RLJ Lodging Trust 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

RLJ Lodging Trust reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:42:44 EST.

Filings

10-K filed on 2024-02-27

RLJ Lodging Trust filed a 10-K at 2024-02-27 16:42:44 EST
Accession Number: 0001511337-24-000006


Item 1C. Cybersecurity.

Risk Management and Strategy

We are committed to properly addressing the cybersecurity threats we face, and we have processes to assess, identify, and manage material risks from cybersecurity threats. We apply a comprehensive approach to the mitigation of cybersecurity risks. The risk of cybersecurity threats is integrated into our overall risk management program, which includes an annual risk prioritization process to identify key enterprise-level risks. The cybersecurity threat risk action plan is managed by a dedicated information technology (“IT”) committee (the “IT Committee”), which oversees our cybersecurity program. The IT Committee comprises senior company leaders as well as our outsourced IT services provider. To oversee and identify cybersecurity threat risks on a day-to-day basis, we maintain a security operations center with round-the-clock monitoring.

We have established policies, including those related to privacy, information security and cybersecurity, and we employ a broad and diversified set of mitigation strategies and techniques to reduce cybersecurity risks, including continuous monitoring, early detection tools, proactive vulnerability management, and remediation. Our information security policies are modeled against the National Institute of Standards and Technology’s Cybersecurity Standards and incorporate concepts from the Zero Trust Framework. Given the ever-changing cybersecurity landscape, our IT Committee regularly meets to identify opportunities for incremental improvements, assess additional layers of security, and evaluate new technologies for implementation. In addition, we engage, as necessary, cybersecurity experts to analyze our IT policies, procedures, and infrastructure to assess their effectiveness and to identify opportunities for improvement.

We conduct an annual information security compliance training for all employees to enable them to detect and report malware, ransomware, and other malicious software and social engineering attempts that may compromise our IT systems. Employees also are subject to spear-phishing training campaigns, which allow us to assess the effectiveness of our training programs. Our management companies are ultimately responsible for our guests’ information, and we monitor these companies, as well as other third party service providers, to ensure that they are complying with our privacy, information security and cybersecurity policies. We also assess the cybersecurity proficiency of potential third party cloud suppliers before utilizing their services.

We work closely with our internal and external auditors to assess, identify and manage cybersecurity risks. Our IT internal controls are audited by our external auditor as part of our Sarbanes-Oxley Act compliance activities, and this process includes assessing the design and operating effectiveness of those controls.

Any failure to maintain proper function, security and availability of our information technology networks and systems could interrupt our operations, our financial reporting and compliance, damage our reputation, and subject us to liability claims or regulatory penalties, which could have a material and adverse effect on our business, financial condition and results of operations. Management has not identified cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. See Item 1A. Risk Factors above for more information.

Governance

Our board of trustees is responsible for overseeing the assessment and management of enterprise-level risks that may impact us, including cybersecurity. Two board members have information security expertise from their professional experience. Nathaniel A. Davis has expertise in information technology and experience reviewing and addressing cybersecurity risks. Patricia L. Gibson also has experience assessing and addressing cybersecurity risks through her past professional experience.

Our Audit Committee has primary responsibility for the oversight of risks from cybersecurity threats. Management, including members of the IT Committee, reports at least annually to the Audit Committee regarding cybersecurity risks and mitigation strategies. We consider each member of our Audit Committee to possess information security experience by way of their oversight responsibilities over this area.

In addition to ensuring adequate safeguards are in place to minimize the chance of a successful cyber attack, we have established a cybersecurity incident response plan to effectively address any cybersecurity threat that may occur despite these safeguards. We believe our cybersecurity incident response plan will help ensure timely, consistent and compliant responses to actual or attempted data incidents impacting our company. The cybersecurity incident response plan includes an escalation framework, including processes for informing the board of trustees of material cybersecurity incidents.


Company Information

Name: RLJ Lodging Trust
CIK: 0001511337
SIC Description: Real Estate Investment Trusts
Ticker: RLJ - NYSE; RLJ-PA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30