Xenia Hotels & Resorts, Inc. 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

Xenia Hotels & Resorts, Inc. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2026-02-24 16:07:36 EST.

Filings

10-K filed on 2026-02-24

Xenia Hotels & Resorts, Inc. filed a 10-K at 2026-02-24 16:07:36 EST
Accession Number: 0001628280-26-011060


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Due to our structure as a REIT, the cybersecurity program, processes and strategy described in this section are limited to the corporate systems, information and service providers belonging to or supporting the REIT.

In order to maintain REIT status, the Company does not operate or manage its hotels. Our Operating Partnership and its subsidiaries lease the hotel properties to XHR Holding, the Company's taxable REIT subsidiary, which engages third-party independent hotel management companies to operate and manage all aspects of the hotels; and those third-party managers, in turn, rely on systems that they manage directly or indirectly (through their own service providers), including but not limited to guest reservation systems, billing, building and property management systems, point-of-sale systems, and financial transactions and records that store and process proprietary or personal information. In light of this structure, we do not have actual or contractual access to the systems or information maintained by the property operators, managers and franchisors, and we must instead rely on such operators', managers' and franchisors' programs and processes to protect the properties in which we invest from various risks from cybersecurity threats.

We design and assess our program generally based on the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

Key elements of our corporate-level cybersecurity risk management program include the following:

- risk assessments designed to help identify material cybersecurity risks to our critical corporate network systems and corporate information;
- a security function principally responsible for managing at the corporate-level (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our corporate security controls;
- a cybersecurity awareness training of our corporate employees, incident response personnel, and senior management;
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents that impact Xenia's corporate systems and information; and
- a third-party risk management process for key service providers that support our corporate functions consisting of diligence and contracting processes that are based on our assessment of their respective risk profiles and operational criticality.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our corporate operations, business strategy, results of operations, or financial condition. For information on the ongoing risks from cybersecurity threats experienced by our business, please refer to "Part I-Item 1A. Risk Factors - Technology and Information Systems Risks."

As noted above, given our status as a REIT, we do not have actual or contractual access to the systems or information maintained by the property operators, managers and franchisors and we must rely on such operators', managers' and franchisors' programs and processes to protect the properties in which we invest.

Cybersecurity Governance

Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management's implementation of our cybersecurity risk management program described above.

The Audit Committee reports to the Board of Directors regarding its activities, including those related to cybersecurity. The Board of Directors also receives periodic briefings from management on our cyber risk management program, including any significant incidents, as well as presentations on cybersecurity topics from our enterprise risk management committee ("ERMC") and internal information technology security staff as part of the Board of Directors' continuing education on topics that impact public companies.

Our Vice President of Information Technology is primarily responsible for assessing and managing our material risks from cybersecurity threats, and helps to supervise both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Vice President of Information Technology has over 20 years of experience in information technology and cybersecurity and has received training in cyber incident response. Our Vice President of Information Technology reports regularly to our ERMC and our senior management team, which in turn, periodically brief the Audit Committee and Board of Directors on our cybersecurity risk management program, significant incidents and related matters.

Our Vice President of Information Technology and management team work together closely to stay informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents that impact our corporate systems and information through various means, which may include briefings from internal and external security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the corporate IT environment.


Company Information

Name: Xenia Hotels & Resorts, Inc.
CIK: 0001616000
SIC Description: Hotels & Motels
Ticker: XHR - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31