Page last updated on February 27, 2026
RLJ Lodging Trust reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 16:49:02 EST.
Filings
10-K filed on 2026-02-27
RLJ Lodging Trust filed a 10-K at 2026-02-27 16:49:02 EST
Accession Number: 0001511337-26-000007
Item 1C. Cybersecurity.
Risk Management and Strategy
We are committed to properly addressing the cybersecurity threats we face, and we have processes to assess, identify, and manage risks from cybersecurity threats. We apply a robust approach to the identification, mitigation and management of cybersecurity risks. The risk of cybersecurity threats is integrated into our overall risk management program, which includes an annual risk prioritization process to identify key enterprise-level risks. The cybersecurity threat risk action plan is managed by a dedicated information technology ("IT") committee (the "IT Committee"), which oversees our cybersecurity program. The IT Committee comprises senior company leaders as well as our outsourced IT services provider. To oversee and identify cybersecurity threat risks on a day-to-day basis, we maintain a security operations center with round-the-clock monitoring.
We have established policies, including those related to privacy, information security and cybersecurity, and we employ a broad and diversified set of mitigation strategies and techniques to reduce cybersecurity risks, including continuous monitoring, early detection tools, and proactive vulnerability management. Our information security policies are informed by the National Institute of Standards and Technology's Cybersecurity Standards. Given the ever-changing cybersecurity landscape, our IT Committee regularly meets to identify opportunities for incremental improvements, assess additional layers of security, and evaluate new technologies for implementation. In addition, we engage, as necessary, cybersecurity experts to analyze our IT policies, procedures, and infrastructure to assess their effectiveness and to identify opportunities for improvement.
We conduct an annual information security compliance training for employees to better enable them to detect and report malware, ransomware, and other malicious software and social engineering attempts that may compromise our IT systems. Employees also are subject to spear-phishing training campaigns, which helps us to assess the effectiveness of our training programs.
Our management companies are ultimately responsible for our guests' information, and we monitor these companies, as well as other third-party service providers, to ensure that they are complying with our privacy, information security and cybersecurity policies. We also assess the cybersecurity proficiency of potential third-party cloud suppliers before utilizing their services.
We work closely with our internal and external auditors to assess, identify and manage cybersecurity risks. Our internal controls over financial reporting, which include certain of our IT internal controls, are audited by our external auditor as part of our Sarbanes-Oxley Act compliance activities, and this process includes assessing the design and operating effectiveness of those controls.
Although we have experienced phishing and similar attempts for unauthorized access to our information technology systems and data, during the past three years, management has not identified cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, evolving cybersecurity threats make it increasingly challenging to anticipate, detect and defend against cybersecurity threats and incidents. See "Item 1A. Risk Factors" above for more information.
Governance
Our board of trustees is responsible for overseeing the assessment and management of enterprise-level risks that may impact us, including cybersecurity. Two board members have information security expertise from their professional experience. Nathaniel A. Davis has expertise in information technology and experience reviewing and addressing cybersecurity risks. Patricia L. Gibson also has experience assessing and addressing cybersecurity risks through her past professional experience.
Our Audit Committee has primary responsibility for the oversight of risks from cybersecurity threats. Management, including members of the IT Committee, reports at least annually to the Audit Committee regarding the Company's enterprise risk management, cybersecurity risks and mitigation strategies and will report cybersecurity incidents to the Audit Committee as they occur, if material. The Audit Committee will inform the full board of trustees regarding significant cybersecurity incidents, as appropriate.
In addition to implementing and monitoring safeguards to minimize the chance and potential impact of a cybersecurity incident, we have established a cybersecurity incident response plan that is designed to effectively address cybersecurity threats that may occur despite these safeguards and help ensure timely and consistent responses to actual or attempted cybersecurity incidents impacting our company. The cybersecurity incident response plan includes an escalation framework, including processes for informing the board of trustees of material cybersecurity incidents.
Company Information
| Name | RLJ Lodging Trust |
| CIK | 0001511337 |
| SIC Description | Real Estate Investment Trusts |
| Ticker | RLJ - NYSE, RLJ-PA - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |