Page last updated on February 12, 2026
LXP Industrial Trust reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-12 16:41:24 EST.
Filings
10-K filed on 2026-02-12
LXP Industrial Trust filed a 10-K at 2026-02-12 16:41:24 EST
Accession Number: 0000910108-26-000009
Item 1C. Cybersecurity.
We believe we maintain an information technology and cybersecurity program appropriate for a company our size taking into account our operations.
Management and Board Oversight
Our enterprise risk management framework was developed in conjunction with a third-party that objectively assessed key stakeholder responses to questionnaires on our operations and business functions, including information technology and cybersecurity. Our internal controls over financial reporting include key controls covering certain information technology and cybersecurity processes that are documented and tested annually.
The Audit and Risk Committee of our Board of Trustees assists our Board of Trustees with the oversight of our information technology and cybersecurity strategy and initiatives. The Audit and Risk Committee also oversees our management in connection with regularly assessing our key risks and engaging in enterprise-wide risk management as they relate to cybersecurity and our technology and information systems, including with respect to strategies, objectives, capabilities, initiatives, policies and investments. Our Board of Trustees has determined that one of the members of our Audit and Risk Committee is an information technology/cybersecurity expert and has significant experience in, among other areas, emerging technologies and coordinating national security and technology policy.
We employ a Director of Information Technology who works exclusively on information technology and cybersecurity matters and has significant related experience. Our Director of Information Technology reports to our Chief Operating Officer and General Counsel.
Due to our size and the size of our employee base, we use third-party vendors to assist us with our network and information technology requirements.
Since 2019, a national accounting and advisory firm has acted as our outsourced chief technology officer/chief information security officer ("CTO/CISO") and provided us with the following services:
- Performed the chief security role and informed leadership of cybersecurity risks and the role of staff in protecting information, including, but not limited to:
  ◦ Monitored emerging risks, and suggested and oversaw implementation of mitigations;
  ◦ Oversaw security awareness and training programs; and
  ◦ Reported significant security events to leadership.
- Guidance regarding incident response, business continuity and disaster recovery program, strategy and testing.
- Oversight and guidance on vendor risk management processes and individual vendor profiles.
- IT strategy advice.
- Monitored the relationship with our information technology managed services provider.
- Technical, policy and procedure recommendations.
Together with our Director of Information Technology, the CTO/CISO regularly reports to our COO and General Counsel on at least a bi-weekly basis and to the Audit and Risk Committee of our Board of Trustees on a quarterly basis.
We outsource our information technology managed services to a third-party provider of customized private cloud solutions featuring virtual desktops and servers ("MS Provider"). Our Director of Information Technology, together with the CTO/CISO, oversees the MS Provider.
We maintain a critical systems vendor management program with the assistance of a third-party provider of vendor risk intelligence data, including cybersecurity vulnerabilities, business health and credit risk.
In the event of an incident which jeopardizes the confidentiality, integrity, or availability of the information technology systems we use, we utilize an incident response plan. Our incident response plan was developed to guide the internal response to incidents taking into account a recognized third party cybersecurity framework.
Pursuant to our incident response plan and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting and disclosure obligations associated with the incident, and performing post-incident analysis and program improvements.
While the particular personnel assigned to an incident response team will depend on the particular facts and circumstances, the incident response team is made up of two teams: the information security response team and the business response team. The information security response team is generally led by our COO and includes the CTO/CISO, our Director of Information Technology, the MS Provider account manager and other members of our senior leadership. The business response team includes primary and secondary contacts for each impacted business area. These individuals assist with any necessary customer notification procedures.
The incident response team regularly reports to senior management, including the CEO, in the event of a significant incident, and our COO and CFO provide reports to our Audit and Risk Committee and our Board of Trustees.
Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
Our cybersecurity program focuses on (1) preventing and preparing for cybersecurity incidents, (2) detecting and analyzing cybersecurity incidents, and (3) containing, eradicating, recovering from, and reporting cybersecurity events.
