PROCACCIANTI HOTEL REIT, INC. 10-K Cybersecurity GRC - 2024-03-25

Page last updated on July 16, 2024

PROCACCIANTI HOTEL REIT, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-25 12:20:11 EDT.


10-K filed on 2024-03-25

PROCACCIANTI HOTEL REIT, INC. filed a 10-K at 2024-03-25 12:20:11 EDT
Accession Number: 0001558370-24-003833


Item 1C. Cybersecurity.

The Company deploys advanced cybersecurity technologies and best practices to deliver a highly secure technology platform for its internal operations and hotels throughout its national portfolio. Our program is built around best practice guidance taken in part from both NIST and PCI DSS framework.

Risk Management and Strategy

We have engaged a third-party IT and cybersecurity firm to assist us in protecting us from cybersecurity threats. Our IT partner has been in business for over 33 years and has a national footprint of 175 offices nationwide. In addition to assessing our own cybersecurity preparedness and as part of our overall cybersecurity risk management framework, we also consider and evaluate cybersecurity risks associated with our use of third-party service providers. Processes and procedures include:

● TPG’s Corporate IT footprint and systems are not used to process guest transactions. Corporate systems do not have connectivity to any hotels.
● All IT assets and infrastructure are monitored 24/7/365 through a combination of automated detection software, SIEM software and a fully staffed 24/7 SOC.
● We have continuous monitoring for viruses, intrusions, and malicious activities.
● We deploy a sophisticated blend of layered security that protects systems and data that exist or operate within partitioned/segregated networks.
● Employee cybersecurity training and phishing email training are required for all employees and is performed monthly to continually enhance awareness and responsiveness.
● We do not store any customer data input during the reservation process. The customer reservation systems are specified, implemented, and managed by the global hotel brands.
● Each hotel or operating asset within our portfolio is a standalone network. Therefore, if a security breach were to occur at one location, it is fully isolated from other properties or networks.
● We deploy stringent email filtering that prohibits incoming messages from insecure email systems (i.e., gmail, yahoo, aol, etc.) that are known to carry viruses, spyware, crypto ransom, etc.
● We perform regular internal and external penetration tests.
● We have in place a Cybersecurity Incident Response plan that dictates the process for responding to incidents and remediation of events.
● We have relationships with third-party business partners to assist with cybersecurity as well as assess their cybersecurity risks.
● We utilize Self-Assessments using industry standards and benchmarks to identify cybersecurity incidents and threats that could potentially impact the company.
● Our IT internal controls are audited by an external audit firm as part of our Sarbanes-Oxley Act compliance activities, and this process includes assessing the design and operating effectiveness of those controls.

We or our third-party manager currently maintain cybersecurity insurance policies that provide coverage for security incidents.

Although the risks we face from cybersecurity threats are many and change daily, we have not experienced any cybersecurity incidents that have materially affected our operations, strategy, financial positions or operations. In addition, as of the date of this Annual Report, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to affect us, including our business strategy, results of operations and financial condition.

Despite the policies and procedures that have been implemented to ensure the integrity of our IT systems, we may not be effective in identifying and mitigating every risk in which we are exposed to, especially newly identified vulnerabilities. Furthermore, the hospitality environment requires that the hotels access information in third party environments that are managed, hosted, and provided by others. As such the company will have difficulties in anticipating and implementing preventive measures that mitigate the harm should a break occur. Malicious actors, which can operate on a larger and more sophisticated scale, are using various tools and methodologies to gain access to systems. Such attacks are ransomware, denial of service attacks, phishing, social engineering, and other cyberattacks. A breach of these systems either managed by us or a third party may result in the loss of business data, personal information, disruption of business.

Governance

Our board of directors are responsible for overseeing our policies and practices related to corporate governance including cybersecurity risks. On a quarterly basis, our board of directors and audit committee receive a report from management on our cybersecurity threat risk management processes and strategies. Outside of quarterly meetings, our board of directors and audit committee are notified following any cybersecurity incident and meet to address and identify the cybersecurity threat’s severity levels. Our board of directors and audit committee also review management’s materiality assessment regarding any cybersecurity incident requiring disclosure to the SEC.

Company Information

SIC Description: Real Estate Investment Trusts
Emerging growth company
Fiscal Year End: December 30