STARWOOD PROPERTY TRUST, INC. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

STARWOOD PROPERTY TRUST, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 06:52:18 EST.

Filings

10-K filed on 2024-02-22

STARWOOD PROPERTY TRUST, INC. filed a 10-K at 2024-02-22 06:52:18 EST
Accession Number: 0001628280-24-006128


Item 1C. Cybersecurity.

Item 1C. Cybersecurity in this Form 10-K for a discussion of how we address these cybersecurity risks.

We are subject to risks from natural disasters such as earthquakes and severe weather, including as the result of global climate changes, which may result in damage to our properties.

Natural disasters and severe weather such as earthquakes, tornadoes, hurricanes or floods may result in significant damage to the properties securing our loans or in which we invest. In addition, our investments may be exposed to new or increased risks and liabilities associated with global climate change, such as increased frequency or intensity of adverse weather and natural disasters, which could negatively impact our and our borrowers' businesses and the value of the properties securing our loans or in which we invest. The extent of our or our borrowers' casualty losses and loss in operating income in connection with such events is a function of the severity of the event and the total amount of exposure in the affected area. When we have geographic concentration of exposures, a single catastrophe (such as an earthquake) or destructive weather event (such as a hurricane) affecting a region may have a significant negative effect on our financial condition and results of operations. We may be materially and adversely affected by our exposure to losses arising from natural disasters or severe weather, including those associated with global climate change. In addition, global climate change concerns could result in additional legislation and regulatory requirements, including those associated with the transition to a low-carbon economy, which could increase expenses or otherwise adversely impact our business, results of operations and financial condition, or the business, results of operations and financial condition of our borrowers.

Our business may be adversely affected as the result of environmental, social and governance matters.

Our business faces increasing public scrutiny related to environmental, social and governance ("ESG") matters. In particular, shareholder, public and governmental expectations have been increasing with respect to ESG activities, including with respect to corporate responsibility, sustainability, diversity, equity and inclusion and climate change. A number of organizations measure the performance of companies on various ESG topics, and the results of these assessments may be widely publicized and may change frequently. Shareholders and prospective investors may use these assessments to, among other matters, determine whether to invest in our securities, engage with us to advocate for improved ESG performance or disclosure, make voting decisions, or take other actions to hold us and our board of directors accountable with respect to ESG matters. We also face reputational damage in the event we or our Manager does not meet the ESG-related standards or expectations of shareholders, prospective investors or other stakeholders, or if we are unable to achieve acceptable ESG assessments from third parties. In addition, new laws or regulations may be enacted that require certain ESG-related disclosures or performance. Compliance with any such new laws or regulations would increase our regulatory burden, and compliance could be difficult and expensive. The failure to comply with any ESG-related laws or regulations could materially and adversely impact the value of our stock and limit our ability to fund future growth, or result in investigations or litigation, or the threat thereof.

The market price and trading volume of our common stock could be volatile and the market price of our common stock could decline, resulting in a substantial or complete loss of your investment.

The stock markets, including the New York Stock Exchange (the "NYSE"), which is the exchange on which our common stock is listed, have experienced significant price and volume fluctuations. In the past, overall weakness in the economy and other factors have contributed to extreme volatility of the equity markets generally, including the market price of our common stock. As a result, the market price of our common stock has been and may continue to be volatile, and investors in our common stock may experience a decrease in the value of their shares, including decreases unrelated to our operating performance or prospects. Some of the factors that could negatively affect our stock price or result in fluctuations in the price or trading volume of our common stock include: our actual or projected operating results, financial condition, cash flows and liquidity, or changes in business strategy or prospects; actual or perceived conflicts of interest with our Manager or Starwood Capital Group and individuals, including our executives; equity issuances by us or share resales by our stockholders, or the perception that such issuances or resales may occur; actual or anticipated accounting problems; publication of research reports about us or the real estate industry; changes in market valuations of similar companies; adverse market reaction to the level of leverage we employ; additions to or departures of our Manager's or Starwood Capital Group's key personnel; speculation in the press or investment community; our failure to meet, or the lowering of, our earnings estimates or those of any securities analysts; increases in market interest rates, which may lead investors to demand a higher distribution yield for our common stock and would result in increased interest expenses on our debt; failure to maintain our REIT qualification; uncertainty regarding our exemption from the Investment Company Act; price and volume fluctuations in the stock market generally; and general market and economic conditions, including the current state of the credit and capital markets. In the past, securities class action litigation has often been instituted against companies following periods of volatility in their share price. This type of litigation could result in substantial costs and divert our attention and resources.

There may be future dilution of our common stock as a result of additional issuances of our securities, which could adversely impact our stock price.

