Lightstone Value Plus REIT IV, Inc. - (LTSV)
10-K Filing Date: March 26, 2024
Risk Management and Strategy
We have no employees. Our business is externally managed by the Advisor, an affiliate of the Sponsor. We are dependent on the Advisor and affiliates of our Sponsor (collectively, the “Advisor and its affiliates”) for performing a full range of services that are essential to us, including asset management, property management (excluding our hospitality properties, each of which are managed by an unrelated third party property manager) and acquisition, disposition and financing activities, and other general administrative responsibilities; such as tax, accounting, legal, information technology (“IT”) and investor relations services. As an externally managed REIT, our risk management function, including cybersecurity, is governed by the cybersecurity policies and procedures of the Advisor and its affiliates, which determine and implement appropriate risk management processes and strategies as it relates to cybersecurity for both us and the other entities they advise, own and/or manage, and we rely on them for assessing, identifying and managing material risks to our business from cybersecurity threats.
The Advisor and its affiliates take a risk-based approach to cybersecurity and have implemented cybersecurity policies throughout their operations that are designed to address cybersecurity threats and incidents. The Advisor and its affiliates regularly assess risks from cybersecurity threats, monitor their information systems for potential vulnerabilities, and test those systems according to their cybersecurity policies, standards, processes, and practices, which are integrated into their overall approach to enterprise risk management. To protect their information systems from cybersecurity threats, the Advisor and its affiliates use various security tools that help them identify, escalate, investigate, resolve, and recover from security incidents in a timely manner.
The Advisor and its affiliates have a technology team, under the leadership of the Director of Information Technology, who has over 20 years of technology management experience, which defines a work plan designed to maintain strong cybersecurity maturity, sets improvement objectives of key controls and systems, including feedback from third-party assessments, and identifies and implements on-going investments to replace or upgrade systems or technologies and proactively maintain strong security. As part of this planning, management conducts regular testing of our incident response plan to increase awareness, establishes key decision-making criteria, ensures effective communication among key stakeholders, and complies with the Company’s disclosure obligations.
The Advisor and its affiliates also partner with independent third-party experts to provide a comprehensive cybersecurity solution that safeguards organizations against a broad spectrum of cyber threats. This comprehensive cybersecurity solution offers advanced threat detection, prevention, and response capabilities, including real-time monitoring, threat intelligence, behavioral analysis, endpoint detection and response, malware prevention, and automated response actions. Additionally, the comprehensive cybersecurity solution also provides access to cybersecurity experts, who provide proactive threat monitoring and incident response support to effectively detect, investigate, and remediate security incidents.
6
The Advisor and its affiliates engage vendors to enhance cybersecurity safeguards and improve incident response and update or replace systems and applications as appropriate to improve data processing and storage management and enhance security. These cybersecurity safeguards include multi-tiered backup protocols, which incorporate immutable backups, embody an innovative approach to data security, providing an additional barrier against ransomware and other cyber threats. Immutable backups ensure that data remains unmodifiable and immune to deletion for a predefined duration, thereby shielding it from unauthorized tampering or access. This technology utilizes sophisticated methods, including immutable storage repositories and ransomware-resistant backup architectures, to uphold the integrity and accessibility of vital data. Through the enforcement of stringent access controls and encryption measures, the resilience and availability of backup data is ensured, empowering an organization to swiftly and securely recover from cyber incidents.
To further protect their information systems, the Advisor and its affiliates structure and monitor relationships with various third-party service providers and periodically conduct due diligence on their cybersecurity architecture and process design.
To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, our business strategy, results of operations, or financial condition.
Governance
The Board of Directors oversees our risk management process, including cybersecurity risks. The Audit Committee oversees our enterprise risk assessment. The Audit Committee meetings include discussions of specific risk areas, including, among others, those relating to cybersecurity. Our management team, including our Chief Financial Officer, is responsible for assessing and managing our material risks from cybersecurity threats. The Chief Financial Officer has primary responsibility for our overall cybersecurity risk management program.
The Director of Information Technology is responsible for leading the assessment and management of cybersecurity threats. We have implemented a governance program for our cybersecurity efforts. This includes regularly updating privacy notices, terms of use, and lease documents. The Advisor and its affiliates have developed and implemented policies to identify and mitigate cybersecurity risks and provide training to their employees at onboarding and thereafter as necessary. Such updates are communicated to all their employees, and actionable guidance is provided when new risks arise.