Sila Realty Trust, Inc. - (CVMCA)

10-K Filing Date: March 06, 2024
Item 1C. Cybersecurity.
We have developed, implemented, and integrated a cybersecurity program, or the Cybersecurity Program, to protect our information systems by using physical, technical, and administrative safeguards. This includes assessing, identifying, monitoring, reporting, managing and remediating cybersecurity threats. The Cybersecurity Program aims to prevent data exfiltration, manipulation, and destruction, as well as system and transactional disruption. The Cybersecurity Program utilizes a threat-centric and risk-based approach to identify and assess cybersecurity threats that could affect our business and information systems based on the National Institute of Standards and Technology Cybersecurity Framework, or the NIST Framework.
Our Cybersecurity Program includes the following processes:
Quarterly control reviews, annual policy reviews and annual investments in our security infrastructure;
Periodic testing of our information systems to assess our vulnerability to cyber risk, which includes targeted penetration testing and vulnerability scanning;
Testing and audits of our IT-related internal controls over financial reporting, excluding cybersecurity controls, by our internal auditors;
Conducting a comprehensive information security and training program for our employees, including mandatory computer-based training, regular internal communications, and ongoing end-user testing to measure the effectiveness of our information security program. As part of this commitment, we require our employees to acknowledge our Information Security policy each year. In addition, we have an established schedule and process for regular phishing awareness campaigns that are designed to emulate real-world contemporary threats and provide immediate feedback (and, if necessary, additional training or remedial action) to employees;
Annually assessing the Cybersecurity Program against the NIST Framework;
Maintaining business continuity, contingency and recovery plans to quickly react to cybersecurity incidents;
Conducting security assessments of all third-party service providers with access to personal, confidential or proprietary information before engagement and maintaining ongoing monitoring by reviewing system and organization controls reports, relevant cyber attestations, and other independent cyber ratings;
Retaining a third-party cybersecurity provider for emergency incident response services in the event of a serious information security breach; and
Maintaining cybersecurity risk insurance that could help defray the costs of an information security breach as a backstop to the Cybersecurity Program.
Through our incident response plan, we have designated a cybersecurity management committee, or the Cybersecurity Management Committee, composed of our executive officers and management representatives. Led by our Vice President of Information Technology & Corporate Facilities, our Cybersecurity Management Committee is responsible for the management of the Cybersecurity Program and for the day-to-day investigation of and response to potential information security-related incidents. Pursuant to our incident response plan, incidents meeting specified severity levels are required to be escalated to the Cybersecurity Management Committee for review and response. The goals of the incident response plan are to prevent, detect and react to information security incidents, determine their scope and risk, respond appropriately to the incident, communicate the results and risk to relevant stakeholders, and reduce the likelihood of the incident reoccurring.
Our Vice President of Information Technology & Corporate Facilities has served in this role since 2018, and has more than 25 years of experience in various roles involving managing information security, technology infrastructure and IT operations.
Our Board plays a role in overseeing risks associated with cybersecurity threats and has delegated to the Audit Committee primary oversight of the Cybersecurity Program. Our executive officers report on our Cybersecurity Program to both the Board and the Audit Committee at least four times per year (including as part of our discussions regarding enterprise risk management). In addition, quarterly reports to the Audit Committee include our internal auditor's reviews of our information security programs and controls. As part of the incident response plan discussed above, in the event we experience a cybersecurity incident that could materially affect us, including our business strategy, results of operations or financial condition, our executive officers (who are also a part of the Cybersecurity Management Committee) will review the incident with the Audit Committee to consider whether and to what extent disclosure is required under Item 1.05 of Form 8-K.
We face risks from cybersecurity threats that could have a material adverse effect on our business strategy, results of operations or financial conditions. See “Risk Factors – General Risk Factors - Cybersecurity risks and cyber incidents may adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential information, and/or damage to our business relationships, all of which could negatively impact our financial results” in Part I, Item 1A of this Annual Report on Form 10-K for a discussion of these risks. To date, we have not experienced a material cybersecurity incident.