Chatham Lodging Trust 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Chatham Lodging Trust reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 12:52:27 EST.

Filings

10-K filed on 2024-02-27

Chatham Lodging Trust filed a 10-K at 2024-02-27 12:52:27 EST
Accession Number: 0001476045-24-000019


Item 1C. Cybersecurity.

Our management and Board recognize the critical importance of addressing cybersecurity threats and risks to our business and operations. Therefore, we have established a comprehensive framework to assess, respond to, and manage material risks arising from cybersecurity threats.

Assessment, Identification and Management of Material Risks from Cybersecurity

We rely on the cybersecurity strategy and policies implemented by IHM, the manager of all the Company's properties, with whom we share corporate office space. IHM's cybersecurity strategy prioritizes detection and analysis of and response to known, anticipated or unexpected threats, effective management of security risks and resilience against cyber incidents. IHM's enterprise-wide cybersecurity program is aligned to the National Institute of Standards and Technology Cybersecurity Framework.

IHM's cybersecurity risk management processes include technical security controls, monitoring systems, tools and related services, which include tools and services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. IHM has implemented and continues to implement risk-based controls designed to prevent, detect and respond to information security threats and we rely on those controls to help us protect our information, our information systems, and the information of our investors and other third parties who entrust us with their sensitive information. IHM's cybersecurity program includes physical, administrative and technical safeguards, as well as plans and procedures designed to help IHM prevent and timely and effectively respond to cybersecurity threats and incidents, including threats or incidents that may impact us. IHM's cybersecurity risk management process seeks to monitor cybersecurity vulnerabilities and potential attack vectors, evaluate the potential operational and financial effects of any threat and mitigate such threats.
The assessment of cybersecurity risks, including those which may impact us, is integrated into IHM's information technology program. In addition, both IHM and the Company periodically engage with third-party consultants and key vendors to assist them in assessing, enhancing, implementing and monitoring its cybersecurity risk management programs and responding to incidents. IHM undertakes periodic internal security reviews of our information systems and related controls, including systems affecting personal data and the cybersecurity risks of IHM's and our critical third-party vendors and other partners. IHM also completes periodic external reviews of its cybersecurity program and practices, which include assessments of relevant data protection practices and targeted attack simulations.

In addition, much of the sensitive information relating to hotel guests are controlled by the respective franchisor companies, affiliates of Marriott International, Inc., Hilton Worldwide Holdings, Inc., and Hyatt Hotels Corporation, each of which is a public company with enhanced cybersecurity protection policies in place which each publicly discloses.

In addition, to aid its own security, the Company has adopted a number of cybersecurity policies including an Incident Response Plan, an Acceptable Use Policy for employees and a Service Provide Cybersecurity Management Policy (the "Cybersecurity Policies"), through which the Company ensures that key vendors with access to sensitive information have contractual terms obligating their compliance with the Company processes, policies and procedures. IHM, in coordination with the General Counsel, is responsible for testing the Incident Response Plan on a periodic basis.
In addition, the Audit Committee and the General Counsel will review on at least an annual basis the Incident Response Plan and update the Incident Response Plan, as appropriate, to address applicable legal requirements and the Company's policies, procedures and information security and business objectives. Periodically, the Audit Committee will review (i) the Cybersecurity Policies and (ii) the Company's cybersecurity risk exposure and discusses steps management has taken to monitor or mitigate such risk exposure.

Material Impact of Cybersecurity Risks

In the last three fiscal years, we have not experienced a material information security breach incident, and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, future incidents could have a material impact on our business strategy, results of operations or financial condition. For additional discussion of the risks posed by cybersecurity threats, see "Item 1A. Risk Factors - General Risk Factors - Cybersecurity failures and data security incidents could adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential, personal or other sensitive information and/or damage to our business relationships or reputation, any of which could negatively impact our business, financial condition and operating results."

Governance of Cybersecurity Risks

The Audit Committee of the Board has the primary responsibility for oversight and review of guidelines and policies with respect to risk assessment and risk management, including cybersecurity. IHM and the Company's Chief Executive Officer, Chief Financial Officer, Chief Operating Officer and General Counsel (the "Executive Leadership Team") are responsible for assessing and managing cybersecurity risks.
Certain members of IHM periodically report to the Company's management on cybersecurity issues and management presents information to our Audit Committee as well as our full Board, as appropriate, on cybersecurity matters. Upon verifying that a cybersecurity incident has occurred or is occurring, the Executive Leadership Team or their designees, in cooperation with IHM, will promptly conduct a preliminary assessment of the severity level of the cybersecurity incident. Following this assessment, IHM will report the cybersecurity incident to the Chief Executive Officer, who in consultation with the General Counsel, will inform the chair of the Audit Committee, who will then report such cybersecurity incident to the Board as the chair deems appropriate. All Level 1 (High Severity) cybersecurity incidents will be reported to the Board.


Company Information

Name: Chatham Lodging Trust
CIK: 0001476045
SIC Description: Real Estate Investment Trusts
Ticker: CLDT - NYSE; CLDT-PA - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 30