Page last updated on March 5, 2025
Orion Office REIT Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-05 16:20:59 EST.
Filings
10-K filed on 2025-03-05
Orion Office REIT Inc. filed a 10-K at 2025-03-05 16:20:59 EST
Accession Number: 0001873923-25-000032
Item 1C. Cybersecurity.
Our Board of Directors is responsible for the Company’s cyber risk oversight. We have established a risk committee (the “Risk Committee”) comprised of members of senior management whose responsibilities include identifying, assessing, and managing enterprise-level and material risks to the Company, including strategic, financial, credit, market, liquidity, security, property, information technology (“IT”), cyber, legal, regulatory, and reputational risks. As described in greater detail below, the Risk Committee also assesses and makes the final determination as to whether a cybersecurity incident is material.
The Risk Committee is comprised of members of our senior management, who have managed and overseen cybersecurity risk at numerous public companies. Our Vice President and Head of IT leads our operational oversight of cybersecurity and IT strategy, policy, standards and processes. He has served in this role since our inception in November 2021 and has more than 16 years of experience overseeing cybersecurity strategy, cybersecurity and technology risk management, engineering of security technology, overseeing managed security service providers and IT governance at other publicly traded companies and holds industry-standard certifications with respect to cybersecurity risk management.
Company management, including members of the Risk Committee, provides regular updates to the Board of Directors regarding material matters with respect to the Company, including cyber matters. These updates include quarterly updates to the board with respect to material cyber events and a twice per annum cybersecurity program review covering topics such as cybersecurity strategy, assessment, risks, notable events and governance. We also conduct an annual enterprise risk assessment through which it identifies and assesses material risks to the Company, including both cyber and non-cyber risks. This assessment is reviewed and discussed with the Board of Directors.
We have developed policies and procedures with regard to cyber incident responses which policies and procedures are based on key components of the National Institute of Standards and Technology Cybersecurity Framework, together with other best practices. Since completion of the Separation and the Distribution, we have not had any risks of cybersecurity threats or cybersecurity incidents that have materially affected or, to our knowledge, are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. However, if such a material cybersecurity incident is identified or were to occur, Company management would report it to the Board of Directors immediately.
Our IT department is responsible for day-to-day management of potential cybersecurity risks. As part of its management of cybersecurity risks, the IT department conducts regular cybersecurity training of our employees, which includes an annual training given to all employees and internal contractors, targeted trainings for employees and internal contractors with specific roles within the Company and simulated cyber threats, including phishing exercises that spoof common and novel tactics used by threat actors. The IT department, through our head of IT, provides regular updates and reports to our executive officers and the Risk Committee regarding cybersecurity threats, risks from such threats, strategies and recommendations to mitigate risk from such threats, cybersecurity incidents that have occurred, industry updates, and policy and process recommendations. Our executive officers and the Risk Committee provide guidance and approval of such items to ensure that such risks are mitigated and in line with our overall risk management systems and processes.
If our IT department identifies a cybersecurity incident, the IT department assesses such incident and its materiality. If the IT department makes a preliminary determination that a cybersecurity incident may be material, the IT department brings the incident to the attention of the Risk Committee. The Risk Committee then continues its assessment and makes the final determination whether the cybersecurity incident is material. The IT department, the Risk Committee, and any necessary third parties, including managed security service providers, forensic investigators, and internal auditors, collaborate in the response and management with respect to cyber incidents.
We utilize an independent external firm that provides services to detect cybersecurity risks and makes recommendations to us regarding ways the Company can better protect itself from threats and improve internal processes based on cyber threats and risks that are impacting other companies. Additionally, as part of its processes for assessing, identifying and managing risks from cybersecurity threats, we intend to periodically conduct maturity and other external cybersecurity assessments to evaluate its cybersecurity maturity and enhance its cybersecurity capabilities. Our internal auditors also perform annual inquiries and risk assessments into cybersecurity practices and potential incidents.
We have processes to oversee and identify material risks from cybersecurity threats associated with its use of third-party service providers. Such processes include evaluating service providers to ensure coverage of key cybersecurity risks have appropriate mitigations. We also monitor for threats impacting key service providers and assesses identified threats for potential impacts to services, data, and systems.
Company Information
Name | Orion Office REIT Inc. |
CIK | 0001873923 |
SIC Description | Real Estate Investment Trusts |
Ticker | ONL - NYSE |
Category | Emerging growth company |
Fiscal Year End | December 30 |