Page last updated on February 27, 2025
STARWOOD PROPERTY TRUST, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 06:52:41 EST.
Filings
10-K filed on 2025-02-27
STARWOOD PROPERTY TRUST, INC. filed a 10-K at 2025-02-27 06:52:41 EST
Accession Number: 0001628280-25-008420
Item 1C. Cybersecurity.
Item 1C-“Cybersecurity” in this Form 10-K for a discussion of how we address these cybersecurity risks.
We are subject to risks from natural disasters such as earthquakes, wildfires and severe weather, including as the result of global climate changes, which may result in damage to our properties.
Natural disasters and severe weather such as earthquakes, tornadoes, hurricanes, wildfires, droughts or floods may result in significant damage to the properties securing our loans or in which we invest. In addition, our investments may be exposed to new or increased risks and liabilities associated with global climate change, such as increased frequency or intensity of adverse weather and natural disasters, as well as increased unavailability or costs of insurance, any of which could negatively impact our and our borrowers’ businesses and the value of the properties securing our loans or in which we invest. The extent of our or our borrowers’ casualty losses and loss in operating income in connection with such events is a function of the severity of the event and the total amount of exposure in the affected area. When we have geographic concentration of exposures, a single catastrophe (such as an earthquake) or destructive weather event (such as a hurricane) affecting a region may have a significant negative effect on our financial condition and results of operations. We may be materially and adversely affected by our exposure to losses arising from natural disasters or severe weather, including those associated with global climate change. In addition, global climate change concerns could result in additional legislation and regulatory requirements, including those associated with the transition to a low-carbon economy, which could increase expenses or otherwise adversely impact our business, results of operations and financial condition, or the business, results of operations and financial condition of our borrowers.
The market price and trading volume of our common stock could be volatile and the market price of our common stock could decline, resulting in a substantial or complete loss of your investment.
The stock markets, including the New York Stock Exchange (the “NYSE”), which is the exchange on which our common stock is listed, have experienced significant price and volume fluctuations. In the past, overall weakness in the economy and other factors have contributed to extreme volatility of the equity markets generally, including the market price of our common stock. As a result, the market price of our common stock has been and may continue to be volatile, and investors in our common stock may experience a decrease in the value of their shares, including decreases unrelated to our operating performance or prospects. Some of the factors that could negatively affect our stock price or result in fluctuations in the price or trading volume of our common stock include:
- our actual or projected operating results, financial condition, cash flows and liquidity, or changes in business strategy or prospects;
- actual or perceived conflicts of interest with our Manager or Starwood Capital Group and individuals, including our executives;
- equity issuances by us or share resales by our stockholders, or the perception that such issuances or resales may occur;
- actual or anticipated accounting problems;
- publication of research reports about us or the real estate industry;
- changes in market valuations of similar companies;
- adverse market reaction to the level of leverage we employ;
- additions to or departures of our Manager’s or Starwood Capital Group’s key personnel;
- speculation in the press or investment community;
- our failure to meet, or the lowering of, our earnings estimates or those of any securities analysts;
- increases in market interest rates, which may lead investors to demand a higher distribution yield for our common stock and would result in increased interest expenses on our debt;
- failure to maintain our REIT qualification;
- uncertainty regarding our exemption from the Investment Company Act;
- price and volume fluctuations in the stock market generally; and
- general market and economic conditions, including the current state of the credit and capital markets.
In the past, securities class action litigation has often been instituted against companies following periods of volatility in their share price. This type of litigation could result in substantial costs and divert our attention and resources.
There may be future dilution of our common stock as a result of additional issuances of our securities, which could adversely impact our stock price.
Our board of directors is authorized under our charter to, among other things, authorize the issuance of additional shares of our common stock or the issuance of shares of preferred stock or additional securities convertible or exchangeable into equity securities, without stockholder approval. Future issuances of our common stock or shares of preferred stock or securities convertible or exchangeable into equity securities may dilute the ownership interest of our existing stockholders. Because our decision to issue additional equity or convertible or exchangeable securities in any future offering will depend on market conditions and other factors beyond our control, we cannot predict or estimate the amount, timing or nature of our future issuances. Additionally, any convertible or exchangeable securities that we issue may have rights, preferences and privileges more favorable than those of our common stock. Also, we cannot predict the effect, if any, of future sales of our common stock, or the availability of shares for future sales, on the market price of our common stock. Sales of substantial amounts of common stock or the perception that such sales could occur may adversely affect the prevailing market price for our common stock.
