Strategic Realty Trust, Inc. 10-K Cybersecurity GRC - 2024-03-29

Page last updated on April 11, 2024

Strategic Realty Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-29 14:15:03 EDT.

Filings

10-K filed on 2024-03-29

Strategic Realty Trust, Inc. filed an 10-K at 2024-03-29 14:15:03 EDT
Accession Number: 0001446371-24-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy As an externally managed company, our day-to-day operations are managed by our advisor and our executive officers under the oversight of our board of directors. As such, we rely on our advisor s cybersecurity program, as discussed herein, for assessing, identifying, and managing material risks to our business from cybersecurity threats. Our cybersecurity program, as implemented by our advisor and overseen by our board of directors, is integrated into our overall risk management system, and included as part of our information technology security incident response plan. Due to the small size of our operations, our advisor has elected to outsource the information technology function to a third-party managed service provider, or the MSP, that specializes in fully managed information technology services and fully managed cybersecurity. The MSP is responsible for managing all of our advisor s hosted services, all of the computer and computer-related hardware and software used for our advisor to manage our operations, and all onsite and offsite backups. The MSP also provides managed security services designed to prevent cybersecurity threats, to identify and remediate vulnerabilities, to monitor systems 24/7, to protect data and systems, to detect potential intrusions and cybersecurity incidents, to quarantine systems should they be compromised, and to recover from business interruptions or other disasters. The MSP follows the NIST Cybersecurity Framework, developed by the National Institute of Standards and Technology of the U.S. Department of Commerce, to measure the maturity of the services it provides to us and its other clients. The MSP conducts ongoing cybersecurity training to ensure all employees are aware of cybersecurity risks and performs periodic phishing simulation testing for increased cyber resilience. Annually, the MSP conducts penetration testing to assess cybersecurity measures and to review the information security control environment and operating effectiveness. In addition, our advisor evaluates key third-party service providers before granting the service provider access to its information systems and has a process in place to ensure that future access is appropriate. Our assessment of risks associated with the use of third-party providers is part of the advisor s overall cybersecurity risk management framework. For any software platforms that are hosted by third parties, our advisor confirms the vendor maintains a System and Organization Controls ( SOC ) 1 report. While we have control, through our contract with the MSP, over our information systems, we do not have control over the information systems of third parties who provide services, and in particular certain property management services, at our commercial real estate properties. Although we confirm third party software platforms maintain a SOC 1 report, we rely on third parties for managing their cybersecurity risk. Our advisor maintains third-party cyber insurance and upon identification of a significant cyber incident, our advisor would notify its cyber insurance carrier and engage a third-party cyber forensic analysis vendor to assist in investigating and remediating the incident. As of the date of this Annual Report, we are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, our business is highly dependent on our ability to collect, use, store and manage organizational and property data. If any of our significant information and data management systems do not operate properly or are disabled, we could suffer a material disruption of our business or managing real estate, liability to tenants, loss of tenant or other sensitive data, regulatory intervention, breach of confidentiality or other contract provisions, or reputational damage. These systems may fail to operate properly or become disabled as a result of events wholly or partially beyond our control, including disruptions of electrical or communications services, natural disasters, political instability, terrorist attacks, sabotage, computer viruses, deliberate attempts to disrupt our computer systems through “hacking,” “phishing,” or other forms of both deliberate or unintentional cyber-attack, or our inability to occupy our office location. As our advisor has elected to outsource our information technology functions to third-party providers, we bear the risk of having less direct control over the security and performance of those systems. 9 Table of Contents Governance As part of its responsibilities pursuant to our corporate governance guidelines, our board of directors oversees our policies with respect to risk assessment and risk management, including with respect to cybersecurity risks. The board of directors administers its risk oversight function by receiving regular reports from our executive officers on areas of material risk to us, which reports include any updates regarding cybersecurity incidents or other developments. As discussed above, we engage the MSP to assist us with the identification, monitoring and management of cybersecurity risks and rely on the expertise and knowledge of the MSP with respect to supporting our information technology network. The MPS reports periodically to our management team as necessary, including our Chief Executive Officer and Chief Financial Officer. These senior executive officers then brief our board of directors on security matters as required and no less frequently than annually. Our Chief Financial Officer, together with our advisor s Director of Human Resource is responsible for managing our cybersecurity risk and developing mitigation strategies and implementing controls to reduce the likelihood of a cybersecurity incident occurring and to reduce the impact of such an incident should this occur.

Company Information