DIGITAL REALTY TRUST, INC. - (DLR)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We have developed and implemented cybersecurity risk management processes intended to protect the confidentiality, integrity, and availability of our information systems.
We utilize the United States National Institute of Standards and Technology, Cybersecurity Framework (NIST CSF) in considering the design and in assessing our processes. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
We have integrated aspects of our cybersecurity risk management processes into our overall risk management program through, for example, common methodologies, reporting channels and governance processes that apply across the overall risk management program to other risk areas.
Our cybersecurity risk management processes include, but are not limited to:
● independent maturity assessments designed to help identify significant cybersecurity risks to our IT environment and systems;
● a cyber resilience team jointly responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
● the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
● cybersecurity awareness training of our employees, incident response personnel, and senior management;
● a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
● a risk management process for service providers, suppliers, and vendors that aligns to our compliance requirements.
We have not identified risks from known cybersecurity threats as a result of any prior cybersecurity incidents that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face complex risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors—We and our third-party providers may be vulnerable to cyberattacks and security breaches that could materially disrupt or compromise our operations, data and results.” There can be no assurance that our cybersecurity risk management processes, including our policies, controls or procedures, will be fully implemented as currently anticipated, complied with or effective in protecting our systems and information or in allowing us to recover from a cybersecurity incident.
Cybersecurity Governance
Our Board considers cybersecurity and other information technology risks as part of its risk management and compliance oversight function. The Board oversees management’s implementation of our cybersecurity risk management processes and receives reports from management on our cybersecurity risks at least twice a year. In addition, management updates the Board, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. The Board receives briefings from management on our cyber risk management processes, and it receives presentations on cybersecurity topics from our Chief Technology Officer, Chief Information Security Officer and Chief Information Officer, internal security staff or external experts as part of the Board’s continuing education on topics that impact public companies.
Our management team has overall responsibility for assessing and managing material risks from cybersecurity threats, and for executing on our cybersecurity risk management processes. Our Chief Technology Officer, Chief Information Officer and Chief Information Security Officer, among others, have decades of combined experience in areas such as information technology, compliance, and cybersecurity program design and management. Additionally, certain leaders and personnel within the cybersecurity operations team hold industry certifications, such as Certified Information Systems Security Professional or Certified Information Security Manager. Our management team works closely with our cybersecurity operations team to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the IT, Operational Technology (OT), and products and services environments.