ASHFORD HOSPITALITY TRUST INC 10-K Cybersecurity GRC - 2025-03-21

Page last updated on March 21, 2025

ASHFORD HOSPITALITY TRUST INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-21 16:27:37 EDT.

Filings

10-K filed on 2025-03-21

ASHFORD HOSPITALITY TRUST INC filed a 10-K at 2025-03-21 16:27:37 EDT
Accession Number: 0001232582-25-000055

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy. The Company relies on Ashford Inc. and the Company’s managers to protect the electronic assets of the Company. Their programs consist of various processes designed to ensure that the Company and its electronic assets are shielded from cyber events that may compromise the Company’s ability to successfully execute its business on a day-to-day basis. These processes cover areas such as, but not limited to, risk management, access control, anti-virus management, electronic communication, risk/security reporting, incident response planning and business continuity planning. The information technology department of Remington Hospitality (“IT Department”), which includes a cybersecurity department (“IT Security Department”), is responsible for implementing processes and coordinating with the Human Resources Department to align training and onboarding efforts of Ashford Inc. and Remington Hospitality employees handling the Company’s electronic assets. Remington Hospitality’s IT Security Department carries out risk management primarily by outsourcing risks to those companies and agencies that specialize in handling such risks and that have the appropriate resources to do so. Additionally, Remington Hospitality’s IT Department assesses and improves the Company’s cybersecurity risk management processes on an annual basis by: (i) engaging consultants to complete a benchmarking evaluation to compare its cybersecurity posture against peers; and (ii) engaging a cybersecurity risk readiness and response company to conduct vulnerability and penetration testing, which produces a report that specifies any possible risk area and devices. Such report is presented to the IT Department for analysis and for the purpose of developing subsequent action plans to remediate any vulnerabilities. As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial conditions, except as otherwise noted. Governance. Management , provided by Ashford Inc., is ultimately responsible for assessing and managing the Company’s cybersecurity risk. The information security program is overseen by the Chief Financial Officer of Ashford Inc. and the Chief Technology Officer for Remington Hospitality. A Cyber Incident Response Team comprised of Ashford Inc. and Remington Hospitality employees meets bi-weekly to review incidents that have occurred and/or impacted the Company’s electronic assets. The Chief Technology Officer of Remington Hospitality reviews weekly reports that contain an overview of the activity in the department, any United States Computer Emergency Readiness Team alerts processed and all findings from the preventative maintenance tools. The Chief Technology Officer provides such report to the Chief Financial Officer on a quarterly basis. The Audit Committee of the board of directors is then briefed each quarter on the occurrence of any cybersecurity incidents. The board of directors will also be provided an overview of the information security program on an annual basis, including updates on Remington Hospitality’s IT team, IT training, implementation, IT controls, cybersecurity testing, the incident response process and the cybersecurity assets of the Company. 40

Company Information