BGO Industrial Real Estate Income Trust, Inc. 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

BGO Industrial Real Estate Income Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 17:14:23 EDT.

Filings

10-K filed on 2024-03-21

BGO Industrial Real Estate Income Trust, Inc. filed an 10-K at 2024-03-21 17:14:23 EDT
Accession Number: 0001410578-24-000263

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy As an externally managed REIT, our day-to-day operations are managed by the Adviser under the oversight of our board of directors. Our executive officers are senior professionals of the Adviser. As such, we are reliant on the Adviser to provide to us with information regarding its cybersecurity program that is relevant to us. The Adviser maintains a comprehensive cybersecurity program, including policies and procedures designed to protect its systems, operations, and the data utilized and entrusted to it, including by us, from anticipated threats or hazards. The 78 Table of Contents Adviser utilizes a variety of protective measures as part of its cybersecurity program. These measures include, where appropriate, physical and digital access controls, patch management, identity verification and mobile device management software, employee cybersecurity awareness and best practices training programs, security baselines and tools to report anomalous activity, and monitoring of data usage, hardware and software, among others. The Adviser tests its cybersecurity defenses regularly through automated and manual vulnerability scanning to identify and remediate critical vulnerabilities. In addition, it conducts tests to validate its security posture. Further, the Adviser engages in cyber incident tabletop exercises and scenario planning exercises involving hypothetical cybersecurity incidents to test its cyber incident response processes. Tabletop exercises are conducted by the Adviser s information technology security team in collaboration with outside service providers as appropriate and includes members of the Adviser s senior management and Legal/ Compliance team. Learnings from these tabletop exercises and any events that the Adviser experiences are reviewed, discussed, and incorporated into its cybersecurity framework as appropriate. In addition to the Adviser s internal exercises to test aspects of its cybersecurity program, the Adviser periodically engages independent third parties to assess the risks associated with its information technology resources and information assets. Among other matters, these third parties analyze data on the interactions of users of the Adviser s information technology resources, including employees, and conduct penetration tests and scanning exercises to assess the performance of the cybersecurity systems and processes. The Adviser has a comprehensive cybersecurity incident response plan (the IRP ) designed to inform the proper escalation (including, as appropriate, to our executive officers and other representatives of the Adviser or its affiliates) of non-routine suspected or confirmed information security or cybersecurity events based on the expected risk an event presents. As appropriate, a team composed of individuals from several internal technical and managerial functions may be formed to investigate and remediate the event and determine the extent of external advisor support required, including from external counsel, forensic investigators, and/or law enforcement. The IRP sets out ongoing monitoring or remediating actions to be taken after resolution of an incident. The IRP is reviewed at least annually. The Adviser maintains a cybersecurity risk management process to identify and mitigate risks that impact the firm. The Adviser s Vice President, IT Security periodically discusses and reviews cybersecurity risks and related mitigants with the Adviser s Information Security Steering Committee and incorporates relevant cybersecurity risk updates and metrics. The Adviser employs a process designed to assess the cybersecurity risks associated with the engagement of third-party vendors. This assessment is conducted on the basis of, among other factors, the types of services provided and the extent and type of data accessed or processed by a third-party vendor. In the last three fiscal years, we have not experienced a material information security breach incident, and the expenses we have incurred from information security breach incidents have been immaterial. However, future incidents could have a material impact on our business strategy, results of operations or financial condition. For a discussion of how risks from cybersecurity threats affect our business, and our reliance on the Adviser and its affiliates in managing these risks, see Part 1. Item 1A. Risk Factors Cybersecurity risks could result in the loss of data, interruptions in our business, damage to our reputation and subject us to regulatory actions, increased costs and financial losses, each of which could materially adversely affect our business and results of operations. in this Annual Report on Form 10-K. Cybersecurity Governance The Adviser has a dedicated cybersecurity team, led by its Vice President, IT Security, who works closely with the Adviser s Information Security Steering Committee , to develop and advance the firm s cybersecurity strategy, which applies to us. The Adviser s Information Security Steering Committee includes its Chief Information Officer, Chief Risk Officer, and General Counsel. The Vice President, IT Security has extensive experience in cybersecurity and technology and is responsible for all aspects of cybersecurity across the Adviser. He has a has more than 26 years of experience in diversified information technology and security. He holds a Bachelor’s degree in Electronics and Communication Engineering.He possesses industry-recognized certifications such as CISSP, CRISC, and CISM 79 Table of Contents The Adviser conducts periodic cybersecurity risk assessments, including assessments or audits of third-party vendors, and assists with the management and mitigation of identified cybersecurity risks. The Vice President , IT Security reviews the cybersecurity framework annually as well as on an event-driven basis as necessary. The Vice President, IT Security also reviews the scope of the cybersecurity measures periodically, including in the event of a change in business practices that may implicate the security or integrity of the Adviser s information and systems. Our board of directors is responsible for understanding the primary risks to our business, including any cybersecurity risks, and has delegated such responsibility for such oversight of cybersecurity matters to the audit committee. The audit committee is responsible for reviewing periodically our and the Adviser s information technology security controls and related compliance matters, with management. The board of directors and audit committee may also receive periodic updates from management as to our and the Adviser s cybersecurity risks and the Adviser cybersecurity program developments.

Company Information