KBS Real Estate Investment Trust III, Inc. - (KBSR)
10-K Filing Date: March 18, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
As an externally managed company, our day-to-day operations are managed by our advisor and our executive officers under the oversight of our board of directors. As such, we rely on our advisor’s cybersecurity program, as discussed herein, for assessing, identifying, and managing material risks to our business from cybersecurity threats.
Our cybersecurity program, as implemented by our advisor and overseen by our board of directors, is fully integrated into our overall risk management system, and included as part of our information technology security incident response plan. The cybersecurity policies, standards, processes, and practices are based on recognized frameworks established by the National Institute of Standards and Technology (“NIST”). These processes include overseeing and identifying risks from cybersecurity threats associated with the use of third-party service providers.
Our advisor conducts annual cybersecurity training to ensure all employees are aware of cybersecurity risks and conducts monthly phishing e-mail simulations. Annually, our advisor engages a third party to conduct penetration testing to assess our cybersecurity measures and to review our information security control environment and operating effectiveness. Our advisor also uses a third-party platform to monitor our information security continually. The results of such assessments and reviews are reported to the board of directors, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments. In addition, our advisor evaluates key third-party service providers before granting the service provider access to its information systems and has a process in place to ensure that future access is appropriate. For any software platforms that are hosted by third parties, our advisor requires the vendor to maintain a System and Organization Controls (“SOC”) 1 or SOC 2 report. Our advisor maintains third-party cyber insurance and upon identification of a significant cyber incident, our advisor would notify its cyber insurance carrier and engage a third-party cyber forensic analysis vendor to assist in investigating and remediating the incident.
As of the date of this Annual Report, we are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, future incidents could have a material impact on our business strategy, results of operations, or financial condition. For additional information, see “Item 1A. Risk Factors – We face risks associated with security breaches through cyber-attacks, cyber intrusions or otherwise, as well as other significant disruptions of our information technology (IT) networks and related systems.”
Governance
Our board of directors is responsible for understanding the primary risks to our business, including risks from cybersecurity threats. The board of directors is responsible for reviewing our advisor’s cybersecurity policies with management and evaluating the adequacy of the program, compliance and controls with management.
Our advisor’s Information Technology Director reports at least annually to our board of directors and to our audit committee as appropriate. These presentations cover developments in the cybersecurity space, including risk management practices, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security issues encountered by our peers and third parties. Our board of directors also receives prompt and timely information regarding any cybersecurity incidents that meet pre-established reporting thresholds, as well as ongoing updates regarding any such risk. These reports come from a member of our advisor’s Executive Committee, which is comprised of our advisor’s key executives and certain department leaders.
Our advisor has formed a Cyber Governance Committee (“CGC”), comprised of our advisor’s Chief Compliance Officer, Senior Vice President of Human Resources and Information Technology Director, to oversee cyber governance and to assess and manage, along with our advisor’s Chief Executive Officer (also our Chairman of the Board of Directors) and our advisor’s Chief Financial Officer (also our Chief Financial Officer), material risks, if any, from cybersecurity threats. The CGC meets quarterly to review incident summary reports, new threats, risks, and industry and regulatory changes. Our advisor’s Chief Executive Officer and Chief Financial Officer and the CGC are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents pursuant to criteria set forth in our incident response plan and related processes. In addition, our incident response plan and related processes provide for incident escalation procedures for any cybersecurity incidents that meet pre-established reporting thresholds.
Our advisor’s Information Technology Director and Executive Committee are responsible for our incident response plan and related processes designed to assess and manage material risks, if any, from cybersecurity threats. Our advisor’s Information Technology Director also coordinates with consultants, auditors and other third parties to assess and manage material risks, if any, from cybersecurity threats.
Our advisor’s Information Technology Director has 15 years of prior management experience in digital technologies. He has nine years of experience in creating and implementing procedures for managing Payment Card Industry Security Standards (PCI) and SOX cybersecurity measures, including those addressing ransomware, e-mail phishing, and data breaches, and in putting into effective action the five pillars of the NIST Cybersecurity Framework.