Postal Realty Trust, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Postal Realty Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 17:13:13 EST.

Filings

10-K filed on 2024-02-29

Postal Realty Trust, Inc. filed an 10-K at 2024-02-29 17:13:13 EST
Accession Number: 0001628280-24-008057

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Our various corporate information technology, accounting and financial reporting platforms, enterprise applications and related systems (our Information Systems ) are necessary for our business. We use these systems, among others, to manage key aspects of our business, including relationships with our tenants and vendors, accounting, acquisitions, internal and external communications and property and asset management. We also rely on the secure collection, storage, transmission and processing of proprietary, confidential and sensitive data related to our business (our Sensitive Data ). We utilize a third-party managed information technology service provider (the MSP ) for cybersecurity services, including threat detection and response, vulnerability assessment and monitoring, security incident response and recovery and general cybersecurity education and awareness. Our cybersecurity risk management is integrated into our overall enterprise risk management and shares common methodologies, reporting channels and governance processes that apply across our enterprise risk management. We and our MSP identify, assess and manage material cybersecurity threats and risks to our Information Systems and Sensitive Data through the following, among others: a multidisciplinary team, including a dedicated technology committee (the Technology Committee ) comprising members from senior management, asset management and accounting and legal functions, in conjunction with our MSP and other third-party service vendors, to identify, assess and manage cybersecurity threats and risks; various internal processes and procedures to monitor and evaluate threat environment and our risk profile using methods such as manual and automated tools, subscribing to reports and services that identify and analyze cybersecurity threats, conducting scans of the threat environment, evaluating our industry s risk profile, utilizing internal and external audits and conducting threat and vulnerability assessments; various technical, physical and organizational processes and policies to manage and mitigate material cybersecurity risks, such as risk assessments, incident detection and response, vulnerability management, disaster recovery and business continuity plans, internal controls within our accounting and financial reporting functions, encryption of data, network security controls, access controls, physical security, asset management, systems monitoring, vendor risk management program, employee training and penetration testing; and working with third-party vendors from time to time that assist us to identify, assess and manage cybersecurity risks, such as professional services firms and penetration testing firms. 33 Table of Contents For third-party service vendors that perform a variety of important functions for our business, we seek to engage reliable, reputable service vendors that maintain cybersecurity programs. Depending on the nature and risk profile of the services provided and the sensitivity of information processed, we may from time to time conduct a review of the cybersecurity practices of such vendor, contractually imposing obligations on the vendor and conducting periodic reassessments during their engagement. We are currently not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or, to our knowledge, are reasonably likely to materially affect our business, financial condition and results of operations. See to Item 1A. Risk Factors in this annual report on Form 10-K, including We face cybersecurity risks and risks associated with security breaches , for additional discussion about cybersecurity-related risks. Governance Our Board of Directors oversees our strategy and risk management, including material cybersecurity risks. The Audit Committee of the Board of Directors (the Audit Committee ) oversees our cybersecurity and information technology risk exposures, as well as our cybersecurity and information technology policies and programs, in accordance with its charter. The Audit Committee holds quarterly meetings and receives periodic reports from, and also engages in regular discussions with, management and also our MSP regarding our significant cybersecurity risk exposures and the measures implemented to monitor and control these risks. Our Technology Committee also meets at least quarterly to assess cybersecurity risks and prepares reports to the Audit Committee. A number of members of our Technology Committee have gained relevant knowledge, skills and experience in information technology and cybersecurity risk management, including overseeing third-party vendors in such areas, over their careers at the Company or other organizations. Management is responsible for hiring and overseeing third-party vendors related to cybersecurity and integrating cybersecurity risk considerations into our overall risk management strategy. Our internal cybersecurity incident response processes are designed to escalate cybersecurity incidents to members of management depending on the circumstances and reporting to the Audit Committee for certain cybersecurity incidents, which also allows decisions regarding the public disclosure and reporting of such incidents to be made by management, the Audit Committee and the Board in a timely manner.

Company Information