Physicians Realty Trust 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Physicians Realty Trust reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:11:13 EST.

Filings

10-K filed on 2024-02-22

Physicians Realty Trust filed an 10-K at 2024-02-22 16:11:13 EST
Accession Number: 0001574540-24-000041

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We assess, identify and manage material risks from cybersecurity threats through the cyber risk management program supervised by our Chief Informational Security Officer ( CISO ). The cybersecurity program utilizes our cloud security backbone along with complementary tools to identify, prevent, detect, respond to, and recover from cybersecurity incidents, including: regular cybersecurity awareness training f or employees and contractors on our policies and emerging risks from cybersecurity threats, as well as regular phishing awareness training; internal and third party cybersecurity testing, including penetration testing of our information systems and devices; protective and detective cybersecurity controls built into our systems and applications; cybersecurity incident monitoring and response efforts, including our security breach incident response plan (the Incident Response Plan ), to identify, assess, escalate, investigate, contain, and remediate incidents; and disaster recovery and business continuity planning efforts. Our cybersecurity team utilizes a cyber risk management and quantification system ( CRQ ). The CRQ provides intelligence and insights on potential areas of cyber risk and analyzes risk across the major stages of typical cyberattacks and covers a number of entities in our environment, including third party providers. The CISO monitors the CRQ to help ensure that cyber risk assessment and reduction is integrated into the Company s overall risk management system. As part of the above processes, we regularly collaborate with third-party entities to enhance and fortify our cybersecurity risk management program, including through internal and external penetration testing and cybersecurity awareness training. As needed, we require third party service providers to adhere to certain cybersecurity standards and processes and agree to be subject to cybersecurity audits. A discussion of how our business, financial condition, and results of operations could be materially adversely affected by risks from cybersecurity threats is contained under Cybersecurity incidents could disrupt our business and result in the compromise of confidential information in Item 1A. Risk Factors. Governance Our Board has risk oversight responsibility for the Company, which it administers directly and with assistance from its committees. In connection with its assessment of the Company s risk environment, t he Board receives comprehensive updates on cybersecurity risks every quarter from the CISO. The audit committee assists the Board in fulfilling its oversight responsibility with respect to, among other things, enterprise risk management, including information technology and cybersecurity risks. In performing these functions, the audit committee meets regularly with our management to review any significant risks or exposures. Pursuant to the Incident Response Plan, our Incident Response Team is responsible for our incident handling capability, which includes preparation, detection, analysis, containment, eradication, recovery, and follow-up capabilities in response to cybersecurity incidents. The Incident Response Team is led by the CISO and includes management from the 46 Administration, Legal, Information Security and Technology, Physical Security and Facilities Management, Communications and Public Relations and Human Resources fields. When required, or if otherwise appropriate, management informs the Board and/or Board committee of any cybersecurity incidents. The CISO conducts semi-annual meetings of the Incident Response Team to review and document compliance with the Incident Response Plan. In collaboration with the Incident Response Team, the CISO reviews and updates the Incident Response Plan as necessary annually. In addition, the Chair of the Audit Committee conducts an annual review of the Incident Response Plan. The CISO has more than thirteen years of previous professional experience across diverse roles, including managing information security, establishing robust information and cybersecurity programs, crafting business continuity and disaster recovery strategies, and managing complex IT environments as an IT Director, IT Manager, and Senior IT Systems Administrator. He attended the University of Wisconsin Milwaukee for his undergraduate in Management & Information Systems. He has worked in industries such as banking and investments, health care, real estate, private equity, and property management. He is an active member of the Midwest Cybersecurity Alliance and regularly participates in industry cybersecurity meetings and conferences to stay abreast of trends and collaborate with cybersecurity professionals. The members of the Incident Response Team are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the Incident Response Plan processes described above. 47

Company Information