NNN REIT, INC. - (NNN)

10-K Filing Date: February 08, 2024
Item 1C. Cybersecurity

With oversight from the Board of Directors, NNN's management is responsible for managing all cyber risks and overseeing NNN's security programs. Primary cybersecurity risk oversight has been delegated to the Audit Committee. The Senior Vice President of Information Technology ("SVP of IT") oversees NNN's security programs and its Incident Response Policy and Plan. The SVP of IT reports to the Chief Accounting and Technology Officer, and together they have over 40 years of combined industry knowledge of technology and information systems.

The Audit Committee's cybersecurity risk oversight role includes: (i) reviewing and approving technology security policies and internal cybersecurity controls, (ii) monitoring cybersecurity and information security exposures, and (iii) confirming management has adequate procedures in place not only to control and limit these exposures but also to respond in a timely manner to any cyber incident. NNN's cybersecurity risk profile and cybersecurity program status, including results of any third-party evaluations, are reported to the Audit Committee by the Chief Accounting and Technology Officer.

NNN's information systems process and store critical and sensitive NNN data. Management and the Board of Directors are committed to protecting NNN systems and data through layered perimeter, interrogation and access controls, as well as following a constant process of researching, assessing, patching and remediating. Processes to assess, identify, isolate, remediate and manage cybersecurity risks have been integrated into NNN's overall risk management system. Below are examples of actions NNN takes to protect NNN's information systems and data from cybersecurity risk:

Align systems and processes with best practices for securing NNN information systems and data;
Perform continuous systems monitoring and tactical measures for impending viruses, malware, tampering, exploits and other cyber threats;
Deploy systems tools to detect, prevent and neutralize cyber threats;
Engage independent third-party consultants to assist in evaluating cybersecurity risks and response profile and plans;
Identify, oversee and evaluate the risks associated with third-party service providers and consultants;
Continuously educate and provide procedural training to all associates and the Board of Directors regarding cybersecurity awareness and risks such as enterprise security, malware, data protection best practices, anti-phishing exercises and updates with respect to other implemented information security measures;
Periodically measure the effectiveness of associate training;
Periodically review cybersecurity risk management with the Enterprise Risk Management Team;
Perform ongoing internal and external penetration testing and vulnerability assessments with a high priority for timely remediation; and
Establish reporting deadlines and hierarchies so that data regarding an incident or possible incident is communicated in a timely manner to NNN's management, to the Audit Committee of the Board of Directors, and, if appropriate or required by law, to the Commission.

Management is aware that preventive measures cannot prevent all cyber incidents. The SVP of IT has direct oversight over the Company's security programs on a daily basis. When a cyber incident occurs, NNN's actions are guided by an incident response plan decision tree to (i) detect, contain and eradicate any threats, (ii) assess materiality, (iii) notify internal parties and the Audit Committee Chairperson, (iv) recover any compromised NNN data and information systems, (v) limit impacts of any such incident on NNN's operations, and (vi) report any such incident as required by law or as otherwise necessary. For a detailed discussion of risks from cybersecurity threats, please see "Item 1A. Risk Factors."
