W. P. Carey Inc. 10-K Cybersecurity GRC - 2025-02-12

Page last updated on February 12, 2025

W. P. Carey Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-12 16:27:56 EST.

Filings

10-K filed on 2025-02-12

W. P. Carey Inc. filed a 10-K at 2025-02-12 16:27:56 EST
Accession Number: 0001025378-25-000031


Item 1C. Cybersecurity.

Item 1C. Cybersecurity in this Report.

Item 1B. Unresolved Staff Comments.

None.

Item 1C. Cybersecurity.

We maintain an information technology and cybersecurity program.

Management and Board Oversight

We are committed to cybersecurity and vigilantly protecting all our resources and information from unauthorized access. Our cybersecurity approach incorporates a layered portfolio of employee training programs, multiple resources to manage and monitor the evolving threat landscape, Board oversight of cybersecurity risks and knowledgeable teams responsible for preventing and detecting cybersecurity risks.

As part of the Board’s oversight of risk management, the Board reviews our cyber-risks with management and the actions we are taking to mitigate such risks. These actions include implementing industry-recognized practices for protecting systems, third-party monitoring of certain systems and cybersecurity training for employees. Board oversight of risk is also performed between meetings through the Audit Committee and communications between management and the Board. The Board receives periodic education around cybersecurity risks and best practices.

W. P. Carey 2024 10-K - 20

Additionally, the Audit Committee, which consists solely of independent directors, is responsible for overseeing cybersecurity risks and related initiatives. The Audit Committee reviews our enterprise risk and cybersecurity risks. It also reviews the steps management has taken to protect against threats to our information systems and security and receives updates on cybersecurity on a quarterly basis.

Our information technology team is led by our Chief Information Officer who reports to our Chief Financial Officer and has extensive experience working with information security systems. Our information technology team consists of individuals with expertise in assessing, preventing and addressing cybersecurity risk and is responsible for executing our cybersecurity program as well as communicating regularly with senior management, our cybersecurity governance committee, the Audit Committee and the Board.

Our cybersecurity governance committee, comprised of our Chief Financial Officer, Chief Legal Officer, Chief Information Officer, Head of Internal Audit and senior members of our information technology team are responsible for developing and maintaining our cybersecurity policies and standards, monitoring ongoing compliance and program updates, and ensuring our information security is aligned with our business objectives and strategies.

Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

Our cybersecurity program focuses on (1) preventing and preparing for cybersecurity incidents, (2) detecting and analyzing cybersecurity incidents and (3) containing, eradicating, recovering from and reporting cybersecurity events.

Prevention and Preparation

We employ a variety of measures to prevent threats related to privacy, information technology security and cybersecurity, which include password protection, frequent mandatory password change events, multi-factor authentication, internal phishing testing, vulnerability scanning and penetration testing. Our information technology and internal audit teams utilize frameworks consistent with well-recognized industry cybersecurity frameworks to identify and mitigate information security risks and oversee an active cybersecurity training program. In addition, our information technology team conducts routine security assessments as well as ongoing cybersecurity training campaigns for employees and our Board to enhance awareness and increase vigilance for the various types of cybersecurity attacks to which they may be exposed. Our internal audit team evaluates and monitors our internal controls over systems access in an effort to mitigate information security risks that may result from unauthorized access to systems and data.

Third-party vendors are vetted through our service delivery program to ensure they have an established cybersecurity program. We have also engaged our managed security provider to manage a supply chain defense subscription that will help obtain visibility into cybersecurity risks across third party vendors by proactively identifying, prioritizing, and driving remediation for cyber risks posed by critical business partners. Our managed security provider’s risk operations center will escalate certain alerts regarding third-party vendors directly to the IT Department thus providing direct collaboration with third parties, saving time and improving risk reduction while safeguarding our relationships with such third parties.

Detection and Analysis

Cybersecurity incidents may be detected through a variety of means, including but not limited to automated event-detection notifications or similar technologies which are monitored by our managed cybersecurity provider, notifications from employees, vendors or service providers, and notifications from third party information technology system providers. Once a potential cybersecurity incident is identified, including a third party cybersecurity event, the incident response team designated pursuant to our incident response plan follows the procedures set forth in the plan to investigate the potential incident, such as determining the nature of the event and assessing the severity of the event.

Containment, Eradication, Recovery, and Reporting

In the event of a cybersecurity incident, the incident response team is responsible for containing the cybersecurity incident, consistent with the procedures in the incident response plan.

Once a cybersecurity incident is contained, the focus shifts to remediation. Eradication and recovery activities depend on the nature of the cybersecurity incident. They may include returning affected systems to an operationally ready state and confirming that the affected systems are functioning normally.

We have relationships with a number of third party service providers to assist with cybersecurity containment and remediation efforts, including outside legal counsel, vendors and external insurance brokers.

In the event of a cybersecurity incident, the incident response team is responsible for following the steps outlined in our incident response plan, including notifying our senior management, as appropriate. Following the conclusion of an incident, we, with the assistance of the incident response team, will generally reassess the effectiveness of the cybersecurity program and incident response plan, identify potential adjustments as appropriate and report to our senior management and our Audit Committee on these matters.

Cybersecurity Risks

As of December 31, 2024, we are not aware of any instances of material cybersecurity incidents that impacted the Company in the last three years. However, there can be no assurance that our cybersecurity efforts and measures will be effective or that attempted cybersecurity incidents or disruptions would not be successful or damaging. See Item 1A. Risk Factors - The occurrence of cyber incidents, or a deficiency in our cyber security, could negatively impact our business by causing a disruption to our operations, a compromise or corruption of our confidential information, and/or damage to our business relationships, all of which could negatively impact our financial results.


Company Information

Name: W. P. Carey Inc.
CIK: 0001025378
SIC Description: Real Estate Investment Trusts
Ticker: WPC - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30