Empire State Realty OP, L.P. - (ESBA)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities and test those systems pursuant to our cybersecurity policies and procedures, which are integrated into the Company’s overall risk management framework. To protect our information systems from cybersecurity threats, we use various security tools that help us identify, escalate, investigate, resolve, and recover from security incidents in a timely manner.

We partner with third parties to implement and assess the effectiveness of our cybersecurity prevention and response systems and processes. We have a Managed Security Services provider (MSSP) that provides a 24 x 7 x 365 Security Operations Center (SOC) and works with our information technology (IT) team to employ a variety of monitoring technologies to detect and be alerted to potential cyber threats, as well as establish and implement procedures for the mitigation and remediation of any cybersecurity incidents. We conduct an annual penetration test, regular phishing tests, and annual cybersecurity training for our employees.

Additionally, the management team of the Company has developed a cyber incident response plan to deploy in the event of a cyber threat. This plan is reviewed and updated at least annually and tested from time to time through tabletop exercises involving management and other key personnel, and may also include participation from ESRT's Board and outside experts. As part of regular business continuity planning, department heads are required to consider key technology systems used by their respective teams and the impact to the Company and other stakeholders in the event that such systems become compromised or unavailable. Additionally, we monitor and identify cybersecurity risks posed by third-party vendors who provide software and/or hardware to the Company or otherwise have access to our Company systems and have a cyber review process that is part of vendor onboarding.

To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and we believe are not reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. Refer to the risk factor captioned “Cyberattacks and any failure to comply with related laws could negatively impact us.” in Part I, ITEM 1A. “Risk Factors” for additional description of cybersecurity risks and potential related impacts on the Company.

Governance

ESRT's Board of Directors oversees our risk management process, including with respect to cybersecurity risks, directly and through its committees. The Audit Committee of ESRT's Board oversees our risk management program, which focuses on the most significant risks we face in the short-, intermediate-, and long-term timeframe. Audit Committee meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity, and reports on our enterprise risk profile on a quarterly basis. Our Chief Technology Officer is responsible for leading the assessment and management of cybersecurity risks and reports at least quarterly or more frequently as needed to the Audit Committee on cybersecurity strategy and risks.