Prevention and Preparation
As noted above, we utilize the MS Provider for cloud-based information technology services. This third-party solution includes 24/7 monitoring and is consistent with a well-recognized cybersecurity framework.
We have also engaged consultants to perform periodic cybersecurity assessments, which entail performing a qualitative current state evaluation of our cybersecurity program in line with specific domains within the recognized third-party framework.
In addition, we take the following preventative measures:
- We engage a third party to perform internal and external penetration tests on at least an annual basis.
- We require multi-factor authentication and other enhanced security measures for our network and primary applications.
- We utilize geolocation-based blocking and mobile device management.
We recognize that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, a key element of our prevention efforts is employee training on cybersecurity around phishing, malware and other cyber risks. We use a third-party provider of security awareness training and simulated phishing for our email phishing reporting and periodic cyber security training.
We maintain comprehensive business continuity and disaster recovery plans that are reviewed and updated at least annually and tested each year through tabletop exercises. We do not maintain any on-premises data or servers.
We are exposed to risks from interactions with vendors and other third parties. To mitigate this risk, we perform due diligence on our vendors and third-party service providers. We believe we work with reputable vendors and require SOC reports from critical vendors and IT service providers.
We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity failures and specified cybersecurity-related incidents that interrupt our network or networks of our vendors, in all cases up to specified limits and subject to certain exclusions.
Detection and Analysis
Cybersecurity incidents may be detected through a variety of means, which may include, but are not limited to, automated event-detection notifications, employee notifications, and notifications from external parties (e.g., our third-party information technology provider). Once a potential cybersecurity incident is identified, including a third party cybersecurity event, the incident response team designated pursuant to the incident response plan follows the procedures set forth in the plan to investigate the potential incident, including determining the nature of the event and assessing the severity of the event and sensitivity of any compromised data.
Containment, Eradication, Recovery, and Reporting
In the event of a cybersecurity incident, our first priority is to contain the cybersecurity incident as quickly as possible consistent with the procedures in our incident response plan. The incident response team includes the CTO/CISO and a representative of the MS Provider. The MS Provider takes the lead on assisting us with the steps and procedures to contain the incident. If the MS Provider is unable to contain the incident, we expect to work with the CTO/CISO and cybersecurity insurer to engage an appropriate vendor for containment.
Once a cybersecurity incident is contained our focus shifts to remediation. Eradication and recovery activities depend on the nature of the cybersecurity incident and may include rebuilding systems and/or hosts, replacing compromised files with clean versions, validation of files or data that may have been affected, increased network monitoring or logging to identify recurring attacks, or employee re-training, among other things. We have specific recovery time objectives and recovery point objectives in our disaster recovery plan.
Our incident response plan provides clear communication protocols, which may include, depending on the incident's classification and other circumstances, our CEO, CFO and COO, our internal and external counsel, our management disclosure committee and the Audit and Risk Committee and the Board of Trustees. In addition, our COO and the CTO/CISO generally engage with external legal counsel with respect to regulatory reporting obligations related to an incident.
Following the conclusion of an incident, the incident response team will generally assess the effectiveness of the cybersecurity program and make adjustments as appropriate.
Cybersecurity Risks
While we and our third-party vendors have experienced cybersecurity incidents, including phishing attacks, as of December 31, 2025, we have not had any known instances of material cybersecurity incidents, including third-party incidents, in the last three years. However, there can be no assurance that our security efforts and measures, and those of our third-party providers, will be effective or that attempted cybersecurity incidents or disruptions would not be successful or damaging. See "Item 1A-Risk Factors-Cybersecurity incidents may adversely affect our business."
Company Information
| Name | LXP Industrial Trust |
| CIK | 0000910108 |
| SIC Description | Real Estate Investment Trusts |
| Ticker | LXP - NYSE; LXP-PC - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |