Farmland Partners Inc. - (FPI)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity

The Company assesses cybersecurity risk and exposure on an ongoing basis and implements tools that are commensurate with the risks that the Company faces. In light of the Company’s relatively small size and personnel, it relies heavily on reputable third-party vendors to mitigate key cybersecurity risks and exposures. While the nature of the Company’s business and the data it processes inherently limit the Company’s exposure to cybersecurity risk, the Company has implemented and maintains controls, policies, procedures and safeguards to maintain and protect confidential information as well as the integrity, continuous operation, redundancy and security of all information technology systems and data used in connection with the Company’s business. The Company generally approaches cybersecurity threats through a comprehensive approach, with the specific goals of: (i) identifying, preventing and mitigating cybersecurity threats to the Company; (ii) preserving the confidentiality, security and availability of the information that we collect and store to use in our business; (iii) protecting the Company’s intellectual property; (iv) maintaining the confidence of our customers, clients and business partners; and (v) providing appropriate public disclosure of cybersecurity risks and incidents when required.

Risk Management and Strategy

Consistent with overall risk management policies and practices, the Company’s cybersecurity program focuses on the following areas:

Vigilance: The Company employs tools to identify, prevent and mitigate cybersecurity threats and respond to cybersecurity incidents in accordance with our internal cybersecurity policies and controls.
Systems Safeguards: The Company and its third-party vendors deploy systems safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved on an ongoing basis.
Third-Party Risk Management: The Company ensures that all third-party vendors that process or have access to sensitive information have appropriate cybersecurity risk controls in place.
Training: The Company communicates regularly with employees to increase awareness around phishing and spoofing attempts and other cybersecurity schemes. Employees are encouraged to report suspicious emails or incidents to the General Counsel or the President and Chief Executive Officer.
Incident Response Policies: The Company has established and maintains incident response policies that address the Company’s response to a cybersecurity incident.
Communication, Coordination and Disclosure: The Company promotes awareness and surveillance over cybersecurity risk at all levels of the organization, including staff, senior management and the Board.

Governance

The Board oversees the management of risks from cybersecurity threats, including the policies, standards, processes and practices that the Company’s management implements to address risks from cybersecurity threats. The Board receives presentations on cybersecurity issues and developments as needed. The Board also will receive prompt and timely information regarding any cybersecurity incident that meets established reporting materiality thresholds, as well as ongoing updates regarding such incident until it has been addressed. The Company evaluates the materiality of a cybersecurity incident based on the overall impact of the event, which depends on a number of factors including, but not limited to, the financial impact of the incident and the type of information involved. At least once each year, the Board discusses the Company’s approach to cybersecurity risk management with the Company’s President and Chief Executive Officer and General Counsel.

The Company’s President and Chief Executive Officer, Luca Fabbri, is the member of the Company’s management that is principally responsible for overseeing the Company’s cybersecurity risk management program and incident reporting, in partnership with other business leaders across the Company. In the event there is a material cybersecurity breach or incident, Mr. Fabbri works in coordination with the Company’s General Counsel, Christine Garrison, to assess and respond, including by reporting this incident to the Board and/or applicable regulatory authorities, as necessary or required. Mr. Fabbri has a high level of exposure to cybersecurity oversight through his current and previous work in the technology sector. Mr. Fabbri has served in various roles in information technology and information security for over 30 years, including serving as a consultant with Elk Creek Ventures Inc. from 2003 to 2012, through which he provided consulting services in technology, and serving as co-founder and vice president of engineering of Co3 Systems Inc., an enterprise software company in the cybersecurity space that is now part of IBM, from 2010 to 2011. Mr. Fabbri also co-founded a software company called HomeSphere, for which he served as senior vice president and chief financial officer from 2000 to 2002, and currently serves on the board of directors of Basil Systems Inc., a healthcare software company. Mr. Fabbri, Ms. Garrison and the Company’s Chief Financial Officer each hold degrees in their respective fields, and each have over 15 years of experience with managing risks at the Company and in environments similar to the Company’s, including risks arising from cybersecurity threats.

Mr. Fabbri, in coordination with the Board, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. Mr. Fabbri and Ms. Garrison monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in real time, and report such incidents to the Board and applicable regulatory authorities when appropriate.

The Company has in the past experienced cyberattacks on its computer networks and, although none to date have been material, the Company expects that additional cyberattacks will occur in the future. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to affect the Company, including its business strategy, results of operations, or financial condition.