EQT Exeter Real Estate Income Trust, Inc. 10-K Cybersecurity GRC - 2024-03-29

Page last updated on April 11, 2024

EQT Exeter Real Estate Income Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-29 12:46:52 EDT.

Filings

10-K filed on 2024-03-29

EQT Exeter Real Estate Income Trust, Inc. filed an 10-K at 2024-03-29 12:46:52 EDT
Accession Number: 0001946997-24-000021

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy As an externally managed company, our day-to-day operations are managed by our Adviser and our executive officers under the oversight of our board of directors. We rely on IT systems, data hosting and other hardware and software platforms which are hosted by EQT, the parent company of our Advisor. As such, we are reliant on EQT for assessing, identifying and managing cybersecurity risk as part of its overall Risk Management Framework. Cybersecurity risk is an important and continuously evolving focus for us, EQT, and EQT s affiliates. EQT maintains a cybersecurity program as part of its Risk Management Framework, including policies and procedures designed to protect its systems, operations, and the data utilized and entrusted to it, including by EQRT, from anticipated threats or hazards. EQT utilizes a variety of protective measures as a part of its and our cybersecurity program. These measures include: IT General Controls: including physical and digital access controls, patch management, identity verification and mobile device management. Risk Identification: EQT utilizes a combination of internal processes and third-party services to identify potential information security vulnerabilities and threats. This includes threat intelligence, vulnerability management and various security assessments. Risk Assessment: Identified risks are assessed and ranked on at least an annual basis using a likelihood and impact assessment as part of EQT’s enterprise risk framework. In addition, the security team has in place an information security risk management process through which risks are assessed, managed and reported upon continuously. Risk Management: Risks are managed based on their severity in relation to the established risk appetite. EQT has in place several risk-mitigating controls, blending preventative, detective, and reactive measures with an emphasis on identity verification, least privilege, micro-segmentation, and a strong security culture. To this foundation, EQT adds critical components like data protection endpoint security, secure configurations, advanced monitoring 62 and threat detection, robust incident and business continuity plans for effective response. EQT continuously modifies its controls in line with our current risk landscape. Incident Management: EQT has implemented a security incident response plan for prompt and effective handling of cyber incidents. This plan is executed by a tiered response team: a 24/7 Security Operations Center serves as the first line of defense, followed by EQT’s internal security team as the second tier, and an expert incident response and forensics firm as the third. Additional support from external legal counsel is available when necessary. The strategy ensures collaboration with key functions like Risk, Regulatory & Compliance, Corporate Legal and Communications. Detailed playbooks within the plan outline specific actions for various security incident types. At the corporate level, an incident reporting and management process involves EQT’s Chief Information Security Officer (“CISO”). Should an incident pertain to cybersecurity, it activates the security incident response plan. Ongoing Testing: EQT’s comprehensive program encompasses a range of measures and enterprise-level drills. This includes conducting phishing test campaigns, mandatory annual training, annual penetration tests, and disaster recovery tests to ensure EQT’s systems resilience. At the enterprise level, EQT also holds an annual tabletop exercise for EQT’s core and extended crisis management teams, simulating various hypothetical scenarios to assess our preparedness and response strategies. EQT’s technology systems and those of its, the Adviser’s and our third-party service providers are vital for sustaining our operations and strategic initiatives. To manage the risks inherent in these vendor relationships effectively, EQT has established a series of processes. EQT and the Adviser engage only with third parties that align with our stringent cybersecurity standards, demanding that these providers demonstrate strong capabilities in key areas such as data protection, incident preparedness, continuity, and vendor risk management. Adopting a risk-based strategy allows EQT to prioritize its efforts, focusing on the most critical vendors to ensure its attention is directed where it is most needed. In regards to EQT’s most critical vendors, EQT requires substantial and credible third-party assurances, such as Service Organization Control Type 2 certifications (“SOC 2”) and International Organization for Standardization (“ISO”) certifications, ensuring they meet its high cybersecurity standards. Further, the contracts for EQRT, the Adviser and EQT include stringent data protection and liability clauses in the event of a breach. Governance and Oversight EQT s cybersecurity governance structure is led by the CISO, responsible for EQT s cybersecurity program. The CISO has 15 years of experience working with cybersecurity, business continuity, risk management and technology across several industries and holds a Master and a Bachelor of Computer Science and Engineering. The CISO heads the Security and Platform Engineering Team ( SPET ) of dedicated information security professionals and site reliability engineers, concentrating on the security and stability of the technical platform. SPET collaborates closely with other technology teams, such as the EQT information technology operations team. The CISO reports to the Information Security Steering Committee (the Steering Committee ), comprised of select Executive Committee members of EQT. The Steering Committee receives quarterly updates from the CISO. Furthermore, the CISO also reports annually to EQT’s Audit Committee and twice a year to a member of EQT’s board appointed to oversee cybersecurity risk. In addition, the Group Risk Function reports to the Risk Committee at least three times per year. At the EQRT level, oversight of cybersecurity is the responsibility of our Board of Directors, receiving at least annual updates on EQT’s cybersecurity program and receiving prompt notice regarding any material cybersecurity incidents that are relevant to EQRT, as well as ongoing updates regarding such incidents. EQT s cybersecurity program and processes also provide incident escalation to our Chief Financial Officer for any security incidents that meet pre-established reporting thresholds. EQRT’s Chief Financial Officer determines if any cybersecurity events have taken place at the EQRT level and assesses whether those events are material to EQRT based on quantitative and qualitative criteria determined by EQRT’s management, supported by external advisors. When determining the materiality of a cybersecurity event, EQRT considers the actual and potential impact on the EQRT operations, strategy, performance, cash flows and financial condition. EQRT adheres to EQT s Incident Handling Playbook and employee awareness training requirements. Both EQT and its Adviser remain committed to adopting the highest cybersecurity standards and practices, continuously enhancing their cybersecurity capabilities, and prioritizing the safeguarding of company and customer data from potential threats. In the last fiscal year, EQT and EQRT have not experienced any cybersecurity incidents, that have materially affected us or are reasonably likely to have materially affected our operations, strategy, performance, cash flows or financial health. See Part I, Item 1A, Risk Factors Risks Related to Our Organization Structure Cybersecurity risks and cyber incidents may adversely affect our business by causing a disruption to our operations, a compromise or corruption of 63 our confidential information and/or damage to our business relationships, all of which could negatively impact our business, financial condition and operating results.

Company Information