Lodging Fund REIT III, Inc. 10-K Cybersecurity GRC - 2024-12-17

Page last updated on December 17, 2024

Lodging Fund REIT III, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-17 16:47:35 EST.

Filings

10-K filed on 2024-12-17

Lodging Fund REIT III, Inc. filed a 10-K at 2024-12-17 16:47:35 EST
Accession Number: 0001558370-24-016328

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We have developed and implemented a cybersecurity risk management policy intended to protect the confidentiality, integrity and availability of our critical systems and information. Our policy establishes the framework for managing cybersecurity risks and outlines the measures and protocols to protect our information systems. Our risk management and strategy is managed by our third-party IT Management Service Provider, Network Center, Inc. (“Network Center”) with oversight by our VP of Operations. Our policy applies to all employees, contractors, and all third-party partners who have access to our information systems. Our cybersecurity risk management policy is integrated into our overall enterprise risk management processes. Our risk management policy includes continual monitoring by Network Center, as they manage our technical defenses. Risk assessments and penetration testing are performed on a quarterly basis to identify and mitigate potential threats. Procedures have been implemented for identifying, evaluating and addressing vulnerabilities. Additionally, vulnerability assessments are performed monthly by Network Center. An additional part of our risk management strategy is having a clear process for reporting cybersecurity incidents and the development and maintenance of an incident response plan to address and mitigate the impact of cybersecurity incidents. A key component of our risk management and strategy surrounds data protection. We have implemented strict access controls for each individual employee to ensure only authorized personnel can access sensitive and confidential data. All digital communication is pre-screened for potentially malicious actions through a dedicated email security provider. For additional protection, we have implemented multi-factor authentication along with email encryption to ensure data is protected while at rest and in transit. We are also protected through a multilayered approach to security through the ESET Protection Platform, which provides formidable defense through cyber threat prevention, detection and response. In addition, we provide regular cybersecurity training to all employees on a quarterly basis and conduct ongoing awareness programs to keep employees informed about cybersecurity best practices. Employees have been trained, enabling them to detect and report on any malicious intrusions or social engineering attempts to infiltrate our systems. They are also regularly trained, tested and reported on through KnowB4 spear-phishing email campaigns to ensure our training is effective. We are fully insured for cyber risk through our insurance provider. Governance Our board of directors is responsible for overseeing our policies and practices related to corporate governance including cybersecurity risks. On an annual basis, management receives a report from Operations Management on our cybersecurity threat risk, management processes, and strategies. In addition to annual meetings, our board of directors, management and Audit Committee are notified of any cybersecurity incident, its threat level and the response. The threat level and response are evaluated and documented in a report by Operations leadership and our IT Services Provider. Based on our board of directors and Audit Committee review of the incident report, they determine if the findings require disclosure to the SEC. Our cyber security policies and procedures are reviewed and updated annually or as needed to address any emerging threats and changes in regulatory requirements. To date, there have been no confirmed cyber security breaches, unauthorized intrusions or threats detected within our mainframe operating systems, our encrypted e-mail servers, or our advanced firewall protections, and we have not identified risks from known cybersecurity threats, that have materially affected or that are reasonably likely to materially affect our business. However, future incidents could have a material impact on our business strategy, results of operations or financial condition. For additional discussion of the risks posed by cybersecurity threats, see “Item 1A. Risk Factors - We and our hotel managers and franchisors rely on information technology in our operations, and any material failure, inadequacy, interruption, cyber-attack or security failure of that technology could harm our business.”

Company Information