RREEF Property Trust, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

RREEF Property Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 17:20:02 EDT.

Filings

10-K filed on 2024-03-14

RREEF Property Trust, Inc. filed an 10-K at 2024-03-14 17:20:02 EDT
Accession Number: 0001542447-24-000019

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY As an externally managed company, our day-to-day operations are managed by our advisor and our executive officers under the oversight of our board of directors. Our executive officers are senior professionals of our advisor, our advisor is a subsidiary of DWS, and DWS is majority owned by Deutsche Bank. Deutsche Bank and its affiliates are collectively referred as Deutsche Bank Group. DWS aligns its information security management system to the latest information security policies defined by Deutsche Bank. The DWS Information Security Framework is managed under Deutsche Bank s framework. As such, we are reliant on Deutsche Bank Group for assessing, identifying and managing material risks to our business from cybersecurity threats. Below are details of the cybersecurity program applicable to Deutsche Bank Group. Cybersecurity governance Responsibility for cybersecurity matters sits within the Chief Security Office, where it forms the first Line of Defense within Deutsche Bank s Three Lines of Defense model. The Chief Security Officer has delegated authority from the Deutsche Bank Management Board ( Management Board ) and reports directly to the Chief Technology, Data, and Innovation Officer, who is a member of the Management Board. Deutsche Bank s Chief Security Officer has served in various roles in information security for more than 20 years. This includes the role as global Chief Information Security Officer ( CISO ) / Chief Security Officer ( CSO ) for three different large European financial institutions and a partner position in a global strategy and consulting firm, leading security work for financial service clients. The Chief Security Officer is supported by information security role holders at various seniority levels to help ensure that security requirements are met from a regional, divisional, and technical perspective. The Chief Security Office develops Deutsche Bank Group s security strategy and oversees its implementation and operationalization globally via the organizational set-up, governance, and implemented security policies. The security strategy is reviewed continually to address changes in the threat landscape, technology, the regulatory environment, the overall corporate and IT strategy, and other internal and external parameters. The Chief Security Office maintains a comprehensive metrics and reporting framework, underpinned by an extensive data set allowing for global, regional, and divisional views. Security metrics and reporting provided to Deutsche Bank Group s governance forums at all seniority levels support appropriate security risk awareness and decision taking. The Management Board receives a comprehensive quarterly information security risk posture report, as well as ad hoc information if required. Furthermore, the Chief Security Officer provides regular updates on material topics relating to security to the Supervisory Board s Committee responsible for technology, data and innovation. Information security risk is managed as an operational risk under the non-financial risk management framework of Deutsche Bank Group. The Chief Security Office, in its responsibility as the first line of defense, executes against 49 Table of Contents the non-financial risk management framework and leverages its various instruments whereas the non-financial risk management as the second line of defense provides oversight, review, and challenge. Accordingly, part of the non-financial risk committee s remit is to oversee and govern Deutsche Bank Group s cybersecurity risk profile, remediation programs and risk tolerance. Should a cybersecurity incident occur, Deutsche Bank Group has an established protocol for communicating such incident to the divisions of Deutsche Bank Group that may be impacted, including chief security officers and division heads. Those personnel in turn will notify potentially affected groups further downstream as applicable, including down to us if any our or our stockholders’ information may be at risk. Deutsche Bank Group s security policy framework defines the core principles of security risk management and the fundamentals for security management. The complete framework is reviewed annually. The framework is governed centrally and applied globally across all product groups and business and infrastructure divisions. The framework includes a clear description of the risk tolerance related to information security. It also sets out the roles, responsibilities and accountabilities of key personnel identified to manage information security risk the strategy and measures to cope with information security breaches, and related communication procedure. Additionally, Deutsche Bank Group s Information Security Management System has been certified according to ISO 27001 for all information security domains defined in that standard since 2012. To maintain the ISO 27001 certification, Deutsche Bank Group performs a full recertification process every three years, with the latest taking place in 2021. In the years a full certification process does not take place, the Deutsche Bank Group performs a certification-follow-up, designed to ensure compliance between certification intervals. The latest certification follow-up was in 2023. The next full recertification will take place in September 2024. Deutsche Bank Group employs a variety of mechanisms to self-identify