Broad Street Realty, Inc. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

Broad Street Realty, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 16:40:37 EDT.

Filings

10-K filed on 2024-04-01

Broad Street Realty, Inc. filed an 10-K at 2024-04-01 16:40:37 EDT
Accession Number: 0000950170-24-039408

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity represents a critical component of our overall approach to risk management. Our cybersecurity policies, standards and practices are fully integrated into our enterprise risk management ( ERM ) approach, and cybersecurity risks are among the core enterprise risks that are subject to oversight by our board of directors. Risk management and Strategy We have implemented several cybersecurity processes and controls to aid in our efforts to assess, identify, and manage material risks from cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. We have engaged a third-party information technology ( IT ) and cybersecurity firm who serves as our dedicated IT and cybersecurity team to help us oversee, implement and 34 manage these processes and controls. This IT and cybersecurity firm is independently audited on an annual basis and has a System and Organization Controls Audit certification. Processes and controls we have implemented with the assistance of our third-part IT and cybersecurity team to assess, identify, manage and protect against material risks from cybersecurity threats include the following: perform 24/7 security monitoring through an automated detection software managed by our third-party IT and cybersecurity firm conduct regular phishing email training for all employees with access to corporate email and other systems to enhance awareness and responsiveness to such possible threats and requiring employees, as well as third parties who provide services on our behalf, to treat information and data with care. We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to our Incident Response Team. The Incident Response Plan is designed to analyze, contain and remediate any cyber incidents that may circumvent existing safeguards. The Incident Response Plan encompasses a systematic approach to evaluate the materiality of incidents, execute appropriate containment and remediation measures, and evaluate internal and external communication and disclosure protocols. We also maintain data backup procedures in the event of a cybersecurity incident. The Incident Response Plan is evaluated at least annually. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us. We face risks from cybersecurity threats that, if realized, could have a material adverse effect on us including an adverse effect on our business, financial condition and results of operations. See Risk Factors Risks Related to Our Business and Properties Cybersecurity incidents or other technology disruptions could negatively impact our business, our relationships, and our reputa tio n. Cybersecurity Governance As described above, we have engaged a third-party IT and cybersecurity firm to which we have delegated primary responsibility to oversee, implement and manage our processes and controls to assess, identify and manage risks from cybersecurity threats. Management receives monthly reports from the third-party IT and cybersecurity firm regarding cybersecurity incidents and any necessary remedial actions, data security posture and cybersecurity risk management processes and strategies. Management also meets quarterly with the third-party IT and cybersecurity firm to discuss technology and cybersecurity policies and procedures and risks and remediation actions. Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated oversight of cybersecurity risk strategy and governance and of other information technology risks to the audit committee. As such, our audit committee is responsible for overseeing our overall risk assessment and risk management program as well as our policies and practices related to our information technology systems, information security and cybersecurity risks. Management is responsible for the day-to-day assessment and management of cybersecurity risks. Management works with the third-party IT and cybersecurity firm to identify, assess and manage cybersecurity risks. Our management team includes the chief executive officer and chief financial officer, each of whom has over twenty years of experience in supervising, managing, underwriting, owning, operating and assessing the risks of commercial real estate investments and commercial real estate operating companies. The audit committee reviews at least annually our enterprise risks and related risk management program. In addition, on a quarterly basis, the audit committee receives a report from management on our cybersecurity threat risk management and strategic process covering topics such as cybersecurity incidents and any remedial actions, if needed, data security posture and the results of third-party risk assessments as well as our cybersecurity risk management processes and strategies. Additionally, management would notify the chair of the audit committee following any cybersecurity incident meeting specified security levels, and the audit committee would review management’s materiality assessment regarding any cybersecurity incident requiring disclosure to the SEC. Members of our board of directors that are not members of the audit committee are also kept apprised of material risks from cybersecurity threats and our related risk management activities.

Company Information