Gaming & Leisure Properties, Inc. - (GLPI)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY

The Company maintains a cyber risk program as a part of its enterprise risk management program that is designed to identify, assess, mitigate and manage cyber risks. The Company’s Vice President of Information Technology is responsible for managing the Company’s cyber risk program, informing senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervising third parties assisting in these efforts. The Company's Vice President of Information Technology has two decades of experience in the Information Technology industry, with a strong emphasis on cybersecurity whose professional experience is distinguished by a Bachelor's degree in Network Operation and
/39

Security and enriched by practical, hands on experience in the field. The Vice President's long standing career in Information Technology reflects a deep seated expertise in safeguarding digital infrastructures in today's dynamic cyber environment.

The Company has policies and procedures concerning cybersecurity matters, which include policies that directly or indirectly relate to cybersecurity, such as policies related to encryption standards, antivirus protection, remote access, multifactor authentication, confidential information and the use of the internet, social media, email and wireless devices. All Company employees are required to complete annual cybersecurity training programs.

The Company engages third party vendors to periodically test, monitor and maintain the performance and effectiveness of the Company’s cyber risk program. In addition, in 2023 the Company participated in a comprehensive third-party cyber risk review as part of its annual insurance renewal process and consideration of cyber risk coverage.

The Audit and Compliance Committee of the Board of Directors oversees the Company’s cybersecurity risk program and the process employed to monitor and mitigate cybersecurity risks. Members of the management team provide periodic updates to the Audit and Compliance Committee on the status of the Company’s cyber risk management program. In addition, cybersecurity risks are reviewed by the Board of Directors as part of the Company’s ongoing enterprise risk management program.

As a triple net REIT with no significant consumer facing infrastructure or exposure, the Company faces a limited number of cybersecurity risks in connection with the operation of the business. Risks from cybersecurity threats have not materially affected the Company to date and are not reasonably likely to materially affect the Company, including the Company's business strategy, results of operations or financial condition. Other than widespread threats generally affecting businesses, the Company has not experienced threats to or breaches of its data or systems, including malware and computer virus attacks. For more information about the cybersecurity risks faced by the Company, see the risk factor entitled “We face risks associated with security breaches through cyber-attacks, cyber intrusions or otherwise, as well as other significant disruptions of our information technology (IT) networks and related systems” in Item 1A- Risk Factors.
/40