W. P. Carey Inc. - (WPC)
10-K Filing Date: February 09, 2024
Item 1C. Cybersecurity.
We believe we maintain an information technology and cybersecurity program appropriate for a company our size, taking into account our operations and risks.
W. P. Carey 2023 10-K – 20 |
Management and Board Oversight
We are committed to cybersecurity and vigilantly protecting all our resources and information from unauthorized access. Our cybersecurity approach incorporates a layered portfolio of comprehensive employee training programs, multiple resources to manage and monitor the evolving threat landscape, effective Board oversight of cybersecurity risks and knowledgeable teams responsible for preventing and detecting cybersecurity risks.
As part of the Board’s oversight of risk management, the Board reviews our cyber-risks with management and the actions we are taking to mitigate such risks. These actions include implementing industry-recognized practices for protecting systems, third-party monitoring of certain systems and cybersecurity training for employees. Board oversight of risk is also performed as needed between meetings through the Audit Committee and communications between management and the Board. The Board receives periodic education around cybersecurity risks and best practices.
Additionally, the Audit Committee, which consists solely of independent directors, is responsible for overseeing cybersecurity risks and related initiatives. The Audit Committee reviews our enterprise risk and cybersecurity risks. It also reviews the steps management has taken to protect against threats to our information systems and security and receives updates on cybersecurity on a quarterly basis.
Our information technology team is led by our Chief Information Officer, who has extensive experience working with information security systems. Our information technology team consists of individuals with expertise in assessing, preventing and addressing cybersecurity risk and is responsible for executing our cybersecurity program as well as communicating regularly with senior management, our cybersecurity governance committee, the Audit Committee and the Board. Our cybersecurity governance committee, composed of our Chief Financial Officer, Chief Legal Officer, Chief Information Officer, Head of Internal Audit and senior members of our information technology team, is responsible for developing and maintaining our cybersecurity policies and standards, monitoring ongoing compliance and program updates, and ensuring our information security is aligned with our business objectives and strategies.
Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
Our cybersecurity program focuses on (1) preventing and preparing for cybersecurity incidents, (2) detecting and analyzing cybersecurity incidents and (3) containing, eradicating, recovering from and reporting cybersecurity events.
Prevention and Preparation
We employ a variety of measures to prevent threats related to privacy, information technology security and cybersecurity, which include password protection, frequent mandatory password change events, multi-factor authentication, internal phishing testing, vulnerability scanning and penetration testing.
Our information technology and internal audit teams utilize frameworks based on industry standards to identify and mitigate information security risks and oversee an active cybersecurity training program. For example, in January 2023, our information technology team held a tabletop exercise with senior management to consider different cybersecurity scenarios. Our information technology team also recently worked with various third-party consultants to update our incident response plan.
In addition, our information technology team conducts routine security assessments as well as ongoing cybersecurity training campaigns for employees to enhance awareness and increase vigilance for the various types of cybersecurity attacks to which they may be exposed. Our internal audit team evaluates and monitors our internal controls over systems access in an effort to mitigate information security risks that may result from unauthorized access to systems and data.
Third-party vendors are vetted through our service delivery program to ensure they have an established cybersecurity program. We have also engaged our managed security provider to manage a supply chain defense subscription that will help obtain clear visibility into cybersecurity risks across third-party vendors by proactively identifying, prioritizing, and driving remediation for cyber risks posed by critical business partners. Our managed security provider’s risk operations center will escalate certain alerts regarding third-party vendors directly to the appropriate business partners, thus providing direct collaboration with third parties, saving time and improving risk reduction while safeguarding our relationships with such third parties.
Detection and Analysis
Cybersecurity incidents may be detected through a variety of means, including but not limited to automated event-detection notifications or similar technologies which are monitored by our managed cybersecurity provider, notifications from employees, vendors or service providers, and notifications from third party information technology system providers. Once a potential cybersecurity incident is identified, including a third party cybersecurity event, the incident response team designated pursuant to our incident response plan follows the procedures set forth in the plan to investigate the potential incident, such as determining the nature of the event (e.g., ransomware or personal data breach) and assessing the severity of the event and sensitivity of any compromised data.
Containment, Eradication, Recovery, and Reporting
In the event of a cybersecurity incident, the incident response team is initially focused on containing the cybersecurity incident as quickly and efficiently as possible, consistent with the procedures in the incident response plan. Containment procedures may include shutting down systems; disconnecting systems from a network; disabling specific ports, protocols, services, functions, etc.; disabling access to compromised systems; examining code in a controlled environment; and making forensic backups of affected systems for possible legal action or for third-party forensic analysis.
Once a cybersecurity incident is contained, the focus shifts to remediation. Eradication and recovery activities depend on the nature of the cybersecurity incident. They may include returning affected systems to an operationally ready state, confirming that the affected systems are functioning normally and implementing, as necessary, additional monitoring to look for future related activity.
We have relationships with a number of third party service providers to assist with cybersecurity containment and remediation efforts, including outside legal counsel, vendors and external insurance brokers.
In the event of a cybersecurity incident, we intend to follow the steps outlined in our incident response plan, including notifying our senior management, as appropriate.
Following the conclusion of an incident, we, with the assistance of the incident response team, will generally reassess the effectiveness of the cybersecurity program and incident response plan, make adjustments as appropriate and report to our senior management and our Audit Committee on these matters.
Cybersecurity Risks
As of December 31, 2023, we are not aware of any material cybersecurity incidents that impacted the Company in the last three years. However, we routinely face risks of potential incidents, whether through cyber-attacks or cyber intrusions over the Internet, ransomware and other forms of malware, computer viruses, attachments to emails, phishing attempts, extortion or other scams. For a discussion of these risks, see Item 1A. Risk Factors — The occurrence of cyber incidents, or a deficiency in our cyber security, could negatively impact our business by causing a disruption to our operations, a compromise or corruption of our confidential information, and/or damage to our business relationships, all of which could negatively impact our financial results.