Xenia Hotels & Resorts, Inc. - (XHR)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Due to our structure as a REIT, the cybersecurity program, processes and strategy described in this section are limited to the corporate systems, information and service providers belonging to or supporting the REIT. In order to maintain REIT status, the Company does not operate or manage its hotels. Our Operating Partnership and its subsidiaries lease the hotel properties to XHR Holding, the Company’s taxable REIT subsidiary, which engages third-party independent hotel management companies to operate and manage all aspects of the hotels; and those third-party managers, in turn, rely on systems that they manage directly or indirectly (through their own service providers), including but not limited to guest reservation systems, billing, building and property management systems, point-of-sale systems, and financial transactions and records that store and process proprietary or personal information. In light of this structure, we do not have actual or contractual access to the systems or information maintained by the property operators, managers and franchisors, and we must instead rely on such operators’, managers’ and franchisors' programs and processes to protect the properties in which we invest from various risks from cybersecurity threats.
We design and assess our program generally based on the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Key elements of our corporate-level cybersecurity risk management program include the following:
• risk assessments designed to help identify material cybersecurity risks to our critical corporate network systems and corporate information;
• a security function principally responsible for managing at the corporate level (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
• the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our corporate security controls;
• cybersecurity awareness training for our corporate employees, incident response personnel, and senior management;
• a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents that impact Xenia’s corporate systems and information; and
• a third-party risk management process for key service providers, suppliers, and vendors that support our corporate functions, based on our assessment of their respective risk profiles.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our corporate operations, business strategy, results of operations, or financial condition. As noted above, given our status as a REIT, we do not have actual or contractual access to the systems or information maintained by the property operators, managers and franchisors and we must rely on such operators’, managers’ and franchisors' programs and processes to protect the properties in which we invest.
Cybersecurity Governance
Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program described above.
The Audit Committee receives periodic reports from management on our cybersecurity risks. In addition, management updates the Audit Committee, as necessary, regarding any significant cybersecurity incidents, as well as any incidents with lesser impact potential.
The Audit Committee reports to the Board of Directors regarding its activities, including those related to cybersecurity. The Board of Directors also receives periodic briefings from management on our cyber risk management program. Board members receive presentations on cybersecurity topics from our enterprise risk management committee ("ERMC") and internal information technology security staff as part of the Board of Directors’ continuing education on topics that impact public companies.
Our management team, including the ERMC, our Vice President of Information Technology, and our legal and compliance function, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team’s experience includes a key employee with over 20 years of experience in information technology and cybersecurity and various members of the senior management team with significant training in cyber incident response.
Our management team stays informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents that impact our corporate systems and information through various means, which may include briefings from internal and external security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the corporate IT environment.