Broadstone Net Lease, Inc. - (BNL)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity

Our EVP and Chief Financial Officer is responsible for the oversight of the Company’s information technology and cybersecurity function, which consists of five employees and is led by our VP, Information Systems & Solutions. Our VP, Information Systems & Solutions has over 25 years of experience in information technology leadership, including oversight of information technology general controls and management of information technology security and cybersecurity programs. The information technology and cybersecurity team also includes our Director, Information Technology, who has held information technology leadership roles for over 15 years, including in management of infrastructure, applications, information technology security, and cybersecurity prevention and education programs. The Audit Committee of the Board of Directors oversees the evaluation of the policies and practices developed and implemented by the Company with respect to the risk assessment and risk mitigation of information technology and cybersecurity matters.

The Company has implemented a Computer Security Incident Response Plan (the “Incident Response Plan”) that sets forth the process for identifying, responding to, and recovering from cybersecurity incidents. We have a dedicated cross-functional Incident Response Team (the “IRT”) that participates in annual tabletop exercises and simulations with our external cybersecurity legal counsel to test the Incident Response Plan as part of our business continuity, incident response, risk assessment, and disaster recovery planning. The IRT is also responsible for evaluating the level of materiality of any cybersecurity incident in accordance with the Incident Response Plan and may engage the services of third-party experts to assist in the event of a cybersecurity incident.

To our knowledge, in the last three years we have not experienced a cybersecurity incident that has had, and we are not aware of any cybersecurity incident that is reasonably likely to have, a material impact on us, our business strategy, results of operations or financial condition. However, as (i) our business involves the storage and transmission of numerous classes of sensitive and confidential information and proprietary information, including tenants’ information, private information about our investors and our employees, and financial and strategic information about us and (ii) we also rely on third-party service providers that have access to such information in connection with providing necessary information technology and security and other business services to us, we face risks associated with security breaches through cyber-attacks or cyber-intrusions, malware, computer viruses, attachments to e-mails, persons inside our organization or persons with access to systems inside our organization, and other significant disruptions of our IT networks and related systems that could have a material impact on us, our business strategy, results of operations or financial condition. See “Risks Related to Our Business and Properties – Security breaches and other technology disruptions could compromise our information systems and expose us to liability, which could materially and adversely affect us” for additional information.

In an effort to mitigate the impact of cybersecurity events, we conduct mandatory information technology and cybersecurity training for all employees upon hire and at least annually thereafter, and regularly test our employees for information security awareness and adherence to our information technology and cybersecurity policies, which are reviewed at least annually. We also provide our employees with access to educational newsletters and articles regarding relevant information technology and cybersecurity matters on a regular basis. Additionally, we utilize third-party experts to review and test our information technology infrastructure, including constant monitoring for suspicious activity, routine penetration testing of our networks, and an annual security assessment of the effectiveness of our informational technology environment to identify potential vulnerabilities. For example, our VP, Information Systems & Solutions and Director, Information Technology receive periodic reporting from our managed security service provider and meet regularly to discuss reported activity and assess any recommendations. The Company also receives a quarterly cyber risk rating from an external enterprise risk management service provider and our VP, Information Systems & Solutions and Director, Information Technology meet to discuss the rating and potential enhancements to our cybersecurity program. The cyber risk rating reports are also shared with the Audit Committee on a quarterly basis. Our third-party service providers of technology services are generally required to provide us with system and organization controls (SOC) reports prior to formal engagement and annually thereafter. The reports are reviewed by our VP, Internal Audit and our VP, Information Systems & Solutions, or their designee(s), to assess and monitor compliance with cybersecurity best practices.

In conjunction with the operational day-to-day processes discussed above, material risks from cybersecurity threats are identified and assessed in connection with the Company’s enterprise risk management process. Our Enterprise Risk Management Committee (“ERMC”), which is overseen by our SVP and General Counsel and is comprised of our senior leadership team and key functional personnel, meets quarterly to discuss the Company’s enterprise risks, including cybersecurity risks. Cybersecurity risks are reviewed in detail and assigned risk ratings on an annual basis. The ERMC also discusses mitigation efforts, potential enhancements to processes and policies, and key risk indicators for the Company’s risks, including cybersecurity risks. The ERMC’s annual risk assessment is presented to the Board of Directors and the Audit Committee on an annual basis.

In addition to the Company’s annual ERMC risk assessment, our VP, Information Systems & Solutions and Director, Information Technology brief the Audit Committee on information technology and cybersecurity matters at least annually and provide interim updates to the Audit Committee on such matters on a quarterly basis.
