JLL Income Property Trust, Inc. 10-K Cybersecurity GRC - 2025-03-14

Page last updated on March 14, 2025

JLL Income Property Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 13:13:36 EDT.

Filings

10-K filed on 2025-03-14

JLL Income Property Trust, Inc. filed a 10-K at 2025-03-14 13:13:36 EDT
Accession Number: 0001314152-25-000031

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. To respond to the threat of security breaches and cyberattacks, we rely on a cybersecurity program developed by our Sponsor and Advisor, the implementation of which is led by our Sponsor’s and Advisor’s Global Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”). The cybersecurity program is designed to protect and preserve the confidentiality, integrity and continued availability of all information and systems owned by them, or in their care. Our board of directors has oversight of cybersecurity risk, as indicated in the Company’s proxy statement disclosure. Cybersecurity is reviewed as part of our and our Sponsor’s and Advisor’s overall enterprise risk management program. These are led by our management, our Sponsor’s Director of Enterprise Risk Management and our Advisor’s Global General Counsel, respectively and assess our significant enterprise risks, provide a summary of those risks and primary mitigations, and identify control improvement projects for our significant risks. The progress of control improvement projects for our Sponsor and Advisor risks are regularly reported to our management and on our risks to our board of directors. Our Sponsor’s Director of Enterprise Risk Management regularly meets with their CISO and CIO to assess cybersecurity risks, cybersecurity program mitigants, and status of control improvement projects and our management and other employees of our Advisor regularly meet and communicate with our Sponsor’s Director of Enterprise Risk Management, CISO and CIO. Like other companies with a large technology footprint and high-profile client base, our Sponsor and Advisor are regularly subject to cyberattacks. While certain attacks have been successful, thus far none have had a material impact to our operations. In the future, it is possible such attacks could be successful and have a material impact on our operations. Our Sponsor’s and Advisor’s cybersecurity program strategy is to implement layered controls to reduce their and our cybersecurity risk by minimizing both the likelihood and potential impact of cybersecurity events. These controls are aligned with the National Institute of Standards and Technology cybersecurity framework. Our Sponsor’s CISO leads our cybersecurity program. Their CISO holds advanced qualifications and has extensive experience in cybersecurity. Their CISO leads a global team of cybersecurity professionals with relevant prior employment experience at global financial services firms, leading technology companies, cybersecurity providers, the government and the military, some of whom are dedicated to our Advisor. Their CISO reports to their CIO who is responsible for their and our technology, data and information management strategy, and brings over two decades of relevant experience to the role. Our Sponsor engages third-party consultants for assessing, identifying and managing material cybersecurity risks, including those associated with certain third-party providers. We and our Sponsor maintain a cyber incident response plan and regularly conduct simulations and tabletop exercises. We established a cyber incident management team that consists of our Sponsor’s CIO, CISO, CFO, CLO and our CEO, CFO, General Counsel and Head of Marketing that is responsible for determining if a cybersecurity incident is material to us and requires disclosure. Although our Sponsor, Advisor, or we have not experienced any material cybersecurity events to date, cybersecurity threats could materially affect our business strategy, results of operations, or financial condition, as further discussed in our “Risk Related to Our General Business Operations and Our Corporate Structure” in Part I, Item 1A of this report. Our business is highly dependent on our ability to collect, use, store and manage organizational data. If any of our significant information and data management systems do not operate properly or are disabled, we could suffer a material disruption of our businesses, loss of investor or other sensitive data, regulatory intervention, breach of confidentiality or other contract provisions, or reputational damage. These systems may fail to operate properly or become disabled as a result of events wholly or partially beyond our control, including disruptions of electrical or communications services, natural disasters, political instability, terrorist attacks, sabotage, computer viruses, deliberate attempts to disrupt our computer systems through “hacking,” “phishing,” or other forms of both deliberate or unintentional cyber-attack. As our Sponsor and Advisor outsource significant portions of their information technology functions to third-party providers, such as cloud computing, we bear the risk of them having less direct control over the security and performance of those systems. Our cybersecurity risk is affected by cyber threats that are proliferating and advancing in their ability to identify and exploit vulnerabilities, requiring continuous evaluation and improvements to our security architecture and cyber defenses. We also face increased cybersecurity risk as our Sponsor and Advisor deploy additional mobile and cloud technologies. They are continuously hardening their infrastructure built on these technologies, monitoring for threats, and evaluating their capability to respond to any incidents to minimize any impact to their systems, data, or business operations, including those that impact us. Because our Sponsor services clients across multiple industry verticals ̶̶ many of which are higher-profile cyber targets themselves ̶ including financial services, technology, government institutions, healthcare and life sciences, this also may increase the risk that they and we are subject to cyber-attack incidents. As noted above, our Sponsor, Advisor and we have experienced various types of cyber-attack incidents which thus far have been contained and not material to us. Our Sponsor and Advisor continue to implement new controls, governance, technical protections and other procedures to mitigate against the risks of a cybersecurity event. Our Sponsor also maintains a cyber risk insurance policy that provides coverage to us but the costs related to cybersecurity threats or disruptions may not be fully insured. We may incur substantial costs and suffer other negative consequences such as liability, reputational harm and significant remediation costs and experience material harm to our business and financial results if we, our Sponsor, Advisor or other vendors or suppliers we engage, fall victim to other successful cyberattacks. Our Advisor’s management and our board of directors provide significant oversight of risks, including those from cybersecurity threats, and are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents applicable to us. Our board of directors receives at least annual reports from our Sponsor’s CISO and other members of our Advisor’s management on our information security program including top cybersecurity risks, cybersecurity strategy, information system controls and related security measures and improvements, cyber incident response plan, cyber incidents and cyber defense metrics, and cyber security protocols and trainings. Our Sponsor maintains a cyber risk insurance policy, but costs related to cybersecurity threats or disruptions may not be fully insured. We acknowledge that successful cyberattacks could result in substantial costs, liability, reputational harm, and significant remediation expenses.

Company Information