GTJ REIT, INC. 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

GTJ REIT, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 15:53:45 EDT.

Filings

10-K filed on 2024-03-21

GTJ REIT, INC. filed an 10-K at 2024-03-21 15:53:45 EDT
Accession Number: 0000950170-24-034640

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We are committed to ensuring the confidentiality, availability and integrity of our data. Our cybersecurity strategy is informed, maintained and updated through various methodologies and external resources. As the concerns and issues evolve in cybersecurity, we remain focused on resiliency and continuous improvement to help enhance our cyber posture. We regularly reevaluate the threat landscape and evolve our controls to address new vulnerabilities and threats. Risk Management and Strategy We regularly utilize information technology and data to operate our business. We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to critical computer networks, third party hosted services, communications systems, software, and hardware. Our critical data includes confidential, personal, and proprietary data (collectively Information Assets ). The Company s risk management program is designed to manage identified material risks, which would include material cybersecurity risks. We rely on a team of internal and external resources, including external information technology and information security vendors to assess how identified cybersecurity threats could impact our business. These assessments may leverage, among other processes, industry tools and metrics designed to assist in the assessment of risks from such cybersecurity threats. Accordingly, we work with third party providers to assess the environment to identify cybersecurity threats, determine their likelihood of occurring, and assess potential material impact to our business. Based on the risk assessment, we implement and maintain risk management processes designed to protect the confidentiality, integrity, and availability of our Information Assets and mitigate harm to our business. We implement and maintain various technical, physical and organizational controls designed to manage and mitigate material risks from cybersecurity threats to our Information Assets. The cybersecurity risk management and mitigation measures we implement for certain of our Information Assets include: policies and procedures designed to address information security, including external assessments to consider our exposure to cybersecurity threats, environment, compliance with risk mitigation procedures, and effectiveness of relevant controls documented risk assessments encryption of data network security controls physical and electronic access controls asset management, tracking and disposal systems monitoring and employee security training. We also have a cybersecurity training and compliance program in place for the Company whereby our connected employees are tested routinely through simulated phishing attempts. We have not identified known risks, including as a result of prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, refer to Part I, Item 1A. Risk Factors for additional information about cybersecurity-related risks. Governance Our cybersecurity risk assessment and management processes are implemented and maintained by Company management. The Chief Executive Officer, President and Chief Financial Officer discuss the cybersecurity programming. The Chief Financial Officer is responsible for the ongoing engagement of outside third parties to evaluate and update controls as recommended. Management is also responsible for working with appropriate third party vendors to evaluate the Company s risk profile and to update the controls for the Company s technology resources. Management is tasked with integrating cybersecurity considerations into the Company s overall risk management strategy, focus on appropriate priorities and approving related budgets, helping prepare for cybersecurity incidents, and soliciting and reviewing security assessments. Our board of directors addresses the Company s cybersecurity risk management as part of its general oversight function. The Board is responsible for overseeing the Company s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. The Board also has access to various reports, summaries or presentations related to cybersecurity threats, risk, and mitigation. Management is involved with the Company s efforts to prevent, detect, and mitigate cybersecurity incidents by overseeing preparation of cybersecurity policies and procedures. Management participates in cybersecurity incident response by anticipating and directing the Company s response to cybersecurity incidents. Our cybersecurity incident response processes are designed to identify and escalate certain cybersecurity incidents and vulnerabilities to members of management. Depending on the circumstances, management may work with third party experts and escalate to the Board as necessary. 28

Company Information