LXP Industrial Trust - (LXP)
10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY
We believe we maintain an information technology and cybersecurity program appropriate for a company of our size, taking into account our operations.
Management and Board Oversight
Our enterprise risk management framework was developed in conjunction with a third-party that objectively assessed key stakeholder responses to questionnaires on our operations and business functions, including information technology and cybersecurity. Our internal controls over financial reporting include key controls covering certain information technology and cybersecurity processes that are documented and tested annually.
The Audit and Cyber Risk Committee of our Board of Trustees assists our Board of Trustees on oversight of management in connection with regularly assessing our key risks and engaging in enterprise-wide risk management as they relate to cybersecurity and our technology and information systems, including with respect to strategies, objectives, capabilities, initiatives, policies and investments. A member of our Board of Trustees and the Audit and Cyber Risk Committee of our Board of Trustees is a recognized cybersecurity expert as a member of the Tech & Cybersecurity Advisory Committee for U.S. Senator Mark Warner and having been an investor in and director of private and public technology-focused companies.
We employ a Director of Information Technology who works exclusively on information technology and cybersecurity matters and has over 28 years of related experience. We employ a Director of ESG and Corporate Operations who spends part of her business time on information technology matters, specifically business applications, and has 11 years of related experience. Both employees report to our Chief Operating Officer.
Due to our size and the size of our employee base, we use third-party vendors to assist us with our network and information technology requirements. Since 2019, BDO USA, LLC (“BDO”) has acted as our outsourced chief technology officer/chief information security officer (“CTO/CISO”) and provided us with the following services through a dedicated partner in BDO Digital’s Security & Compliance:
•Overseeing the chief security role and informing leadership of cybersecurity risks and the role of staff in protecting information, including, but not limited to:
◦Monitoring emerging risks, suggesting and overseeing implementation of mitigations;
◦Championing security awareness and training programs; and
◦Reporting significant security events to leadership.
•Guidance regarding incident response, business continuity and disaster recovery program, strategy and testing.
•Oversight and guidance on vendor risk management processes and individual vendor profiles.
•IT strategy advice.
•Monitoring the relationship with our information technology managed services provider.
•Technical, policy and procedure recommendations.
Together with our Director of Information Technology, BDO reports frequently to our Chief Operating Officer and General Counsel and to the Audit and Cyber Risk Committee of our Board of Trustees on a quarterly basis.
We outsource our information technology managed services to a third-party provider of customized private cloud solutions featuring virtual desktops and servers. Our Director of Information Technology, together with BDO, oversees the third-party managed service provider (“MS Provider”).
We maintain a critical systems vendor management program with the assistance of a third-party provider of vendor risk intelligence data, including cybersecurity vulnerabilities, business health and credit risk.
In the event of an incident which jeopardizes the confidentiality, integrity, or availability of the information technology systems we use, we utilize a regularly updated incident response plan. Our incident response plan was developed to guide the internal response to incidents, taking into account a recognized third-party cybersecurity framework. Pursuant to our incident response plan and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting and disclosure obligations associated with the incident, and performing post-incident analysis and program improvements. While the particular personnel assigned to an incident response team will depend on the particular facts and circumstances, the incident response team is made up of two teams: the information security response team and the business response team. The information security response team is generally led by our Chief Operating Officer and includes our CTO/CISO, our Director of Information Technology, our MS Provider account manager, our Chief Financial Officer and other members of our senior leadership. The business response team includes primary and secondary contacts for each impacted business area. These individuals assist with any necessary customer notification procedures. The incident response team regularly reports to senior management, including the CEO, in the event of a significant incident, and our Chief Operating Officer and Chief Financial Officer provide reports to our Audit and Cyber Risk Committee and our Board of Trustees.
The Audit and Cyber Risk Committee oversees, on behalf of the Board of Trustees, our information technology and cybersecurity strategy and initiatives. Our Board of Trustees has determined that one of the members of our Audit and Cyber Risk Committee is an information technology/cybersecurity expert and has significant experience in, among other areas, emerging technologies and coordinating national security and technology policy. On at least a quarterly basis, our Chief Operating Officer, CTO/CISO and Director of Information Technology report to our Audit and Cyber Risk Committee on information technology matters, including cybersecurity. Our Audit and Cyber Risk Committee then updates the Board of Trustees following management’s update. On a periodic basis, our Audit and Cyber Risk Committee commissions an external assessment of our cybersecurity practices and receives a report from the third-party firm performing our internal audit function. The most recent assessment was completed in 2023.
Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
Our cybersecurity program focuses on (1) preventing and preparing for cybersecurity incidents, (2) detecting and analyzing cybersecurity incidents, and (3) containing, eradicating, recovering from, and reporting cybersecurity events.
Prevention and Preparation
As noted above, we utilize our MS Provider for cloud-based information technology services. This third-party solution includes 24/7 monitoring and is built to the NIST/ISO framework. We also engage a nationally recognized public accounting firm to perform periodic cybersecurity assessments, which entail a qualitative current-state evaluation of our cybersecurity program in line with specific domains within the recognized third-party framework. In addition, we take the following preventative measures:
•We engage a third party to perform internal and external penetration tests on an annual basis.
•We require multi-factor authentication for our network and primary applications.
•We utilize geolocation-based blocking.
We recognize that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, a key element of our prevention efforts is annual employee training on cybersecurity covering phishing, malware and other cyber risks. We use a third-party provider of security awareness training and simulated phishing for our email phishing reporting and cybersecurity training. Our employees are required to complete quarterly cybersecurity training programs.
We maintain comprehensive business continuity and disaster recovery plans, which we update on at least an annual basis and test through tabletop exercises on an annual basis. We do not maintain any on-premises data or servers.
We are exposed to risks from interactions with vendors and other third parties. To mitigate this risk, we perform due diligence on our vendors and third-party service providers. We believe we work with reputable vendors and require SOC reports from critical vendors and IT service providers.
We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity failures and specified cybersecurity-related incidents that interrupt our network or networks of our vendors, in all cases up to specified limits and subject to certain exclusions.
Detection and Analysis
Cybersecurity incidents may be detected through a variety of means, which may include, but are not limited to, automated event-detection notifications, employee notifications, and notification from external parties (e.g., our third-party information technology provider). Once a potential cybersecurity incident is identified, including a third-party cybersecurity event, the incident response team designated pursuant to the incident response plan follows the procedures set forth in the plan to investigate the potential incident, including determining the nature of the event (e.g., ransomware or personal data breach) and assessing the severity of the event and the sensitivity of any compromised data.
Containment, Eradication, Recovery, and Reporting
In the event of a cybersecurity incident, our first priority is to contain the cybersecurity incident as quickly as possible consistent with the procedures in our incident response plan. A representative of our third-party information technology provider is a member of the incident response team. Our third-party information technology provider takes the lead on assisting us with the steps and procedures to contain the incident. If our third-party information technology provider is unable to contain the incident, we expect to work with our CTO/CISO and cybersecurity insurer to engage the appropriate vendor for containment.
Once a cybersecurity incident is contained our focus shifts to remediation. Eradication and recovery activities depend on the nature of the cybersecurity incident and may include rebuilding systems and/or hosts, replacing compromised files with clean versions, validation of files or data that may have been affected, increased network monitoring or logging to identify recurring attacks, or employee re-training, among other things. We have specific recovery time objectives and recovery point objectives in our disaster recovery plan.
Our incident response plan provides clear communication protocols, including with respect to members of senior management, including the CEO, CFO and COO, internal and external counsel, our management disclosure committee and the Audit and Cyber Risk Committee and the Board of Trustees. With respect to our SEC reporting obligations related to a cybersecurity incident, as set forth in the incident response plan, the leaders of the incident response plan regularly brief the management disclosure committee on developments related to an incident. In addition, the COO and CTO/CISO engage with external legal counsel with respect to other regulatory reporting obligations related to an incident.
Following the conclusion of an incident the incident response team will generally assess the effectiveness of the cybersecurity program and make adjustments as appropriate.
Cybersecurity Risks
As of December 31, 2023, we are not aware of any material cybersecurity incidents in the last three years. However, we routinely face risks of potential incidents, whether through cyber-attacks or cyber intrusions over the Internet, ransomware and other forms of malware, computer viruses, email attachments, phishing attempts, extortion or other scams that we are able to prevent or sufficiently mitigate harm from. Although we make efforts to maintain the security and integrity of the third-party networks and systems we use, these systems and the proprietary, confidential and personal information that resides on or is transmitted through them are subject to the risk of a security incident or disruption, and there can be no assurance that our security efforts and measures, and those of our third-party providers, will be effective. See “Item 1A–Risk Factors–Cybersecurity incidents may adversely affect our business.”