Peakstone Realty Trust 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Peakstone Realty Trust reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 17:29:33 EST.

Filings

10-K filed on 2024-02-22

Peakstone Realty Trust filed an 10-K at 2024-02-22 17:29:33 EST
Accession Number: 0001600626-24-000023

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy 30 Table of Contents The cybersecurity risk management program, processes and strategy described in this section are limited to the personal and business information belonging to or maintained by the Company (collectively, Confidential Information ), our own third-party critical systems and services supporting or used by the Company (collectively, Critical Systems ), and Service Providers. The Company s subsidiaries lease to and, in some instances, manage for our tenants the properties we own, but we do not have actual or contractual access to the systems or information maintained or used by our tenants. Our tenants are directly or indirectly (through their own service providers) responsible for maintaining programs and processes to protect their systems and information from various risks from cybersecurity threats. We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our Confidential Information and Critical Systems. Our cybersecurity risk management program is integrated into our overall enterprise risk management program and includes a cybersecurity incident response plan. We design and assess our program based on the information security standards published by the International Organization for Standardization 27002 ( ISO 27002 ). This does not imply that we meet any particular technical standards, specifications, or requirements, but only that we use the ISO 27002 as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program includes: risk assessments designed to help identify material cybersecurity risks to our Confidential Information, Critical Systems and the broader enterprise IT environment; a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents; the use of Service Providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls; cybersecurity awareness and spear-phishing resistance training of our employees, incident response personnel, and senior management; a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and a vendor management policy for Service Providers. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, could have a material adverse effect on us including an adverse effect on our business, financial condition and results of operations. See Risk Factors General Risks Cybersecurity risks and cyber incidents or the failure to comply with laws and regulations concerning data privacy and security may adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential information, and/or damage to our business relationships, any of which could have a material adverse effect on us. Cybersecurity Governance Our executive management team, along with our managed information technology Service Provider, Strebe Corporation, a California corporation d/b/a Connetic ( Connetic ), is responsible for assessing and managing risks from cybersecurity threats to the Company, including our Confidential Information and Critical Systems. The team has primary responsibility for our overall cybersecurity risk management program. Our management team works closely with Connetic, which has provided information technology support, security audit and on-call services to financial industry participants for more than 25 years. Our management team meets with Connetic regularly to discuss then-current cybersecurity issues, which may include efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, including threat intelligence and other information obtained from governmental, public or private sources, and external service providers engaged by us; and alerts and reports produced by security tools deployed in the information technology environment including a spear-phishing report. 31 Table of Contents Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee of the Board (the Audit Committee ) oversight of cybersecurity and other information technology risks. The Audit Committee oversees management s implementation of our cybersecurity risk management program. The Audit Committee receives periodic reports from management or Connetic on our cybersecurity risks and cybersecurity risk management program. In addition, the executive management team is responsible for updating the Audit Committee, as necessary, regarding significant cybersecurity incidents. The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives period reports from management or Connetic on our cybersecurity risks and cybersecurity risk management program. The full Board members receives presentations on cybersecurity topics from Connetic as part of the Board s continuing education on topics that impact public companies.

Company Information