Pebblebrook Hotel Trust - (PEB)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity.
We have identified cybersecurity risk as one of our key enterprise risks. One of our Co-Presidents is responsible for managing cybersecurity risk. They develop mitigation strategies and implement controls to reduce the likelihood of a cybersecurity incident occurring and to reduce the impact of such an incident should it occur. At least annually, they report on this risk and their mitigation work to the Audit Committee of our Board of Trustees, which is the committee that has primary responsibility for overseeing our enterprise risk management program and is composed solely of independent trustees. The Audit Committee reviews and discusses all of our key enterprise risks, including cybersecurity risk, and the enterprise risk management program itself. The chair of the Audit Committee may, at their discretion, report to the Chairman of the Board or the full Board of Trustees regarding any aspect of the program or risks.

As of December 31, 2023, no risk from cybersecurity threats, including as a result of any previous cybersecurity incident, has materially affected our business, results of operations or financial condition. Although we have invested in the protection of our data and information systems and the monitoring of our systems on an ongoing basis, such efforts may not in the future prevent material compromises to our information systems, including those that could have a material adverse effect on our business. We maintain cybersecurity insurance coverage to mitigate our financial exposure to certain incidents, and we consult with external advisors regarding opportunities and enhancements to strengthen our policies and practices.

We have elected to outsource our information technology function to a third-party managed service provider, or the MSP, that specializes in fully managed information technology services and fully managed cybersecurity. The MSP is responsible for managing all of our hosted services, all of the computer and computer-related hardware and software we use, and all onsite and offsite backups. The MSP also provides managed security services designed to prevent cybersecurity threats, to identify and remediate vulnerabilities, to monitor systems 24/7, to protect data and systems, to detect potential intrusions and cybersecurity incidents, to quarantine systems should they be compromised, and to recover from business interruptions or other disasters. The MSP follows the NIST Cybersecurity Framework, developed by the National Institute of Standards and Technology of the U.S. Department of Commerce, to measure the maturity of the services it provides to us and its other clients.

The MSP and we developed a cybersecurity incident response plan that sets forth roles and responsibilities for the identification, assessment, triage, communication and resolution of cybersecurity incidents.

In addition, the MSP performs facility and system penetration tests, compromise assessments and security maturity assessments of our corporate and operational networks. In collaboration with the MSP, we maintain a comprehensive cybersecurity training program to help our personnel identify and assist in mitigating cybersecurity risks. Our executive officers and employees participate in annual training with additional issue-specific training as needed.

While we have control, through our contract with the MSP, over our information systems, we do not have control over the information systems of our hotel managers, which are the third-party operators of our hotels and resorts, or of our franchisors. Although we set clear expectations of our hotel managers and franchisors, we rely on our hotel managers and franchisors for managing their cybersecurity risk. We conduct surveys of our hotel managers and franchisors to assess their cybersecurity risk management programs and procedures, to identify gaps and request remediation and to understand our risk exposure. Many of our hotel managers and franchisors carry cyber insurance policies to protect and offset a portion of potential costs incurred from a security breach. Additionally, we currently have cyber insurance policies to provide supplemental coverage above the coverage carried by our hotel managers and franchisors.

For additional information about cybersecurity risk, see “Item 1A. Risk Factors—Our hotel managers and we rely on information technology in our operations, and any material failure, inadequacy, interruption or security failure of that technology could harm our business.”