VICI PROPERTIES INC. - (VICI)

10-K Filing Date: February 22, 2024
ITEM 1C. Cybersecurity
Cybersecurity Program
Our cybersecurity and information technology (“IT”) program includes a number of safeguards, such as network segmentation, conditional analysis, external threat monitoring, access and authentication controls, incident response planning and testing of controls and procedures. We assess for internal and external vulnerabilities through the use of quarterly vulnerability scanning, annual third-party penetration testing and periodic cybersecurity maturity assessments. The results from these assessments are comprehensively addressed based on risk priority and are used to continually improve our cybersecurity risk posture.
We use a risk-based approach with respect to our use and oversight of third-party service providers, tailoring processes according to the nature and sensitivity of the data accessed, processed, or stored by such third-party service provider and performing additional risk screenings and procedures, as appropriate. We use a number of means to assess cyber risks related to our third-party service providers, including vendor questionnaires, conducting due diligence in connection with onboarding new vendors and annual due diligence with respect to key third-party vendors. We also seek to collect and assess cybersecurity audit reports and other supporting documentation when available.
Our employees receive regular cybersecurity training to address a broad range of key and emerging issues. In addition, we provide additional periodic training modules to address emerging threats or trends within the cybersecurity environment, perform regular simulated phishing exercises and require comprehensive cybersecurity training for all new employees.
Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
We utilize expert cybersecurity independent consultants, including a contracted Chief Information Security Officer (“CISO”) and additional third-party managed service providers, who work with and report to our Vice President of Accounting and Administration (“VPAA”) to identify potential risks from cybersecurity threats and proactively mitigate their potential impact. The CISO and related team have extensive experience in assessing, detecting, responding to and mitigating cybersecurity risk, including holding several different relevant certifications as well as experience working with, and assessing cybersecurity risk of, IT managed service providers.
The CISO and his related team perform regular assessments and vulnerability tests and work with other third-party service providers to perform penetration testing and periodic cyber maturity assessments on our behalf through our Enterprise Risk Management (“ERM”) framework. Our CISO and related team work with our VPAA and third-party managed service provider to manage IT troubleshooting and user experience. Additionally, along with our own relationships, we benefit from the extensive third-party service provider relationships of our CISO, which may be used to assist with cybersecurity containment and remediation efforts.
We perform specific cybersecurity risk assessments, which are informed by our ongoing vulnerability assessments, external penetration testing and cybersecurity maturity assessments, among other items. Additionally, cybersecurity and IT is also an element of the ERM assessment performed by management on an annual basis, with quarterly reassessments, under the supervision of the Audit Committee and Board of Directors.
In the event of a cybersecurity incident, we maintain a regularly tested incident response program, including response programs specifically designed for common threats. Pursuant to our escalation protocols, designated personnel, including our CISO and VPAA, along with appropriate members of our management and executive team, are responsible for assessing the severity/priority of a cybersecurity incident and associated threat, containing the threat, and remediating the threat, including recovery of data and access to systems, analyzing any reporting obligations associated with the incident, and performing post-incident analysis and program enhancements.
Governance
Our Audit Committee, in connection with the Board of Directors, maintains oversight of our Enterprise Risk Management framework, including oversight over our cybersecurity and information technology policies and programs.
The CISO and VPAA meet with our IT Executive Committee, comprised of all of our executive officers, on at least a quarterly basis to oversee our cybersecurity and IT framework and more frequently in the event of significant cybersecurity developments. Our management team, including our CISO, updates the Audit Committee and Board of Directors at least twice a year with respect to key developments and updates relating to our cybersecurity and IT infrastructure and the overall threat environment, including recent and emerging trends. With respect to any significant cybersecurity events or incidents, the VPAA, along with the IT Executive Committee, reports to the Board of Directors promptly in accordance with our escalation protocols, as appropriate, depending on the nature of the events.
Cybersecurity Risks
To date, we have not experienced any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents or threats, that have materially affected the business strategy, results of operations or financial condition of the Company or are reasonably likely to have such a material effect. However, evolving cybersecurity threats make it increasingly challenging to anticipate, detect, and defend against cybersecurity threats and incidents. For more information regarding cybersecurity risks, see “Item 1A. Risk Factors.”