Growth, Inc. filed an 10-K at 2024-02-22 16:21:27 EST
Accession Number: 0001558370-24-001534
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY The Board recognizes the critical importance of maintaining the trust and confidence of our tenants and business partners. The Board plays an active role in overseeing management of our risks, and cybersecurity represents an important component of the Company s overall approach to risk management and oversight. The Company s cybersecurity processes and practices are integrated into our risk management and oversight program. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. We utilize a third-party managed IT service provider (the MSP ) to provide comprehensive cybersecurity services for the Company, including threat detection and response, vulnerability assessment and monitoring, security incident response and recovery, and cybersecurity education and awareness. The Company has adopted a written information security incident response plan, which, as discussed below, is overseen by the Audit Committee of the Board (the Audit Committee ). Risk Management and Strategy The Company s cybersecurity program is focused on the following key areas: 41 Table of Contents Governance: As discussed in more detail under Item 1C. Cybersecurity Governance, the Board s oversight of cybersecurity risk management will be supported by the Audit Committee, which regularly interacts with the Company s management team. Collaborative Approach: CTO has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management, the Audit Committee, and the Board in a timely manner. Technical Safeguards: Together with the MSP, we deploy technical safeguards that are designed to protect information systems from cybersecurity threats, including firewalls, intrusion prevention systems, endpoint detection and response systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Incident Response and Recovery Planning: Together with the MSP, we have established a written information security incident response plan that addresses the response to a cybersecurity incident, which plan will be tested and evaluated on a regular basis. Third-Party Risk Management: Together with the MSP, we maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact the Company s business in the event of a cybersecurity incident affecting those third-party systems. Education and Awareness: As directed by the Company, the MSP provides regular training for Company personnel regarding cybersecurity threats as a means to equip such personnel with effective tools to address cybersecurity threats, and to communicate evolving information security policies, standards, processes and practices. Together with the MSP, we will engage in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts will include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The MSP regularly assesses our cybersecurity measures, including information security maturity, and regularly reviews our information security control environment and operating effectiveness. The results of such assessments, audits and reviews will be reported to the Audit Committee and the Board, and we will adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews. Governance The Board, in coordination with the Audit Committee, will oversee the Company s cybersecurity risk management process. The Audit Committee has adopted a charter that provides that the Audit Committee must review and discuss with the Company s management team the Company s privacy and cybersecurity risk exposures, including: the potential impact of those exposures on the Company s business, financial results, operations and reputation; the steps management has taken to monitor and mitigate such exposures; the Company s information governance policies and programs; and major legislative and regulatory developments that could materially impact the Company s privacy and cybersecurity risk exposure. The charter of the Audit Committee also provides that the Audit Committee may receive additional training in cybersecurity and data privacy matters to enable its oversight of such risks and that the Audit Committee will regularly report to the Board the substance of such reviews and discussions and, as necessary, recommend to the Board such actions as the Audit Committee deems appropriate. Our President and Chief Executive Officer, Senior Vice President, Chief Financial Officer and Treasurer, and Senior Vice President, General Counsel and Corporate Secretary work collaboratively with the MSP to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with a written information security incident response plan that we have adopted. These members of our management team, together with the MSP, will monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and will report such threats and incidents to the Audit Committee when appropriate. 42 Table of Contents Our President and Chief Executive Officer, Senior Vice President, Chief Financial Officer and Treasurer, and Senior Vice President, General Counsel and Corporate Secretary each hold degrees in their respective fields, and have an average of over 20 years of experience managing risks at the Company and similar companies, including risks arising from cybersecurity threats. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to affect the Company, including its business strategy, results of operations or financial condition.
Item 1C. Cybersecurity Governance, the Board s oversight of cybersecurity risk management will be supported by the Audit Committee, which regularly interacts with the Company s management team. Collaborative Approach: CTO has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management, the Audit Committee, and the Board in a timely manner. Technical Safeguards: Together with the MSP, we deploy technical safeguards that are designed to protect information systems from cybersecurity threats, including firewalls, intrusion prevention systems, endpoint detection and response systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Incident Response and Recovery Planning: Together with the MSP, we have established a written information security incident response plan that addresses the response to a cybersecurity incident, which plan will be tested and evaluated on a regular basis. Third-Party Risk Management: Together with the MSP, we maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact the Company s business in the event of a cybersecurity incident affecting those third-party systems. Education and Awareness: As directed by the Company, the MSP provides regular training for Company personnel regarding cybersecurity threats as a means to equip such personnel with effective tools to address cybersecurity threats, and to communicate evolving information security policies, standards, processes and practices. Together with the MSP, we will engage in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts will include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The MSP regularly assesses our cybersecurity measures, including information security maturity, and regularly reviews our information security control environment and operating effectiveness. The results of such assessments, audits and reviews will be reported to the Audit Committee and the Board, and we will adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews. Governance The Board, in coordination with the Audit Committee, will oversee the Company s cybersecurity risk management process. The Audit Committee has adopted a charter that provides that the Audit Committee must review and discuss with the Company s management team the Company s privacy and cybersecurity risk exposures, including: the potential impact of those exposures on the Company s business, financial results, operations and reputation; the steps management has taken to monitor and mitigate such exposures; the Company s information governance policies and programs; and major legislative and regulatory developments that could materially impact the Company s privacy and cybersecurity risk exposure. The charter of the Audit Committee also provides that the Audit Committee may receive additional training in cybersecurity and data privacy matters to enable its oversight of such risks and that the Audit Committee will regularly report to the Board the substance of such reviews and discussions and, as necessary, recommend to the Board such actions as the Audit Committee deems appropriate. Our President and Chief Executive Officer, Senior Vice President, Chief Financial Officer and Treasurer, and Senior Vice President, General Counsel and Corporate Secretary work collaboratively with the MSP to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with a written information security incident response plan that we have adopted. These members of our management team, together with the MSP, will monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and will report such threats and incidents to the Audit Committee when appropriate. 42 Table of Contents Our President and Chief Executive Officer, Senior Vice President, Chief Financial Officer and Treasurer, and Senior Vice President, General Counsel and Corporate Secretary each hold degrees in their respective fields, and have an average of over 20 years of experience managing risks at the Company and similar companies, including risks arising from cybersecurity threats. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to affect the Company, including its business strategy, results of operations or financial condition.
Company Information
| Name | CTO Realty Growth, Inc. |
| CIK | 0000023795 |
| SIC Description | Real Estate Investment Trusts |
| Ticker | CTO - NYSECTO-PA - NYSE |
| Website | |
| Category | Accelerated filer |
| Fiscal Year End | December 30 |