Apple Hospitality REIT, Inc. - (APLE)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity

To effectively identify, assess and manage risks from cybersecurity threats, the Company maintains a cybersecurity and cyber risk management program which is comprised of the Company-wide cybersecurity strategy and its supporting policies, processes and architecture. This program is part of the Company’s enterprise risk management program.

Risk Management Strategy

The Director of Information Technology, who reports to the Chief Financial Officer, has extensive information technology (“IT”) and cybersecurity knowledge and skills gained from over 15 years of relevant work experience at the Company, and is responsible for leading the Company’s cybersecurity and cyber risk management program which includes certain cybersecurity processes covering the Company’s corporate systems. These processes include, among other items, the Company’s information technology and risk management departments’ use of an internal set of applications and control activities to actively monitor potential threats to its corporate IT environment and regularly conduct internal testing to identify potential vulnerabilities to the Company’s corporate information technology infrastructure and systems. These activities include, but are not limited to, continuous monitoring of network and infrastructure vulnerabilities, automated patching and software updates, redundancy and back-up systems, and incident response planning and handling. The Company’s employees are required to report cybersecurity events, including suspicious activity or emails, to the Company’s information technology department. Should a cybersecurity event occur within its corporate systems, the Company is positioned to coordinate a swift response to mitigate impacts to its information technology infrastructure and systems. The Company has in place an incident response plan which provides guidance for leadership and employees to swiftly evaluate and respond to cybersecurity incidents. The Company also carries cybersecurity insurance to further mitigate certain potential losses from a cybersecurity incident affecting its corporate IT equipment and systems.

The Company’s cybersecurity processes also include self-assessments using industry benchmarks as well as input from external industry consultants and ongoing communication with third-party business partners to identify cybersecurity incidents and threats that could potentially impact the Company. The Company has relationships with a number of third-party business partners to assist with cybersecurity incident containment and recovery efforts and assesses the processes and tools used by its third-party business partners to manage their cybersecurity risks. The Company uses a risk-based approach with respect to its use and oversight of third-party service providers, tailoring processes according to the nature and sensitivity of network connectivity or of data accessed, processed, or stored by such third-party service provider.

The Company’s corporate IT systems are not used to process business transactions with its guests and those systems currently have no connectivity to hotel and/or third-party management and brand technology platforms. The Company’s information technology and risk management departments regularly engage with its third-party management companies and brands to understand and benchmark their execution and alignment with applicable policies and industry practices for data protection and cybersecurity.

Management and Board Oversight

The Company’s Board of Directors administers cybersecurity risk oversight primarily through its Audit Committee. The Board’s Audit Committee is tasked with oversight responsibility for the Company’s enterprise risk management program, including those related to cybersecurity and cyber risks. The Audit Committee receives regular reports from the Chief Financial Officer on, among other things: the Company’s cybersecurity risks and threats; the status of projects to strengthen the Company’s information security systems; internal and third-party assessments of the Company’s cybersecurity program; and the emerging threat landscape. The Audit Committee also receives updates on any cybersecurity incidents experienced by third-party business partners that may pose significant risk to the Company. The Audit Committee provides periodic reporting to the Board of Directors on cybersecurity matters. The Company’s IT and risk management departments report directly to the Chief Financial Officer and are directed to immediately report any incidents to the Chief Financial Officer. The Chief Financial Officer also apprises the Audit Committee of cybersecurity incidents consistent with the Company’s incident response procedures for more significant incidents and in the aggregate for less significant incidents.

Cybersecurity Risks

The Company faces a number of cybersecurity risks in connection with its business, although such risks have not materially affected the Company, including its business strategy, results of operations or financial condition, to date. The Company has not experienced any material cybersecurity incidents to date. Notwithstanding the extensive approach the Company takes to address cybersecurity, it may not be successful in preventing or mitigating all cybersecurity incidents or threats. For more information about the cybersecurity risks the Company faces, see the risk factor entitled “Technology is used in operations, and any material failure, inadequacy, interruption or security failure of that technology from cyber-attacks or other events could harm the Company’s business” in Item 1A - Risk Factors.
