STORE CAPITAL LLC 10-K Cybersecurity GRC - 2024-03-14

Page last updated on July 16, 2024

STORE CAPITAL LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 19:25:44 EDT.


10-K filed on 2024-03-14

STORE CAPITAL LLC filed a 10-K at 2024-03-14 19:25:44 EDT
Accession Number: 0000950170-24-031778


Item 1C. Cybersecurity.

Our board of directors recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. Our board of directors is actively involved in oversight of our Company’s risk management, and cybersecurity represents an important component of our overall approach to risk management. Our cybersecurity policies, standards, processes and practices are fully integrated into our risk management approach and are based on recognized frameworks established by the Committee of Sponsoring Organizations of the Treadway Commission 2013 Framework. In general, our Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents if they occur.

Risk Management and Strategy

As one of the critical elements of our overall risk management approach, our cybersecurity program is focused on the following key areas:

Governance: As discussed in more detail under the heading “Governance” below, our board of directors’ oversight of cybersecurity risk management is supported by our Senior Vice President of Information Technology, who leads our cybersecurity team, which is responsible for publishing cybersecurity policies and standards, conducting annual risk assessments and ensuring our compliance.

Collaborative Approach: We have implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that would provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, antimalware functionality and access controls, which are evaluated and improved through vulnerability assessments, audits and cybersecurity threat intelligence.

Incident Response and Recovery Planning: We have established and maintained comprehensive incident response and recovery plans that fully address our response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis.

Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

Education and Awareness: We provide regular, mandatory training for personnel regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices. Further, we perform ongoing phishing simulations to help employees recognize, avoid and report potential threats that could compromise critical business data and systems. Additional mandatory training is provided to employees who engage in potentially compromising activities during these simulations.

We engage in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning.

We may engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to those charged with governance by our Senior Vice President of Information Technology, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these activities.

Governance

Our board of directors oversees our risk management approach, including the management of risks arising from cybersecurity threats. Our board of directors receives periodic presentations and reports on cybersecurity risks, which address a wide range of topics, including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. Our board of directors also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On a periodic basis, our board of directors discusses our Company’s approach to cybersecurity risk management with management.

Our board of directors, in connection with management led by our Senior Vice President of Information Technology, work collaboratively across our Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity risk management program, multidisciplinary teams throughout our Company are deployed to address cybersecurity threats and respond to cybersecurity incidents. Through ongoing communications with these teams, our board of directors monitors the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents in real-time and report such threats and incidents to management when appropriate.

Our Senior Vice President of Information Technology has served in his role since January 2020 and has managed STORE’s Information Technology department since joining the Company in January of 2015. In these roles, he has been instrumental in the evolution and implementation of our business systems and technical infrastructure as well as the development and enforcement of Sarbanes-Oxley (SOX) compliance processes and reporting. Prior to joining STORE, he was the Chief Information Officer for Southwest Network, a non-profit organization for mental and behavioral health services serving the greater Phoenix, Arizona community. He has over 35 years of experience in the information technology industry serving in several technical and leadership positions.

Cybersecurity Threats

As of the date of this Annual Report on Form 10-K, we do not believe that any risks from cybersecurity threats have had or are reasonably likely to have a material effect on us, our business strategy, results of operations, or financial condition.

Company Information

SIC Description: Real Estate Investment Trusts
Category: Non-accelerated filer
Fiscal Year End: December 30