MPT Operating Partnership, L.P. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

MPT Operating Partnership, L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 17:08:06 EST.

Filings

10-K filed on 2024-02-29

MPT Operating Partnership, L.P. filed an 10-K at 2024-02-29 17:08:06 EST
Accession Number: 0000950170-24-023248

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Cyber Risk Management and Strategy We have developed, implemented, and continue to maintain processes and procedures to identify and mitigate cybersecurity risks across our company (including our offices in Europe). Because we rely on various information technology systems and software programs to operate our business, we have an extensive cybersecurity program designed to protect our properties and confidential data. Our cybersecurity risk management and strategy program includes the following: implementing the latest software releases and tools (including multi-factor authentication) in a timely manner; seek to minimize the amount of personal information collected and stored about our employees and seek to avoid any collection and storage of non-financial or contact information from our tenants/borrowers; constant security monitoring of computers, networks, and cloud-based information assets to detect and respond to cybersecurity risks and threats; third party internal and external vulnerability assessments and penetration testing; annual review and audit of cyber controls and procedures; periodic review of cybersecurity procedures and implementation of new procedures as necessary to adhere to cybersecurity standards set forth by the National Institute of Standards and Technology; periodic evaluation and review of cybersecurity risks associated with our use of key third-party business partners, vendors, and service providers. Because we do not control the systems or cybersecurity plans put in place by such third parties, and we may have limited contractual protections with such parties, we may be negatively impacted as a result of threats or incidents experienced by such third parties; security awareness training provided during employee onboarding process and successful completion required at least annually for all employees with passing requirements; employee anti-phishing campaigns performed at least quarterly; a cybersecurity incident response plan, which is reviewed annually, but generally consists of a coordinated approach to investigating, containing, documenting, and reporting findings and keeping management and others informed and involved as appropriate; and a cybersecurity risk insurance policy. We have not identified any known cybersecurity threats or incidents within the prior year that have materially affected or are reasonably likely to materially affect us, including our overall business strategy, results of operations, or financial condition. Although we have taken steps to protect the security of our information systems and the data maintained in those systems, there is no guarantee the measures and security we have implemented will be successful in detecting and preventing a cybersecurity incident. Please refer to Item 1A of this Annual Report on Form 10-K for more information regarding additional risks related to cybersecurity and information technology. Cyber Governance Cybersecurity holds a pivotal role in our comprehensive risk management processes and is a key focus for both our Board and management. Our management has primary responsibility for identifying, assessing, and managing our exposure to cybersecurity threats and incidents. However, the Board, led by members of the Risk Committee, oversees the enterprise risk management process, specifically addressing material risks stemming from cybersecurity threats. 39 The Board receives regular updates from the Computer Security Incident Response Team ( CSIRT ) to provide insight into significant cybersecurity risks, potential impacts on business operations, and management’s strategies for identifying, monitoring, and mitigating these risks. This includes sharing results from assessments or audits of relevant processes. Led by our Director of Information Technology and Security ( Director of IT ) with over 40 years of experience in Information Technology, our CSIRT, comprising cross-functional professionals, collaborates to execute our cybersecurity risk assessment and management processes by reviewing and assessing cybersecurity initiatives, including the incident response plan, cybersecurity compliance, training, and overall risk management efforts. The collaborative efforts of the Board and our skilled CSIRT team underscore our commitment to effectively addressing and mitigating cybersecurity risks within the organization. 40

Company Information