NNN REIT, INC. 10-K Cybersecurity GRC - 2025-02-11

Page last updated on February 11, 2025

NNN REIT, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-11 08:31:57 EST.

Filings

10-K filed on 2025-02-11

NNN REIT, INC. filed a 10-K at 2025-02-11 08:31:57 EST
Accession Number: 0000950170-25-017472

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity With oversight from the Board of Directors, NNN’s management is responsible for managing all cyber risks and overseeing NNN’s security programs. Primary cybersecurity risk oversight has been delegated to the Audit Committee. The Chief Accounting and Technology Officer (the “CATO”) oversees NNN’s security programs and its Incident Response Policy and Plan and provides direct oversight and guidance to the technology team that manages NNN’s day-to-day technology and cybersecurity operations. The CATO has been with NNN for over 25 years and has overseen NNN’s information systems, including its cyber risk management program, for the last 15 years. The technology team has the appropriate educational background and certifications in the area of information security governance and technical controls, penetration testing and vulnerability assessments, incident response and digital forensics and secure systems design and architecture. The Audit Committee cybersecurity risk oversight role includes: (i) reviewing and approving technology security policies and internal cybersecurity controls, (ii) monitoring cybersecurity and information security exposures, and (iii) confirming management has adequate procedures in place to not only control and limit these exposures but also to timely respond to any cyber incident. NNN’s cybersecurity risk profile and cybersecurity program status, including results of any third-party evaluations are reported to the Audit Committee by the CATO . NNN’s information systems process and store critical and sensitive NNN data. Management and the Board of Directors are committed to protecting NNN systems and data through layered perimeter, interrogation and access controls, as well as following a constant process of researching, assessing, patching and remediating. Processes to assess, identify, isolate, remediate and manage cybersecurity risks have been integrated into NNN’s overall risk management system. Below are examples of actions NNN takes to protect NNN’s information systems and data from cybersecurity risk : - Align systems and processes with best practices, including the National Institute of Standards and Technology Cybersecurity Framework, for securing NNN information systems and data; - Perform continuous systems monitoring and tactical measures for impending viruses, malware, tampering, exploits and other cyber threats; - Deploy systems tools to detect, prevent and neutralize cyber threats; - Engage independent third-party consultants to assist in evaluating cybersecurity risks and response profile and plans; - Identify, oversee and evaluate the risks associated with third-party service providers and consultants; - Continuously educate and provide procedural training to all associates and the Board of Directors regarding cybersecurity awareness and risks such as enterprise security, malware, data protection best practices, anti-phishing exercises and updates with respect to other implemented information security measures; - Periodically measure the effectiveness of associate training; - Cybersecurity risk management is periodically reviewed with NNN’s Enterprise Risk Management Team; - Perform ongoing internal and external penetration testing and vulnerability assessments with a high priority for timely remediation; and - Establish reporting deadlines and hierarchies so that data regarding an incident or possible incident is communicated in a timely manner to NNN’s management, to the Audit Committee of the Board of Directors, and if, appropriate or required by law, to the Commission. 23 Management is aware that preventive measures cannot prevent all cyber incidents. The CATO has direct oversight over the Company’s security programs on a daily basis. When a cyber incident occurs, NNN’s actions are guided by an incident response plan decision tree to (i) detect, contain and eradicate any threats, (ii) assess materiality, (iii) notify internal parties and the Audit Committee Chairperson, (iv) recover any compromised NNN data and information systems, (v) limit impacts of any such incident on NNN’s operations, and (vi) report any such incident as require by law or as otherwise necessary. For a detailed discussion of risks from cybersecurity threats, please see “Item 1A. Risk Factors.”

Company Information