ASHFORD HOSPITALITY TRUST INC - (AHT)
10-K Filing Date: March 14, 2024
Item 1C. Cybersecurity
Risk Management and Strategy. The Company’s information security program consists of various processes designed to ensure that the Company and its electronic assets are shielded from cyber events that may compromise the Company’s ability to successfully execute its business on a day-to-day basis. These processes cover areas such as, but not limited to, risk management, access control, anti-virus management, sensitive data management, electronic communication, risk/security reporting, incident response planning and business continuation planning. The information technology department (“IT Department”), which includes the cybersecurity department (“IT Security Department”), is responsible for implementing such processes and coordinating with the Human Resources Department to align training and onboarding efforts with such processes. The IT Security Department carries out risk management primarily by outsourcing risks to those companies and agencies that specialize in handling such risks and that have the appropriate resources to do so. Additionally, the IT Department assesses and improves the Company’s cybersecurity risk management processes on an annual basis by: (i) engaging its cyber insurance broker, AON, plc, to complete a benchmarking evaluation to compare the Company’s cybersecurity posture against peers and (ii) engaging cyber risk readiness and response company, Netdiligence®, to conduct vulnerability and penetration testing, which produces a report that specifies any possible risk area and devices. Such report is presented to the IT Department for analysis and for the purpose of developing subsequent action plans to remediate any vulnerabilities. As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial conditions, except as otherwise noted.
Governance. Management is ultimately responsible for assessing and managing the Company’s cybersecurity risk. The information security program is overseen by the Chief Financial Officer, Vice President of IT, and the Information Security Manager. The Information Security Manager provides a weekly report to the Vice President of IT, which contains an overview of the activity in the department, any United States Computer Emergency Readiness Team alerts processed and all findings from the preventative maintenance tools. The Vice President of IT provides such report to the Chief Financial Officer on a quarterly basis. The Audit Committee of the Board is then briefed each quarter on the occurrence of any cybersecurity incidents. The Board will also be provided an overview of the information security program on an annual basis, including updates on the IT team, IT training, implementation of IT controls, cybersecurity testing, the incident response process and the cybersecurity assets of the Company.