CTO Realty Growth, Inc. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

CTO Realty Growth, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:45:34 EST.

Filings

10-K filed on 2025-02-20

CTO Realty Growth, Inc. filed a 10-K at 2025-02-20 16:45:34 EST
Accession Number: 0001558370-25-001229


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

The Board recognizes the critical importance of maintaining the trust and confidence of our tenants and business partners. The Board plays an active role in overseeing management of our risks, and cybersecurity represents an important component of the Company’s overall approach to risk management and oversight. The Company’s cybersecurity processes and practices are integrated into our risk management and oversight program. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

We utilize a third-party managed IT service provider (the “MSP”) to provide comprehensive cybersecurity services for the Company, including threat detection and response, vulnerability assessment and monitoring, security incident response and recovery, and cybersecurity education and awareness. The Company has adopted a written information security incident response plan, which, as discussed below, is overseen by the Audit Committee of the Board (the “Audit Committee”).

Risk Management and Strategy

The Company’s cybersecurity program is focused on the following key areas:

● Governance: As discussed in more detail under “Item 1C. Cybersecurity-Governance,” the Board’s oversight of cybersecurity risk management is supported by the Audit Committee, which regularly interacts with the Company’s management team.
● Collaborative Approach: CTO has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management, the Audit Committee, and the Board in a timely manner.
● Technical Safeguards: Together with the MSP, we deploy technical safeguards that are designed to protect information systems from cybersecurity threats, including firewalls, intrusion prevention systems, endpoint detection and response systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
● Incident Response and Recovery Planning: Together with the MSP, we have established a written information security incident response plan that addresses the response to a cybersecurity incident, which is tested and evaluated on a regular basis.
● Third-Party Risk Management: Together with the MSP, we maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact the Company’s business in the event of a cybersecurity incident affecting those third-party systems.
● Education and Awareness: As directed by the Company, the MSP provides regular training for Company personnel regarding cybersecurity threats as a means to equip such personnel with effective tools to address cybersecurity threats, and to communicate evolving information security policies, standards, processes and practices.

Together with the MSP, we engage in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The MSP regularly assesses our cybersecurity measures, including information security maturity, and regularly reviews our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Audit Committee and the Board, and we will adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

Governance

The Board, in coordination with the Audit Committee, oversees the Company’s cybersecurity risk management process. The Audit Committee has adopted a charter that provides that the Audit Committee must review and discuss with the Company’s management team the Company’s privacy and cybersecurity risk exposures, including:

● the potential impact of those exposures on the Company’s business, financial results, operations and reputation;
● the steps management has taken to monitor and mitigate such exposures;
● the Company’s information governance policies and programs; and
● major legislative and regulatory developments that could materially impact the Company’s privacy and cybersecurity risk exposure.

The charter of the Audit Committee also provides that the Audit Committee may receive additional training in cybersecurity and data privacy matters to enable its oversight of such risks and that the Audit Committee will regularly report to the Board the substance of such reviews and discussions and, as necessary, recommend to the Board such actions as the Audit Committee deems appropriate.

Our Senior Vice President, Chief Financial Officer and Treasurer, Senior Vice President, General Counsel and Corporate Secretary, and Senior Vice President and Chief Accounting Officer work collaboratively with the MSP to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with a written information security incident response plan that we have adopted. These members of our management team, together with the MSP, monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and will report such threats and incidents to the Audit Committee when appropriate.

Our Senior Vice President, Chief Financial Officer and Treasurer, Senior Vice President, General Counsel and Corporate Secretary, and Senior Vice President and Chief Accounting Officer each hold degrees in their respective fields, and have approximately 20 years or more of experience managing risks at the Company and similar companies, including risks arising from cybersecurity threats.

Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to affect the Company, including its business strategy, results of operations or financial condition.


Company Information

Name: CTO Realty Growth, Inc.
CIK: 0000023795
SIC Description: Real Estate Investment Trusts
Ticker: CTO - NYSE; CTO-PA - NYSE
Website
Category: Accelerated filer
Fiscal Year End: December 30