Nuveen Global Cities REIT, Inc. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

Nuveen Global Cities REIT, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 10:15:44 EDT.

Filings

10-K filed on 2024-03-22

Nuveen Global Cities REIT, Inc. filed an 10-K at 2024-03-22 10:15:44 EDT
Accession Number: 0001628280-24-012652

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Cybersecurity Program Overview As an externally managed company, our day-to-day operations are managed by our Advisor and our executive officers under the oversight of our board of directors. Our executive officers are senior Nuveen Real Estate professionals and our Advisor is a subsidiary of TIAA. As such, we are reliant on TIAA for assessing, identifying and managing material risks to our business from cybersecurity threats. Below are details TIAA has provided to us regarding its cybersecurity program that are relevant to us. TIAA has a program and formal processes in place to assess, identify, and manage material risks from cybersecurity threats. The Company s business is dependent on the communications and information technology ( IT ) systems of TIAA and other third-party IT service providers to TIAA. TIAA manages the Company s day-to-day operations and has implemented a cybersecurity program that applies to the Company and its operations. TIAA has instituted a cybersecurity program designed to identify, assess, and mitigate cyber risks applicable to the Company. This cyber risk management program involves risk assessments, implementation of security measures, and ongoing monitoring of systems and networks, including networks on which the Company relies. TIAA actively monitors the current cyber threat landscape in an effort to identify material risks arising from new and evolving cybersecurity threats, including material risks faced by the Company in connection with its day-to-day commercial real estate, investment, and other operations. TIAA has a comprehensive cyber attack response plan designed to inform the proper escalation (including, as appropriate, to certain of our executive officers and other representatives of our Advisor) of non-routine suspected or confirmed information security or cybersecurity events based on the expected risk an event presents. As appropriate, a Priority Incident Response Team ( PIRT ) composed of individuals from several internal technical and managerial functions investigates, remediates the event, and determines the extent of external advisor support required, including from external counsel, forensic investigators, and law enforcement. The cyber attack response plan sets out ongoing monitoring or remediating actions to be taken after resolution of an incident. The Company relies on TIAA to engage external experts, including third-party IT service providers such as cybersecurity assessors, consultants, and auditors, to evaluate cybersecurity measures and risk management processes, including those applicable to the Company and other products, subsidiaries, and affiliates of TIAA. The Company also relies on TIAA s risk management program and processes, which include cyber risk assessments. The Company depends on and engages various third parties and service providers, including suppliers, custodians, transfer agents, property management companies, and joint venture partners, to operate its commercial real estate and investment business. The Company relies on the expertise of risk management, legal, information technology, and compliance personnel of TIAA when identifying and overseeing risks from cybersecurity threats associated with the Company s use of such entities. The potential impact of risks from cybersecurity threats on the Company are assessed on an ongoing basis, and how such risks could materially affect the Company s business strategy, operational results, and financial condition are regularly evaluated. During the 12-month period covered by this report, TIAA has not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that the Company believes have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, operational results, and financial condition. Cybersecurity Governance The Company’s board of directors provides strategic oversight on cybersecurity matters, including risks associated with cybersecurity threats. The board receives periodic updates from the Company s Chief Compliance Officer regarding the overall state of TIAA s cybersecurity program, information on the current threat landscape, and risks from cybersecurity threats and cybersecurity incidents impacting the Company. TIAA s management, including its Chief Information Security Officer, is responsible for assessing and managing material risks from cybersecurity threats to the TIAA organization, including the Company. TIAA s Chief Information Security Officer and 47 Table of Contents cybersecurity leaders have significant expertise in in this area, including in IT and cybersecurity engineering as well as cybersecurity leadership experience in other major financial institutions. Management of the Company is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents impacting the Company, including through the receipt of notifications from service providers and reliance on communications with risk management, legal, IT, and/or compliance personnel of TIAA.

Company Information