Page last updated on July 16, 2024
GLADSTONE COMMERCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:02:35 EST.
Filings
10-K filed on 2024-02-21
GLADSTONE COMMERCIAL CORP filed a 10-K at 2024-02-21 16:02:35 EST
Accession Number: 0001234006-24-000003
Item 1C. Cybersecurity.
Risk Management and Strategy

We have implemented ongoing processes that are designed to continually identify, assess, manage and mitigate the dynamic and evolving material risks to us from cybersecurity threats. Our cybersecurity threat risks are identified, assessed, managed, and monitored by our Adviser’s and Administrator’s resource management and compliance departments, on our behalf, and work in conjunction with an independent third-party information technology service provider (“ISP”) engaged by our Adviser to manage our information technology strategy. The ISP regularly performs cyber assessments and assists in maintaining our cyber and information security programs. The ISP proposes recommendations to our Adviser’s resource management and compliance departments, which then are considered by other officers and employees of our Adviser and Administrator, working on our behalf, before improvements are implemented to our information technology strategy, cybersecurity, and incident response policies, processes and procedures.

In addition, regular ongoing cybersecurity threat risk assessments are performed throughout the year and reported to our officers and Board of Directors by our Chief Compliance Officer (“CCO”) no less than quarterly. Cybersecurity risks are assessed in general as part of the overall enterprise risk management for us, but also specifically between the ISP and our Adviser and Administrator in monitoring and determining not only the risks but also in assessing corresponding processes and procedures to mitigate those risks appropriately. Additionally, third party business applications are also incorporated in these risk assessments. As an international service provider, our ISP constantly monitors information technology risk and cybersecurity threats globally.
When risks are detected, we, through our Adviser and Administrator, consult with the ISP to assess if the risk is a cybersecurity threat to our information technology systems or data. If a risk to our information systems or data is identified, we then, through our Adviser and Administrator, work in conjunction with the ISP to implement recommended processes, improvements, or safeguards to our systems or processes to address the risks as needed. Relevant examples of such efforts include but are not limited to:

- implementation of industry leading Cloud solutions and business applications which possess integrated cybersecurity safeguards;
- anti-malware, antivirus and threat detection software;
- ransomware containment and isolation software;
- enhanced password requirements and multifactor authentication requirements;
- endpoint encryption;
- intrusion detection and response system conduct file integrity monitoring;
- email archiving, firewalls, and quarantine capabilities;
- mobile device management of business applications;
- frequent systems backups with recovery capabilities; and
- regular vulnerability scans and penetration testing.

Contractually, we require the ISP to annually provide a third-party report on its systems and on the suitability of the design and operating effectiveness of its controls relevant to information and cyber security. In addition to the ongoing dialogue and technology interaction between our Adviser and Administrator, on our behalf, and our ISP, any significant findings in these reports are shared with us, including our Board of Directors and other officers, to enhance ongoing monitoring and assessment of our information technology and cybersecurity risk management.

While our ISP works to create a hardened information technology systems environment, our Adviser and Administrator also regularly trains employees working on our behalf on the evolving threats and educates them on cybersecurity risks.
Whether it is communicating information about the latest cybersecurity threats, assessing employees’ awareness through mock fraud exercises, social engineering and phishing campaigns, or providing access to a library of educational material about past and newly evolving cybersecurity attacks, our Adviser and Administrator work in concert with the ISP, on our behalf, to keep employees servicing us informed so as to provide an additional protection barrier through end-user knowledge.

Notwithstanding our risk management and strategy described above, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See "Risk Factors - Cybersecurity threats and cyber incidents may adversely affect our business by causing a disruption to our operations, or the operations of businesses in which we invest, a compromise or corruption of our confidential information and/or damage to our business relationships, all of which could negatively impact our business, financial condition and operating results." for a discussion of risks related to cybersecurity and cyber incidents.

Governance

Our Board of Directors is actively engaged in overseeing our cybersecurity and information security program. Our Board of Directors receives regular reports during board meetings from our CCO on our and our Adviser’s and Administrator’s efforts concerning information security and addressing information technology and cybersecurity risks, no less than quarterly. The reports are distributed to our Board of Directors, and our CCO engages in detailed discussions with the independent board members during the independent members’ session. The reports cover all potentially material cybersecurity threats facing us, as well as key risks and mitigation efforts undertaken by us and our Adviser and Administrator.
As significant threats or events are identified by management or the ISP between regular reporting periods, our CCO will inform our Board of Directors immediately and keep it informed as to the developments of assessing the risks, mitigating efforts, and potential disclosure. Appropriate members of management and third party providers will be involved as deemed necessary based on the potential impact.

Our management personnel most involved with assessing and managing the cybersecurity risks and program with our ISP include our Head of Resources Management, who is also a member of our Board of Directors, and our CCO. Our Head of Resources Management has more than 30 years of overall experience and more than 20 years directly assessing and managing our cyber information technology and human resources systems, and the associated security concerns. Our CCO has more than 30 years of overall experience as a CPA, with more than 15 years managing information technology systems and databases, and 15-plus years supporting our Adviser’s and Administrator’s resource management department. This includes identifying, assessing, mitigating, and monitoring cyber information security risks. These managers, as well as other management personnel, attend various professional continuing education programs, which include cybersecurity matters.

Certain members of our Board of Directors have, or previously held, positions with other companies, including other public companies, that involved managing risks associated with their cyber and information technology systems. Our Board of Directors regularly receives updates from third parties on various business risks, which include cybersecurity matters.
Company Information
Name | GLADSTONE COMMERCIAL CORP |
CIK | 0001234006 |
SIC Description | Lessors of Real Property, NEC |
Ticker | GOOD - Nasdaq, GOODO - Nasdaq, GOODN - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |