RMR GROUP INC. 10-K Cybersecurity GRC - 2024-11-12

Page last updated on November 12, 2024

RMR GROUP INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-12 06:19:35 EST.

Filings

10-K filed on 2024-11-12

RMR GROUP INC. filed a 10-K at 2024-11-12 06:19:35 EST
Accession Number: 0001644378-24-000042


Item 1C. Cybersecurity.

Risk management and strategy

We maintain a cybersecurity risk management program to identify, assess and manage material risks from cybersecurity threats, including by regularly assessing risks from cybersecurity threats and monitoring our information systems for potential vulnerabilities. Our cybersecurity program is designed to align with the National Institute of Standards and Technology Cybersecurity Framework.

We take various actions designed to maintain and protect the operation and security of our information technology and systems, including the data maintained in those systems. We conduct data security education and testing for our employees, in addition to penetration testing and unannounced email phishing exercises.

Additionally, we have implemented a third-party risk management process for third party service providers and vendors. Extensive security questionnaires are issued to third party providers and vendors, the responses to which are weighted and reviewed by our security and compliance team. High risk vendors are reviewed at least biennially and new vendors that interact with our data are assessed as part of our vendor procurement process.

In the event of a cybersecurity incident, we have a detailed incident response plan in place for contacting authorities and informing key stakeholders. In addition, we have engaged a qualified third party who conducted an external assessment of our cybersecurity controls.

To date, we are not aware of risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. For additional information on cybersecurity risks and potential related impacts on us, see Part I, Item 1A. Risk Factors, “We rely on information technology and systems in our operations, and any material failure, inadequacy, interruption or security breach of that technology or those systems could materially harm our business.”

Governance

Our Board of Directors holds oversight responsibility over our strategy and risk management, including material risks related to cybersecurity threats. Our Audit Committee takes a leading role in oversight of risk management, including risks related to cybersecurity, and receives reports from our management regarding cybersecurity risks and countermeasures being undertaken or considered by us, including updates on the internal and external cybersecurity landscape and relevant technical developments and more frequent reports as it may direct or as warranted.

Our cybersecurity program is led by our Chief Information Officer, or CIO, who has over two decades of relevant experience in information technology and cybersecurity and has primary responsibility for assessing and managing material risks from cybersecurity threats and overseeing our cybersecurity team. Our CIO has previously held senior information technology and security roles, including as CIO of a global real estate firm and of a real estate investment trust.

Our Director of Information Security and our cybersecurity team are responsible for, among other things, information technology failure mitigation and business continuity, cybersecurity threat detection and incident response and continuous network monitoring. Our cybersecurity team members have a broad array of relevant skills and expertise and have obtained, or are working to obtain, relevant information security certifications, including Certified Information Systems Security Professional, Certified Information Systems Auditor and Certified Risk and Information Systems Control certifications.

Our Director of Information Security assembles our incident response and investigative teams and informs our CIO if an incident occurs. Investigative findings are reported to our executive leadership and to the relevant authorities if warranted. Our CIO works closely with our senior management, including cross-functional leaders in our human resources, legal and corporate communications departments, to develop and advance our cybersecurity strategy and reports to our Audit Committee on cybersecurity matters.


Company Information

Name: RMR GROUP INC.
CIK: 0001644378
SIC Description: Services-Management Consulting Services
Ticker: RMR - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: September 29