EPR PROPERTIES - (EPR)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
The Company's Board of Trustees recognizes the critical importance of maintaining the trust and confidence of the Company's customers, business partners, employees and other stakeholders. The Board, in coordination with the Audit Committee, is actively involved in the oversight of the Company's risk management program, and cybersecurity represents an important component of the Company's overall approach to enterprise risk management ("ERM"). The Company's cyber risk management program is fully integrated into the Company's broader ERM program and includes cybersecurity policies, standards, processes and practices that are based on recognized frameworks and other applicable industry standards. In general, the Company seeks to address cybersecurity risks through a comprehensive, company-wide cyber risk program that is focused on preserving the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
The Company's cyber risk management program is led by the Company's Vice President of Information Systems, whose team is responsible for leading company-wide cybersecurity strategy, policy, and processes while reporting directly to the Company's Chief Financial Officer. While the Board has ultimate oversight for the risk management process, the Audit Committee is responsible for overseeing the Company's policies and procedures for assessing and managing its exposure to risk, including cybersecurity risks. The Company's Vice President of Information Systems provides regular reports to the Audit Committee on any cyber risks and threats to the Company, assessments of the Company's security program and projects in progress to enhance the Company's security systems. The Company's Board of Trustees also receives periodic updates relating to the Company's cybersecurity programs and emerging cybersecurity threats as part of its general oversight duties. Pursuant to the Company's response plan, the Board and the Audit Committee will receive prompt and timely information regarding any material cybersecurity incidents.
The Company has a documented response plan to follow in the event a cybersecurity incident occurs. The plan details how to determine the scope and risk of an incident, incident response, communication of incident results and risks to all stakeholders and how to reduce the likelihood of an incident occurring or reoccurring. On an annual basis, the Company conducts a test of the cyber response plan in order to test its pre-planned actions, facilitate discussions regarding the plan’s effectiveness and identify useful strategies and tactics learned from the test. Additionally, the Company’s security program is supported by external third-party experts, including outside cybersecurity professionals at a security operations center and expert legal counsel specializing in information technology and cybersecurity.
The Company's cyber risk management program includes processes for identifying and overseeing both internal cybersecurity risks and those presented by third parties, including vendors, service providers and other external users of the Company's systems, as well as the systems of third parties that could adversely impact the Company's business in the event of a cybersecurity incident affecting those third party systems.
In addition, the Company conducts frequent security awareness trainings for all employees, utilizes malware, antivirus, and spyware protections and has other protections in place for its network and users. The Company maintains robust end user and administrative user policies governing the use of Company technology. The Company also maintains cyber liability insurance coverage and performs regular vulnerability and penetration assessments.
The Company's Vice President of Information Systems has been with the Company for over 18 years and has overseen the Company's information systems, including its cyber risk management program, for the last five years. He is a member of the Global Information Assurance Certification Advisory ("GIAC") Board and has received various GIAC certifications in the areas of information security governance and technical controls focused on protecting, detecting and responding to cybersecurity issues. The Company's Chief Financial Officer has over 25 years of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.
As of the date of this report, the Company is not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including the Company's business strategy, results of operations or financial condition.