Highlands REIT, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

Highlands REIT, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 17:03:16 EDT.

Filings

10-K filed on 2024-03-14

Highlands REIT, Inc. filed an 10-K at 2024-03-14 17:03:16 EDT
Accession Number: 0001661458-24-000004

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. We designed our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we used the NIST CSF as a guide to help us create our cybersecurity policy. Our cybersecurity risk management program forms a part of our overall enterprise risk management program, and shares reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information. Our cybersecurity risk management program is dependent on the use of external service providers to assist with our information technology security controls. Our cybersecurity policy includes a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents and a third-party risk management process for relevant third-party service providers. We have not identified risks from cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. However, we face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Risk Factors - We are increasingly dependent on information technology, and potential cyber-attacks, security problems, or other disruptions present risks and could disrupt our operations, result in the loss of confidential information or damage our business relationships and reputation. Cybersecurity Governance Our Board considers cybersecurity risk as part of its risk oversight function and our Audit Committee is responsible for the oversight of cybersecurity and other information technology risks. The Audit Committee also oversees management s implementation of our cybersecurity policy. Management will update the Audit Committee, as necessary, regarding any material cybersecurity incidents. Our management team, including our Chief Executive Officer, Chief Operating Officer and Chief Accounting Officer, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and retaining external information technology providers. The members of our management team do not have specialized cybersecurity backgrounds but have general experience managing financial, insurance, legal and operational risks. Our management team utilizes a third-party outsourced information technology service provider to monitor security events and actively respond to potential security incidents. If a security incident is identified, management in conjunction with the outsourced information technology service provider will take the appropriate actions to mitigate and remediate the security incident in a timely manner. Either during the incident, or post remediation, management will determine the materiality of the incident and if deemed material, will inform the Audit Committee and disclose the incident pursuant to SEC rules and regulations.

Company Information