Page last updated on February 11, 2026
FIRST INDUSTRIAL LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-11 16:58:29 EST.
Filings
10-K filed on 2026-02-11
FIRST INDUSTRIAL LP filed a 10-K at 2026-02-11 16:58:29 EST
Accession Number: 0000921825-26-000012
Item 1C. Cybersecurity.
Cybersecurity risk is a critical and continuously evolving area of focus for us, and significant resources are devoted to protecting and enhancing the security of computer systems, software, networks and other technology assets. We have controls and systems in place to safely receive, protect and store information; collect, use, and share that information appropriately; and detect, contain and respond to data security and denial-of-service incidents. We identify and manage material cyber risks by continually assessing external threats to understand evolving threats, emerging issues and industry trends. Cybersecurity is an integral part of the Company's enterprise risk management function, which identifies, monitors and mitigates business, operational and legal risks.

We view our main cybersecurity risks as attempts to gain unauthorized access to our computer systems and data (including that of third parties to whom we owe a duty of care) through malware, ransomware, phishing, social engineering, insider threats and other malicious activities or disruptions to our information technology networks and systems. Our processes and controls to mitigate these risks, categorized by six functional areas: Identify, Protect, Detect, Respond, Recover and Govern, are described below.

The first step in our process is to identify the risks related to our data, personnel, devices, systems and facilities. In connection with this phase, we:

- Conduct enterprise-wide risk assessments that include information technology risk areas, supplemented by periodic technical assessments from independent security and technology firms;
- Maintain a matrix that delineates roles and responsibilities for information security supporting critical financial applications, databases and networks;
- Participate in various consortiums, associations and groups to share threat intelligence, regulatory updates and best practices;
- Conduct mandatory information security training for all employees and regularly evaluate their awareness and adherence to our information security recommendations; and
- Publish our computer usage policy on our intranet and require employees to acknowledge the policy annually.

Next, we implement controls and processes designed to protect against identified risks. In connection with this phase, we:

- Maintain access controls that restrict network and system access to authorized users, including privileged access segregation, password encryption via a password manager, timely deactivation of terminated employees and two-factor authentication for remote access;
- Maintain physical security at our data center and backup recovery sites, including door access control systems and surveillance;
- Prevent data intrusion to maintain confidentiality and integrity of our data by deploying automated monitoring systems that continuously assess server and network capacity and performance; applying patch management controls on key financial software with routine vulnerability scans; maintaining and updating change logs for all key financial software; requiring pre-approval for all major hardware and infrastructure changes prior to production migration; ensuring all remote access is fully encrypted; and implementing internal firewalls to limit access to sensitive systems and applications; and
- Maintain controls and processes over third-party payments, using a combination of internal controls around the setup, maintenance and archiving of records to prevent fraud and minimize the risk of erroneous payments.

We continually monitor our information systems in order to detect anomalous activity and verify the effectiveness of our protective measures. In connection with this phase, we:

- Operate extended detection and response software on our network at all times, company-wide endpoint security monitoring and active threat remediation software that is fully supported by staff and backed by a prevention warranty;
- Engage independent cybersecurity specialists to periodically perform penetration testing (simulated cyberattacks to assess our ability to resist potential threats and attacks from external and internal sources), cyber dwelling assessments (to determine if a threat actor has accessed or could access our network and compromise confidential information) and tabletop exercises to evaluate our ability to react to an attack;
- Evaluate the technical control structure and competency of all new third-party software vendors and review "cloud" vendors' Service Organization Control (SOC) reports or reasonable substitutes to assess the maturity of their security controls; and
- Conduct monthly mock phishing exercises with employees and provide additional training as needed.

We maintain comprehensive plans to respond to detected cybersecurity incidents, including:

- Written playbooks providing sequential instructions on appropriate steps to take in the wake of various cyberattacks, including ransomware attacks, data breaches, loss of third-party data and partial and full disaster recovery scenarios;
- Retention of a leading incident response provider to assist with security incidents, as well as an attorney who serves as our data breach coach. This attorney specializes in data privacy and cybersecurity, and maintains relationships with forensics investigators, crisis communications professionals and other specialized service providers we may engage in the event of a data breach; and
- Escalation and notification protocols aligned with legal and regulatory obligations.

To recover systems or assets affected by a cybersecurity incident, we maintain and regularly test full system backups stored in multiple secure locations, both online and offline.

As of the date of this Form 10-K, we have not experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business, operations or financial condition. However, there can be no guarantee that we will not experience such an incident in the future. See Risk Factors for more information on our cybersecurity risks.

Cybersecurity oversight begins with strong governance. The Company manages cybersecurity risk as part of its overall enterprise risk management program, with clear accountability and defined responsibilities across management and the Board of Directors. The Chief Information Officer (who reports directly to our Chief Executive Officer), supported by Senior Director of Information Technology, our Senior Director of Business Systems Applications and the Information Technology Security Manager, directs the Company's cybersecurity strategy, daily operations, and incident response preparedness. Management reviews cybersecurity policies and procedures at least annually with the Audit Committee and reports on emerging risks, control performance, and mitigation progress. The Company also manages third party and supply chain security risks through vendor due diligence reviews and contractual requirements.

The Audit Committee, as delegated by our Board of Directors, oversees cybersecurity matters, receiving regular reports from management on risk assessments, control initiatives, and incident response activities. The Audit Committee Chairperson also participates in our annual enterprise-wide risk assessment process. In addition to the foregoing, from time to time, the Board of Directors is updated on the Company's internal control systems with respect to information technology security.
Company Information
| Name | FIRST INDUSTRIAL LP |
| CIK | 0001033128 |
| SIC Description | Real Estate Investment Trusts |
| Ticker | |
| Website | |
| Category | Accelerated filer |
| Fiscal Year End | December 31 |