GLADSTONE LAND Corp - (LAND)

10-K Filing Date: February 20, 2024
ITEM 1C.CYBERSECURITY
Risk Management and Strategy
We have implemented ongoing processes that are designed to continually identify, assess, manage, and mitigate the dynamic and evolving material risks to us from cybersecurity threats. Our cybersecurity threat risks are identified, assessed, managed, and monitored by our Adviser’s and Administrator’s resource management and compliance departments, which work in conjunction with an independent third-party information technology service provider (“ISP”) engaged by our Adviser to manage our information technology strategy. The ISP regularly performs cyber assessments and assists in maintaining our cyber and information security programs. The ISP proposes recommendations to our Adviser’s resource management and compliance departments, which are then considered by other officers and employees of our Adviser and Administrator working on our behalf before improvements are implemented to our information technology strategy, cybersecurity, and incident response policies, processes, and procedures.
In addition, regular ongoing cybersecurity threat risk assessments are performed throughout the year and reported to our officers and Board of Directors by our Chief Compliance Officer (“CCO”) no less than quarterly. Cybersecurity risks are assessed in general as a part of the overall enterprise risk management for us, but also specifically between the ISP and our Adviser and Administrator in monitoring and determining not only the risks but also assessing corresponding processes and procedures to mitigate those risks appropriately. Third-party business applications are also incorporated into these risk assessments.
As an international service provider, our ISP constantly monitors information technology risk and cybersecurity threats globally. When risks are detected, we, through our Adviser and Administrator, consult with the ISP to assess if the risk is a cybersecurity threat to our information technology systems or data. If a risk to our information systems or data is identified, we then, through our Adviser and Administrator, work in conjunction with the ISP to implement recommended processes, improvements, or safeguards to our systems or processes to address the risks as needed. Relevant examples of such efforts include but are not limited to:
implementation of industry-leading Cloud solutions and business applications which possess integrated cybersecurity safeguards,
anti-malware, antivirus, and threat detection software,
ransomware containment and isolation software,
31

enhanced password requirements and multifactor authentication requirements,
endpoint encryption,
intrusion detection and response system conduct file integrity monitoring,
email archiving, firewalls, and quarantine capabilities,
mobile device management of business applications,
frequent systems backups with recovery capabilities, and
regular vulnerability scans and penetration testing.
Contractually, we require the ISP to provide us with annually a third-party report on its systems and on the suitability of the design and operating effectiveness of its controls relevant to information and cyber security. In addition to the ongoing dialogue and technology interaction between our Adviser and Administrator and our ISP, any significant findings in these reports are shared with us, including our Board of Directors and other officers, to enhance ongoing monitoring and assessment of our information technology and cybersecurity risk management.
While our ISP works to create a hardened information technology systems environment, our Adviser and Administrator also regularly trains employees working on our behalf on the evolving threats and educates them on cybersecurity risks. Whether it is communicating information about the latest cybersecurity threats, assessing employees’ awareness through mock fraud exercises, social engineering and phishing campaigns, or providing access to a library of educational material about past and newly-evolving cybersecurity attacks, our Adviser and Administrator work in concert with the ISP on our behalf to keep employees servicing us informed so as to provide an additional protection barrier through end-user knowledge.
Notwithstanding our risk management and strategy described above, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Part I, Item 1A, “Risk Factors—Risks Relating to Our Business and Operations—Cybersecurity risks and cyber incidents may adversely affect our business by causing a disruption to our operations or the operations of businesses in which we invest, a compromise or corruption of our confidential information, and/or damage to our business relationships, all of which could negatively impact our business, financial condition, and operating results.”
Governance
Our Board of Directors is actively engaged in overseeing our cybersecurity and information security program. Our Board of Directors receives regular reports during board meetings from our CCO on our and our Adviser’s and Administrator’s efforts concerning information security and addressing information technology and cybersecurity risks no less than quarterly. The reports are distributed to our Board of Directors, and our CCO engages in detailed discussions with the independent board members during the independent members’ session. The reports cover all potentially material cybersecurity threats facing us, as well as key risks and mitigation efforts undertaken by us and our Adviser and Administrator. As significant threats or events are identified by management or the ISP between regular reporting periods, our CCO will inform our Board of Directors immediately and keep it informed as to the developments of assessing the risks, mitigating efforts, and potential disclosure. Appropriate members of management and third-party providers will be involved as deemed necessary based on the potential impact.
Management personnel most involved with assessing and managing the cybersecurity risks and program with our ISP include our Head of Resources Management, who is also a member of our Board of Directors, and our CCO. Our Head of Resources Management has more than 30 years of overall experience and more than 20 years directly assessing and managing our cyber information technology and human resources systems and the associated security concerns. Our CCO has more than 30 years of overall experience as a CPA, with more than 15 years managing information technology systems and databases, and 15-plus years supporting our Adviser’s and Administrator’s resource management department. This includes identifying, assessing, mitigating, and monitoring cyber information security risks. These managers, as well as other management personnel, attend various professional continuing education programs that include cybersecurity matters. Certain members of our Board of Directors have, or previously held, positions with other companies, including other public companies, that involved managing risks associated with their cyber and information technology systems. Our Board of Directors regularly receives updates from third parties on various business risks, which include cybersecurity matters.

© 2024 Material-Incidents. All rights reserved.