areas for improvements and control enhancements. These include security testing, security problem management and lessons learned. The effectiveness of Deutsche Bank Group s overall information security program is evaluated on a regular basis by third-party organizations that compare Deutsche Bank Group s approach with industry benchmarks. Deutsche Bank Group s independent internal audit function frequently includes the assessment of security controls in its audit plan. Identifying, assessing and managing cybersecurity threats We and Deutsche Bank Group operate in an environment with increasing levels of digitization and a continually evolving landscape related to cybersecurity threats. Due to the dynamics and complexity of the current environment, the Deutsche Bank Group is continuously monitoring the security threat landscape. Deutsche Bank Group vigilantly observes technological developments, the geopolitical landscape and economic impacts driving security risks and assesses their relevance for potential impacts to Deutsche Bank Group and the wider financial ecosystem. Deutsche Bank Group has a variety of prevention methods and controls in place, such as threat intelligence, data leakage prevention, cyber hygiene, and encryption solutions. These also include placing a strong emphasis on detection, backed by a robust incident-response process. Deutsche Bank Group actively shares best practices and threat information with national and international security organizations, government authorities, and peer organizations. These relationships help to ensure that Deutsche Bank Group s security technology and procedures reflect current industry best practices and keep pace with the threat environment. Deutsche Bank Group s security incident management covers cybersecurity events that may affect it and its subsidiaries, its clients, business partners, or employees. The related management and reporting processes performed with the involvement of compliance, legal and data privacy are designed to enable a quick and effective response to cyberattacks and information security threats. Further, if DWS is notified of an incident, then a communication protocol will be followed to notify affected or potentially affected parties internal and external to DWS, including notification to us if our data or our stockholders data is at risk. The audit committee of our board of directors is responsible for overseeing the implementation of the cybersecurity policies and procedures applicable to us, and related reporting. This includes quarterly reporting to our audit committee as well as ad hoc incident reporting whereby if we are notified of an incident, whether reported to us by Deutsche Bank Group or any of our third-party vendors, we will assess it and advise the audit committee of our board of directors depending on the severity of the incident. The audit committee can, in its discretion and at our expense, retain special legal or other consultants to advise the audit committee or to assist in the conduct of any investigation, subject to our board of directors determination to allocate assets to pay for such investigation. 50 Table of Contents To address evolving security threats, Deutsche Bank Group continually reviews and enhances its information security controls into every layer of technology, including identity and access management, data, infrastructure, devices, and applications. This is complemented by organizational controls and security training and awareness. The purpose of this layered approach is to provide end-to-end protection, as well as multiple opportunities to detect, prevent, respond to, and recover from cyberthreats. Security risks are assessed on a regular basis, at least annually, taking internal as well as external risk drivers and events dynamically into account. A thorough analysis of the external threat landscape, which leverages industry standard threat assessment frameworks, provides a foundation for the assessment of financial industry relevant risk scenarios. These are evaluated against Deutsche Bank Group s capabilities to cope with these risks. In case of emerging developments, additional risk reviews are conducted. Reliance on third parties products and services that support critical operations can affect the risk posture, because these can be the target of new and evolving cybersecurity attacks. This risk, along with expanded regulatory requirements, has necessitated an increased use of technology to better identify information security risks across third parties and where necessary, pro-actively perform outreach with them. Deutsche Bank Group has a third-party risk management process designed to identify, monitor, and mitigate risks arising from working with third parties, which includes oversight of third parties operations related to the services provided. In addition, where appropriate, Deutsche Bank Group will seek to include in its contractual arrangements with certain third-party vendors provisions addressing best practices with respect to data and cybersecurity, as well as the right to assess, monitor, audit and test such vendors cybersecurity programs and practices. For a discussion of how risks from cybersecurity threats affect our business, and our reliance on Deutsche Bank Group in managing these risks, see Part 1. Item 1A. Risk Factors General Risk Factors Cybersecurity risks and data protection could result in the loss of data, interruptions in our business, damage to our reputation, and subject us to regulatory actions, increased costs and financial losses, each of which could have a material adverse effect on our business and results of operations in this Annual Report on Form 10-K.

Company Information