Net Lease Office Properties 10-K Cybersecurity GRC - 2024-03-06

Page last updated on April 11, 2024

Net Lease Office Properties reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 16:38:22 EST.

Filings

10-K filed on 2024-03-06

Net Lease Office Properties filed an 10-K at 2024-03-06 16:38:22 EST
Accession Number: 0001952976-24-000019

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. As an externally managed company, our day-to-day operations are managed by our Advisor and our executive officers (all of whom are executive officers of our Advisor) under the oversight of our Board. We rely on our Advisor for assessing, identifying and managing material risks to our business from cybersecurity threats. Below are details our Advisor has provided to us regarding its cybersecurity program that are relevant to us. Management and Board Oversight Our Advisor s cybersecurity approach incorporates a layered portfolio of comprehensive employee training programs, multiple resources to manage and monitor the evolving threat landscape and knowledgeable teams responsible for preventing and detecting cybersecurity risks. Net Lease Office Properties 2023 10-K 19 As part of our Board s oversight of risk management, our Board of Trustees will review our cyber-risks and the actions being taken to mitigate such risks with our Advisor. These actions include implementing industry-recognized practices for protecting systems, third-party monitoring of certain systems and cybersecurity training for the Advisor s employees. Board oversight of risk is also performed as needed between meetings through our Audit Committee and communications between our Advisor and our Board of Trustees. Our Board of Trustees will receive periodic education around cybersecurity risks and best practices. Additionally, our Audit Committee, which consists solely of independent trustees, is responsible for overseeing cybersecurity risks and related initiatives. Our Audit Committee reviews our enterprise risk and cybersecurity risks. It also reviews the steps our Advisor has taken to protect against threats to our information systems and security and receives updates on cybersecurity on a quarterly basis. Our Advisor s information technology team is led by its Chief Information Officer who has extensive experience working with information security systems. Our Advisor s information technology team consists of individuals with expertise in assessing, preventing and addressing cybersecurity risk and is responsible for executing our cybersecurity program as well as communicating regularly with our Advisor s senior management, our Advisor s cybersecurity governance committee, the Audit Committee and the Board. Our Advisor s cybersecurity governance committee, comprised of the Advisor s Chief Financial Officer, Chief Legal Officer, Chief Information Officer, Head of Internal Audit and senior members of its information technology team, are responsible for developing and maintaining our cybersecurity policies and standards, monitoring ongoing compliance and program updates, and ensuring our information security is aligned with our business objectives and strategies under the oversight of our Board. Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats Our Advisor s cybersecurity program focuses on (1) preventing and preparing for cybersecurity incidents, (2) detecting and analyzing cybersecurity incidents and (3) containing, eradicating, recovering from and reporting cybersecurity events. Prevention and Preparation Our Advisor employs a variety of measures to prevent threats related to privacy, information technology security and cybersecurity, which include password protection, frequent mandatory password change events, multi-factor authentication, internal phishing testing, vulnerability scanning and penetration testing. Our Advisor s information technology and internal audit teams utilize frameworks based on industry standards to identify and mitigate information security risks and oversee an active cybersecurity training program. For example, in January 2023, our Advisor s information technology team held a tabletop exercise with senior management of the Advisor to consider different cybersecurity scenarios. Our Advisor s information technology team also recently worked with various third-party consultants to update our incident response plan. In addition, our Advisor s information technology team conducts routine security assessments as well as ongoing cybersecurity training campaigns for the Advisor s employees to enhance awareness and increase vigilance for the various types of cybersecurity attacks to which they may be exposed. Our Advisor s internal audit team evaluates and monitors our internal controls over systems access in an effort to mitigate information security risks that may result from unauthorized access to systems and data. Third-party vendors are vetted through our Advisor s service delivery program to ensure they have an established cybersecurity program. Our Advisor has also engaged a managed security provider to manage a supply chain defense subscription that will help obtain clear visibility into cybersecurity risks across third party vendors by proactively identifying, prioritizing, and driving remediation for cyber risks posed by critical business partners. Our Advisor s managed security provider s risk operations center will escalate certain alerts regarding third-party vendors directly to the appropriate business partners thus providing direct collaboration with third parties, saving time and improving risk reduction while safeguarding our relationships with such third parties. Detection and Analysis Cybersecurity incidents may be detected through a variety of means, including but not limited to automated event-detection notifications or similar technologies which are monitored by our Advisor s managed cybersecurity provider, notifications from Net Lease Office Properties 2023 10-K 20 our Advisor s employees, vendors or service providers, and notifications from third party information technology system providers. Once a potential cybersecurity incident is identified, including a third party cybersecurity event, the incident response team designated pursuant to our Advisor s incident response plan follows the procedures set forth in the plan to investigate the potential incident, such as determining the nature of the event (e.g., ransomware or personal data breach) and assessing the severity of the event and sensitivity of any compromised data. Containment, Eradication, Recovery, and Reporting In the event of a cybersecurity incident, the incident response team is initially focused on containing the cybersecurity incident as quickly and efficiently as possible, consistent with the procedures in the incident response plan. Containment procedures may include shutting down systems; disconnecting systems from a network, disabling specific ports, protocols, services, functions, etc., disabling access to compromised systems; examining code in a controlled environment and making forensic backups of affected systems for possible legal action for third party forensic analysis. Once a cybersecurity incident is contained, the focus shifts to remediation. Eradication and recovery activities depend on the nature of the cybersecurity incident. They may include returning affected systems to an operationally ready state, confirming that the affected systems are functioning normally and implementing, as necessary, additional monitoring to look for future related activity. Our Advisor has relationships with a number of third party service providers to assist with cybersecurity containment and remediation efforts, including outside legal counsel, vendors and external insurance brokers. In the event of a cybersecurity incident, we intend to follow the steps outlined in our Advisor s incident response plan, including notifying our Audit Committee and Board, as appropriate. Cybersecurity Risks As of December 31, 2023, we are not aware of any material cybersecurity incidents that impacted the Company in the last three years. However, we routinely face risks of potential incidents, whether through cyber-attacks or cyber intrusions over the Internet, ransomware and other forms of malware, computer viruses, attachments to emails, phishing attempts, extortion or other scams. For a discussion of these risks, see Item 1A. Risk Factors The occurrence of cyber incidents, or a deficiency in our Advisor s cybersecurity, could negatively impact our business by causing a disruption to our operations, a compromise or corruption of our confidential information, and/or damage to our business relationships, all of which could negatively impact our financial results .

Company Information