Starwood Real Estate Income Trust, Inc. 10-K Cybersecurity GRC - 2024-03-21

Page last updated on July 16, 2024

Starwood Real Estate Income Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 15:57:45 EDT.

Filings

10-K filed on 2024-03-21

Starwood Real Estate Income Trust, Inc. filed a 10-K at 2024-03-21 15:57:45 EDT
Accession Number: 0000950170-24-034645


Item 1C. Cybersecurity.

Risk Management and Strategy

As a company externally managed by the Advisor, we rely on Starwood Capital’s information technology (“IT”) systems, including data hosting facilities and other hardware and software platforms, some of which are hosted by third-party service providers, to assist in conducting our businesses. Starwood Capital’s IT systems, like those of most companies, may be vulnerable to certain cybersecurity threats such as ransomware, interruption of services, data breaches, or any other cybersecurity incidents, or a series of related cybersecurity incidents, that could adversely impact our financial condition, results of operations, cash flows or business strategy, including our ability to operate core business functions.

In the last fiscal year, Starwood Capital continually monitored the risk landscape and did not experience any cybersecurity breaches, including malware and computer virus attacks that have materially affected, or are reasonably likely to materially affect our financial condition, results of operations, cash flows, or business strategy. For more information on our cybersecurity-related risks, see Part I, “Item 1A. Risk Factors” included elsewhere in this Annual Report on Form 10-K.

Starwood Capital considers cybersecurity risks, along with other top risks, within its Enterprise Risk Management (“ERM”) framework. The ERM framework includes internal reporting at the business and enterprise levels, with consideration of key risk indicators, trends and countermeasures for cybersecurity and other types of significant risks.

Starwood Capital has implemented a cybersecurity program that employs various controls and activities aimed at identifying, protecting against, detecting, and responding to cybersecurity threats. These controls and activities include hardware and software inventory tracking, endpoint protection, and network security measures to safeguard our assets from unauthorized access and attacks. Starwood Capital prioritizes data protection through access management designed to permit access only by authorized personnel.

Starwood Capital’s cybersecurity incident response plan, integrated into the ERM framework, outlines a structured process for handling information security incidents involving assets or data. It guides Starwood Capital’s cybersecurity incident response team in containing, eradicating, and recovering from incidents while minimizing damage and disruption. The plan includes a clearly defined notification framework ensuring timely communication with business and management teams based on the incident’s severity and potential impact.

Additionally, Starwood Capital maintains a cybersecurity insurance policy to mitigate risks associated with cybersecurity incidents. The cybersecurity insurance policy covers both our company and other Starwood Capital affiliates. Starwood Capital also periodically performs simulations and tabletop exercises at a management level and utilizes external resources and consultants, as needed.

All employees of Starwood Capital are required to complete an annual computer-based Security Awareness Training Program that includes various topics on cybersecurity risk management best practices. This program educates users on how to identify information security threats and what actions should be taken in the event of a cybersecurity breach. Additionally, the employees of Starwood Capital are regularly tested with phishing campaigns reinforcing their awareness of email threats.

Annual risk assessments of Starwood Capital’s Information Security Program are conducted to identify emerging information security and third-party risks. In addition, periodic vulnerability assessments and penetration tests are conducted throughout the year to support the identification of risks.

Further, Starwood Capital utilizes on-premises and cloud-based security solutions, with real-time monitoring provided by specialized managed third-party security service providers. These third parties collect events generated by critical systems in real-time, filter non-security events, and then correlate the information using security data analytical engines so that personnel of Starwood Capital can identify and analyze threats.

With respect to the software platforms that are hosted by third parties, Starwood Capital utilizes an external vendor risk management platform to evaluate, rate, monitor and track vendor risk. The security practices and processes of our third-party service providers are monitored regularly. In addition, we have engaged a third-party to evaluate and review the remediation of cyber risks of our third party service providers, including financial service providers, property managers and professional service firms. For any hosted applications, Starwood Capital inquires if the vendor issues a System and Organization Controls (“SOC”) 1 or SOC 2 report. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, Starwood Capital takes additional steps to assess its cybersecurity preparedness and assess the relationship on that basis. Starwood Capital’s assessment of risks associated with the use of third party service providers is part of Starwood Capital’s overall cybersecurity risk management framework.

Governance

Our board of directors is ultimately responsible for the oversight of risks from cybersecurity threats and has delegated responsibility for such oversight of cybersecurity matters to the audit committee. The audit committee receives at least quarterly, or more frequently as needed, updates from the Advisor on our cybersecurity program, including measures taken to address cybersecurity risks and significant cybersecurity incidents.

Starwood Capital’s Chief Technology Officer, an industry veteran that has been focused on technology for over 40 years and in technology leadership roles at financial institutions for 20 years, leads the overall cybersecurity function and is responsible for developing and implementing Starwood Capital’s Information Security Program and managing our response to threats. In addition to its in-house cybersecurity capabilities, at times Starwood Capital also engages third parties to assist with assessing, identifying, and managing cybersecurity risks. Members of Starwood Capital’s IT security team, including the third-party security firms utilized as part of its program, have cybersecurity experience or certifications, such as the Certified Information Systems Security Professional certification.


Company Information

Name: Starwood Real Estate Income Trust, Inc.
CIK: 0001711929
SIC Description: Real Estate Investment Trusts
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30