American Strategic Investment Co. - (NYC)
10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity.
We understand the importance of preventing, assessing, identifying, and managing material risks associated with cybersecurity threats. Cybersecurity processes to assess, identify and manage risks from cybersecurity threats have been incorporated as a part of our overall risk assessment process. On a regular basis we implement into our operations these cybersecurity processes, technologies, and controls to assess, identify, and manage material risks. Specifically, we engage a third-party cybersecurity firm to assist with network and endpoint monitoring, cloud system monitoring and assessment of our incident response procedures. Further, we employ periodic penetration testing and tabletop exercises to inform our risk identification and assessment of material cybersecurity threats.
To manage our material risks from cybersecurity threats and to protect against, detect, and prepare to respond to cybersecurity incidents, we undertake the below listed activities:
• Monitor emerging data protection laws and implement changes to our processes to comply;
• Conduct periodic data handling and use requirement training for our employees;
• Conduct annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data; and
• Conduct regular phishing email simulations for all employees.
Our incident response plan coordinates the activities that we and our third-party cybersecurity providers take to prepare to respond to and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations.
As part of the above processes, we engage with third-party providers to review our cybersecurity program and help identify areas for continued focus, improvement, and compliance.
Our processes also include assessing cybersecurity threat risks associated with our use of third-party service providers in the normal course of business, including those in our supply chain or who have access to our tenant and employee data or our systems. Third-party risks are included within our cybersecurity risk management processes discussed above. In addition, we assess cybersecurity considerations in the selection and oversight of our third-party service providers, including due diligence on the third parties that have access to our systems and facilities that house systems and data.
Our Audit Committee of the Board of Directors is responsible for oversight of our risk assessment, risk management, disaster recovery procedures and cybersecurity risks. Members of the Board regularly engage in discussions with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.
As of the date of this Annual Report on Form 10-K, we have not encountered risks from cybersecurity threats that have materially affected us, or are reasonably likely to materially affect, our business strategy, results of operations or financial position.