Our board of directors is authorized under our charter to, among other things, authorize the issuance of additional shares of our common stock or the issuance of shares of preferred stock or additional securities convertible or exchangeable into equity securities, without stockholder approval. Future issuances of our common stock or shares of preferred stock or securities convertible or exchangeable into equity securities may dilute the ownership interest of our existing stockholders. Because our decision to issue additional equity or convertible or exchangeable securities in any future offering will depend on market conditions and other factors beyond our control, we cannot predict or estimate the amount, timing or nature of our future issuances. Additionally, any convertible or exchangeable securities that we issue may have rights, preferences and privileges more favorable than those of our common stock. Also, we cannot predict the effect, if any, of future sales of our common stock, or the availability of shares for future sales, on the market price of our common stock. Sales of substantial amounts of common stock or the perception that such sales could occur may adversely affect the prevailing market price for our common stock.

Item 1B. Unresolved Staff Comments.

None.

Item 1C. Cybersecurity.

We rely on information technology ("IT") systems, including data hosting facilities and other hardware and software platforms, some of which are hosted by third parties, to assist in conducting our businesses. Our IT systems, like those of most companies, may be vulnerable to certain cybersecurity threats such as ransomware, interruption of services, data breaches, or any other cyber incident that could adversely impact our ability to operate our core business functions. As a financial services firm, we do not maintain a significant level of personally identifiable information data. Accordingly, our exposure to data breaches is more limited. In the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, cash flow or financial condition. However, we have, from time to time, experienced threats to and breaches of our data and systems, including malware and computer virus attacks.

We consider cybersecurity, along with other top risks, within our enterprise risk management framework. The enterprise risk management framework includes internal reporting at the business and enterprise levels, with consideration of key risk indicators, trends and countermeasures for cybersecurity and other types of significant risks. We have implemented a comprehensive cybersecurity program that employs various controls and activities aimed at identifying, protecting against, detecting, and responding to cybersecurity threats. These controls and activities include hardware and software inventory tracking, endpoint protection, and network security measures to safeguard our assets from unauthorized access and attacks. We prioritize data protection through data classification and access management designed to permit access only by authorized personnel.

Our cybersecurity incident response plan, integrated into the enterprise risk management framework, outlines a structured process for handling information security incidents involving assets or data. It guides our computer security incident response team in containing, eradicating, and recovering from incidents while minimizing damage and disruption. The plan includes a clearly defined notification framework ensuring timely communication with business and management teams based on the incident's severity and potential impact. Controls and related activities are designed taking into consideration recognized third party cybersecurity frameworks. Oversight of cybersecurity is a joint responsibility of our Board of Directors and Audit Committee, with each receiving at least quarterly updates from management on our cybersecurity program, including measures taken to address cybersecurity risks and significant cybersecurity incidents. We also maintain a cybersecurity insurance policy to mitigate risks associated with cybersecurity incidents.

Our Chief Information Officer leads our overall cybersecurity function and is responsible for developing and implementing our information security program and managing our response to threats. In addition to our in-house cybersecurity capabilities, at times we also engage third parties to assist with assessing, identifying, and managing cybersecurity risks. Members of our IT security team, including the third party security firms we utilize as part of our program, have cybersecurity experience or certifications, such as the Certified Information Systems Security Professional certification. We utilize on-premises and cloud-based security solutions, with real-time monitoring provided by specialized managed security services providers. These external managed security service providers collect events generated by critical systems in real time, filter non-security events, and then correlate the information using security data analytical engines so that personnel can identify and analyze threats. We also periodically perform simulations and tabletop exercises at a management level and incorporate external resources and advisors as needed.

All employees are required to complete a monthly computer-based Security Awareness Training Program that includes various topics on cybersecurity risk management best practices. This program educates users to identify information security threats and what actions should be taken. Additionally, the employees are regularly tested with phishing campaigns reinforcing their awareness of email threats. Annual risk assessments of our Information Security Program are conducted to identify emerging information security and third party risks. In addition, periodic vulnerability assessments and penetration tests are conducted throughout the year to support the identification of risks. We also conduct independent audits on both the design and operational effectiveness of security controls and consult with external advisors on best practices to address new challenges.

With respect to our software platforms that are hosted by third parties, we utilize an external vendor risk management platform to evaluate, rate, monitor and track vendor risk. The security practices and processes of the service providers are monitored regularly, and periodic audits are performed on the security adequacy and compliance of the service provider. For any of our hosted applications we require the vendor to maintain a System and Organization Controls ("SOC") 1 or SOC 2 report. If a third party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis. Our assessment of risks associated with the use of third party providers is part of our overall cybersecurity risk management framework.


Company Information

Name: STARWOOD PROPERTY TRUST, INC.
CIK: 0001465128
SIC Description: Real Estate Investment Trusts
Ticker: STWD - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30