HINES GLOBAL INCOME TRUST, INC. 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

HINES GLOBAL INCOME TRUST, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 12:32:20 EDT.

Filings

10-K filed on 2024-03-27

HINES GLOBAL INCOME TRUST, INC. filed an 10-K at 2024-03-27 12:32:20 EDT
Accession Number: 0001585101-24-000018

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CyberSecurity We rely on Hines, our Sponsor, for the implementation of cybersecurity policies, standards and practices. Hines enterprise-wide cybersecurity policies, standards and practices follow recognized frameworks established by the National Institute of Standards and Technology and other applicable industry standards. Hines has robust cybersecurity systems and policies in place and generally approaches cybersecurity threats through a cross-functional, multilayered approach, which is described below. Risk Management and Strategy The Hines cybersecurity program focuses on the following areas: Vigilance: Hines cybersecurity threat operations function around the clock to identify, prevent and mitigate cybersecurity threats and respond to any incidents timely. Systems Safeguards: Hines deploys systems safeguards that are designed to protect our information systems from cybersecurity threats, including email filtering, website filtering, virus protection, disk drive encryption, multi-factor authentication, mobile device management, and robust network equipment, which are evaluated and improved through ongoing penetration tests and both internal and external audits. Collaboration: Hines utilizes collaboration mechanisms established with public and private entities, including intelligence and enforcement agencies, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks. These collaborative efforts include relationships with security operation center service and brand protection providers as well as cloud-based backup service providers. Third-Party Risk Management: Hines utilizes a risk-based approach to cybersecurity risks presented by third parties, including the systems of third parties that could adversely impact our business. Training: Hines provides periodic training for personnel regarding cybersecurity threats, such as cybersecurity awareness videos and phishing campaigns. Such training is adjusted to reflect the roles, responsibilities and information systems access of such personnel. Incident Response and Communication: Hines has formed an incident response team to address potential cybersecurity incidents. This team is composed of management personnel from Hines technology, operations, legal, risk management, internal audit and other key business functions and is responsible for informing Hines leadership, as necessary. The team also includes at least one of our officers to ensure that decisions regarding the disclosure and reporting of such incidents can be made by us in a timely manner, including communicating to our Board, if applicable. Governance Our Board oversees the implementation of Hines cybersecurity risk management program and receives periodic reports from Hines Chief Technology Officer (CTO) and Chief Information Security Officer ( CISO ) regarding the effectiveness of Hines cybersecurity risk management program. Additionally, our Board will receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds. Hines CISO and CTO are principally responsible for overseeing the cybersecurity risk management program, in partnership with other Hines leaders. The CISO has more than 30 years experience in the IT industry, with over 20 years spent working with cybersecurity design and implementation, as well as infrastructure, audit, design, operation, and as the head of Hines IT security and compliance practice. The CTO previously served as both Director and Vice President of Information Technology at Hines and has led several Hines technology implementations and strategic developments of proprietary applications and infrastructure. There have been no material cybersecurity threats or incidents nor are we aware of any cybersecurity risks reasonably likely to affect us, our business strategy, results of operations, or financial condition. However, future cybersecurity incidents could have a material impact on our business strategy, results of operations, or financial condition. 45 Table of Contents

Company Information