Item 1B. Unresolved Staff Comments.
None.
Item 1C. Cybersecurity.
We rely on information technology (“IT”) systems, including data hosting facilities and other hardware and software platforms, some of which are hosted by third parties, to assist in conducting our businesses. Our IT systems, like those of most companies, may be vulnerable to certain cybersecurity threats such as ransomware, interruption of services, data breaches, or any other cybersecurity incident that could adversely impact our ability to operate our core business functions. As a real estate finance services firm, we do not maintain a significant level of personally identifiable information data, so our exposure to data breaches is limited. In the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, cash flow or financial condition. However, we have, from time to time, experienced threats to our data and systems, including from malicious software and computer virus attacks. We anticipate we will continue to face similar threats, including attempts for unauthorized access, in the future. We also maintain a cybersecurity insurance policy to mitigate risks associated with cybersecurity incidents, though coverage may not be available or sufficient to cover costs of certain cybersecurity incidents.
Risk Management and Strategy
We consider cybersecurity, along with other top risks, within our enterprise risk management framework. The enterprise risk management framework includes internal reporting at the business and enterprise levels, with consideration of key risk indicators, trends and countermeasures for cybersecurity and other types of significant risks.
We have implemented a robust cybersecurity program that employs various controls and activities aimed at identifying, protecting against, detecting, and responding to cybersecurity threats. These controls, including endpoint and network monitoring, endpoint protection, and network security measures, safeguard our assets from unauthorized access and attacks. We prioritize data protection through data classification and access management designed to permit access only by authorized personnel.
Our cybersecurity incident response plan, integrated into the enterprise risk management framework, outlines a structured process for handling cybersecurity incidents involving assets or data. It guides our cybersecurity incident response team in containing, eradicating, and recovering from incidents while minimizing damage and disruption. The plan includes a clearly defined notification framework for timely communication to relevant parties, that may include our management team, Board of Directors and Audit Committee, based on the incident’s severity and potential impact.
Controls and related activities are designed taking into consideration recognized third party cybersecurity frameworks. We utilize on-premises and cloud-based security solutions, with real-time monitoring provided by specialized managed security services providers. These external managed security service providers collect events generated by critical systems in real-time, filter non-security events, and then correlate the information using security data analytical engines so that personnel can identify and analyze threats.
Annual risk assessments of our Information Security Program are conducted to identify emerging information security and third party risks. In addition, periodic vulnerability assessments and penetration tests are conducted to support the identification of risks.
We also conduct independent audits, including through the use of third-party assessors on both the design and operational effectiveness of security controls and consult with external advisors on best practices to address new challenges.
An external vendor risk management platform is utilized to evaluate, rate, monitor, and track vendor risk pertaining to our critical vendors. The security practices and processes of the service providers are monitored regularly, and periodic assessments may be performed on the service providers’ compliance with cybersecurity terms, based on the service providers’ risk. For any of our hosted applications we by default require the vendor to maintain a System and Organization Controls (“SOC”) 1 or SOC 2 report. If a third party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis. Our assessment of risks associated with the use of third party providers is part of our overall cybersecurity risk management framework.
We also periodically perform simulations and tabletop exercises at a management level and incorporate external resources and advisors as needed.
All employees are required to complete a monthly computer-based Security Awareness Training Program that includes various topics on cybersecurity risk management best practices. This program educates users to identify information security threats and what actions should be taken. Additionally, employees are regularly tested with phishing campaigns reinforcing their awareness of email threats.
Governance
Oversight of cybersecurity is a joint responsibility of our Board of Directors and Audit Committee, with each receiving at least quarterly updates on our cybersecurity program, including measures taken to address cybersecurity risks and significant cybersecurity incidents.
The Board and Audit Committee also may receive updates on topics such as the results of various cybersecurity assessments, third party risk management, and evolving risks. Our Chief Information Officer leads our overall cybersecurity function and is responsible for developing and implementing our information security program and managing our response to threats. In addition to our in-house cybersecurity capabilities, at times we also engage third parties to assist with assessing, identifying, and managing cybersecurity risks. Members of our IT security team, including the third party security firms we utilize as part of our program, have cybersecurity experience or certifications, such as the Certified Information Systems Security Professional certification.
Company Information
Name | STARWOOD PROPERTY TRUST, INC. |
CIK | 0001465128 |
SIC Description | Real Estate Investment Trusts |
Ticker | STWD - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |