Easterly Government Properties, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Easterly Government Properties, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:32:26 EST.

Filings

10-K filed on 2024-02-27

Easterly Government Properties, Inc. filed a 10-K at 2024-02-27 16:32:26 EST
Accession Number: 0000950170-24-021249


Item 1C. Cybersecurity.

Risk management and strategy

We rely on IT networks and systems to process, transmit and store electronic information and to manage or support our business. We have implemented information security processes designed to identify, assess and manage risks from cybersecurity threats to our systems and data. These processes are supported by a multidisciplinary team, including our legal department, management and third-party information security service providers, as described further below.

We leverage internal and external resources to monitor and evaluate our threat environment, including the use of our third-party managed service provider, manual and automated tools, threat intelligence reporting and analysis services, security scans and testing and internal and external audits. In addition, as part of our ongoing cybersecurity efforts, we have implemented a process for mandatory cybersecurity awareness training for new employees during onboarding and at least annually thereafter. We also conduct ongoing phishing simulations in an effort to raise awareness and support our training efforts.

Our cybersecurity risk assessment process includes quarterly reviews of our cybersecurity controls, annual third-party penetration tests and annual internal assessments of our cybersecurity program as informed by the NIST Cybersecurity Framework. The results of our assessments are discussed with management and the audit committee of our board of directors. We have also established incident response processes for reporting to the audit committee for certain cybersecurity incidents, as appropriate.

We utilize certain third-party service providers to perform a variety of functions relating to the acquisition, development and management of our properties. We seek to engage reliable, reputable service providers that maintain cybersecurity programs. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include a review of the cybersecurity practices of such provider, including through security questionnaires and applicable security certifications or reports, as appropriate.

We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, to date that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Refer to Item 1A. Risk Factors in this Annual Report on Form 10-K for additional discussion about cybersecurity-related risks.

Governance

Our board of directors is responsible for overseeing our strategy and risk management process and discharges its duties both as a full board and through its committees. As reflected in the audit committee charter, our board has delegated to the audit committee oversight of our risk assessment and management process, including processes related to cybersecurity. The audit committee meets at least annually with management, our internal auditor and our contracted Chief Technology Officer to discuss our cybersecurity program in regards to potential significant financial or operational risk exposures and the measures implemented to monitor and address those risks, including those that may result from cybersecurity threats. As necessary or appropriate, these discussions may include our risk assessment and risk management policies.

In addition to our multidisciplinary management team, we rely on our internal audit function in collaboration with a third-party information security service provider to lead our cybersecurity risk assessment and management processes and oversee their implementation and maintenance. We have a longstanding relationship with our third-party information security service provider, which includes services from our contracted Chief Technology Officer. The contracted Chief Technology Officer has approximately 15 years of information technology experience, including nine years in the finance and real estate sectors, and our Head of Internal Audit has approximately 30 years of audit experience, including 20 years in the real estate and financial services sectors.

Management is responsible for hiring personnel to support our cybersecurity strategy, as appropriate, helping to integrate cybersecurity risk considerations into our overall risk management strategy, and communicating key priorities to relevant personnel. Management is also responsible for approving technology budgets, approving cybersecurity processes, and reviewing cybersecurity assessments and other cybersecurity-related matters.


Company Information

Name: Easterly Government Properties, Inc.
CIK: 0001622194
SIC Description: Real Estate Investment Trusts
Ticker: DEA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30