JLL Income Property Trust, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

JLL Income Property Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 17:09:32 EDT.

Filings

10-K filed on 2024-03-14

JLL Income Property Trust, Inc. filed an 10-K at 2024-03-14 17:09:32 EDT
Accession Number: 0001314152-24-000028

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. To respond to the threat of security breaches and cyberattacks, we rely on a cybersecurity program developed by our Sponsor and Advisor, the implementation of which is led by our Sponsor s and Advisor s Global Chief Information Officer ( CIO ) and Chief Information Security Officer ( CISO ). The cybersecurity program is designed to protect and preserve the confidentiality, integrity and continued availability of all information and systems owned by them, or in their care. Our board of directors has oversight of cybersecurity risk, as indicated in the Company s proxy statement disclosure. Cybersecurity is reviewed as part of our and our Sponsor s and Advisor s overall enterprise risk management program. These are led by our management, our Sponsor s Director of Enterprise Risk Management and our Advisor s Global General Counsel, respectively and assess our significant enterprise risks, provide a summary of those risks and primary mitigations, and identify control improvement projects for our significant risks. The progress of control improvement projects for our Sponsor and Advisor risks are regularly reported to our management and on our risks to our board of directors. Our Sponsor s Director of Enterprise Risk Management regularly meets with their CISO and CIO to assess cybersecurity risks, cybersecurity program mitigants, and status of control improvement projects and our management and other employees of our Advisor regularly meet and communicate with our Sponsor s Director of Enterprise Risk Management, CISO and CIO. Like other companies with a large technology footprint and high-profile client base, our Sponsor and Advisor are regularly subject to cyberattacks. While certain attacks have been successful, thus far none have had a material impact to our operations. In the future, it is possible such attacks could be successful and have a material impact on our operations. Our Sponsor s and Advisor s cybersecurity program strategy is to implement layered controls to reduce their and our cybersecurity risk by minimizing both the likelihood and potential impact of cybersecurity events. These controls are aligned with the National Institute of Standards and Technology (NIST) cybersecurity framework. Our Sponsor s CISO leads our cybersecurity program. Their CISO has over twenty years of relevant experience, including cybersecurity and enterprise security leadership roles for large global organizations and within the U.S. government and holds a master s degree in computer and network forensics. Their CISO leads a global team of cybersecurity professionals with relevant prior employment experience at global financial services firms, leading technology companies, cybersecurity providers, the government and the military, some of whom are dedicated to our Advisor. Their CISO reports to their CIO who is responsible for the development and implementation of their and our technology, data and information management strategy. Their CIO has over twenty years of experience in technology, data management, data science and analytics. Before joining our Sponsor, their CIO previously held positions as Chief Data Officer, Global Head of Customer Intelligence, Head of Global Analytics and Head of Product Management for a large global financial services institution. Their CIO earned a bachelor s degree in mechanical engineering and a master s degree in industrial engineering operations research. Our Sponsor engages third-party consultants in connection with their and our cybersecurity program for assessing, identifying and managing material risks from cybersecurity threats. These third parties provide testing and advisory services to identify risks, improve the quality of controls, and respond to cybersecurity incidents. Our Sponsor, Advisor and we regularly engage third parties to provide technology and/or to perform property management services, where they and we have imperfect visibility into those third parties susceptibility to cybersecurity threats and/or their controls. To help address this risk, our Sponsor s cybersecurity program also includes assessments of cybersecurity threats associated with their, or Advisor s and our use of certain third-party service providers. They and our Advisor leverage pre-procurement security assessments and post-procurement continuous monitoring to evaluate the security risk of certain third-party service providers. 44 Table of Contents We, our Sponsor and Advisor maintain a robust cyber incident response plan that includes controls and procedures designed to allow timely and accurate reporting of any material cybersecurity incident. They and we view cybersecurity as a shared responsibility, and they periodically perform simulations and tabletop exercises at a management level and incorporate external resources as well. They provide at least annual information security training program for our Advisor s employees who have access to Company related sensitive or personal information and regularly conduct phishing trainings. We established a cyber incident management team that consists of our Sponsor s CIO, CISO, CFO, CLO and our CEO, CFO, General Counsel and Head of Marketing that is responsible for determining if a cybersecurity incident is material to us and requires disclosure. In the event of an incident, we intend to follow our detailed incident response playbook, which outlines the steps to be followed from incident detection to mitigation, recovery and notification. Although our Sponsor, Advisor, or we have not experienced any material cybersecurity events to date, cybersecurity threats could materially affect our business strategy, results of operations, or financial condition, as further discussed in our Risk Related to Our General Business Operations and Our Corporate Structure in Part I, Item 1A of this report. Our business is highly dependent on our ability to collect, use, store and manage organizational data. If any of our significant information and data management systems do not operate properly or are disabled, we could suffer a material disruption of our businesses, loss of investor or other sensitive data, regulatory intervention, breach of confidentiality or other contract provisions, or reputational damage. These systems may fail to operate properly or become disabled as a result of events wholly or partially beyond our control, including disruptions of electrical or communications services, natural disasters, political instability, terrorist attacks, sabotage, computer viruses, deliberate attempts to disrupt our computer systems through “hacking,” “phishing,” or other forms of both deliberate or unintentional cyber-attack. As our Sponsor and Advisor outsource significant portions of their information technology functions to third-party providers, such as cloud computing, we bear the risk of them having less direct control over the security and performance of those systems. Our cybersecurity risk is affected by cyber threats that are proliferating and advancing in their ability to identify and exploit vulnerabilities, requiring continuous evaluation and improvements to our security architecture and cyber defenses. We also face increased cybersecurity risk as our Sponsor and Advisor deploy additional mobile and cloud technologies. They are continuously hardening their infrastructure built on these technologies, monitoring for threats, and evaluating their capability to respond to any incidents to minimize any impact to their systems, data, or business operations, including those that impact us. Because our Sponsor services clients across multiple industry verticals many of which are higher-profile cyber targets themselves including financial services, technology, government institutions, healthcare and life sciences, this also may increase the risk that they and we are subject to cyber-attack incidents. As noted above, our Sponsor, Advisor and we have experienced various types of cyber-attack incidents which thus far have been contained and not material to us. Our Sponsor and Advisor continue to implement new controls, governance, technical protections and other procedures to mitigate against the risks of a cybersecurity event. Our Sponsor also maintains a cyber risk insurance policy that provides coverage to us but the costs related to cybersecurity threats or disruptions may not be fully insured. We may incur substantial costs and suffer other negative consequences such as liability, reputational harm and significant remediation costs and experience material harm to our business and financial results if we, our Sponsor, Advisor or other vendors or suppliers we engage, fall victim to other successful cyberattacks. Our Advisor s management and our board of directors provide significant oversight of risks, including those from cybersecurity threats, and are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents applicable to us. Our board of directors receives at least annual reports from our Sponsor s CISO and other members of our Advisor s management on our information security program including top cybersecurity risks, cybersecurity strategy, information system controls and related security measures and improvements, cyber incident response plan, cyber incidents and cyber defense metrics, and cyber security protocols and trainings. 45 Table of Contents

Company Information