INNOVATIVE INDUSTRIAL PROPERTIES INC - (IIPR)
10-K Filing Date: February 27, 2024
Risk Management and Strategy
Our corporate information technology, communication networks, enterprise applications, accounting and financial reporting platforms, and related systems are necessary for the operation of our business. We use these systems, among others, to manage our tenant and vendor relationships, for internal communications, for accounting and record-keeping functions, and for many other key aspects of our business. Our business operations rely on the secure collection, storage, transmission, and other processing of proprietary, confidential, and sensitive data.
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including confidential information that is proprietary, strategic or competitive in nature, and tenant data (“Information Systems and Data”).
We rely on a multidisciplinary team, as described further below, to identify, assess, and manage cybersecurity threats and risks. We identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including, for example, using manual and automated tools, analyzing reports of threats and threat actors, conducting scans of the threat environment, evaluating our industry’s risk profile, and conducting threat and vulnerability assessments.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards, and/or policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including risk assessments, incident detection and response, vulnerability management, disaster recovery and business continuity plans, internal controls within our accounting and financial reporting functions, encryption of data, network security controls, access controls, physical security, systems monitoring, employee training, and penetration testing.
To operate our business, we utilize certain third-party service providers to perform a variety of functions. We seek to engage reliable, reputable service providers that maintain cybersecurity programs. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, conducting security assessments, and conducting periodic reassessments during their engagement.
We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Refer to “Item 1A. Risk factors” in this annual report on Form 10-K, including “The occurrence of cyber incidents or cyberattacks could disrupt our operations, result in the loss of confidential information and/or damage our business relationships and reputation,” for additional discussion about cybersecurity-related risks.
Governance
Our board of directors holds oversight responsibility over our strategy and risk management, including material risks related to cybersecurity threats. This oversight is executed directly by the Board of Directors and through its committees. The audit committee of the board of directors oversees the management of systemic risks, including cybersecurity, in accordance with its charter. The audit committee engages in regular discussions with management regarding our significant financial risk exposures and the measures implemented to monitor and control these risks, including those that may result from material cybersecurity threats.
58
Our management, represented by our Chief Operating Officer, Catherine Hastings, leads our cybersecurity risk assessment and management processes and oversees their implementation and maintenance. Ms. Hastings is an experienced risk management professional, having previously served as our Chief Financial Officer and Treasurer from 2017 until March 2023, and as Vice President, internal audit of BioMed Realty Trust, Inc. (formerly NYSE: BMR) until December 2016, having joined BioMed Realty in 2009. Ms. Hastings currently oversees key functions for our development, asset management, human resources and information technology functions, including cybersecurity risk oversight and the development and enhancement of internal controls designed to prevent, detect, address, and mitigate the risk of cyber incidents. Since 2016, we have retained a third-party information technology specialist to develop and maintain our information technology infrastructure and network, who has extensive experience in the development of business processes, system infrastructure design and cybersecurity for large-scale, institutional real estate companies.
Management is responsible for helping to integrate cybersecurity risk considerations into our overall risk management strategy, and communicating key priorities to relevant personnel. Management is responsible for approving cybersecurity processes, reviewing cybersecurity assessments and other cybersecurity-related matters, and responding to cybersecurity incidents, including reporting to the audit committee for certain cybersecurity incidents. Our management team also evaluates the potential impact of cybersecurity incidents to determine materiality. This evaluation considers factors such as the nature and scope of the incident, and its effects on operations, assets, or reputation. The audit committee holds quarterly meetings and receives periodic reports from management, including our Chief Operating Officer and third-party information technology expert, concerning our significant cybersecurity threats and risks and the processes we have implemented to address them.