XML 65 R38.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity and availability of our critical systems and information. We design and assess our program using
components of the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"). This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Our cybersecurity risk management program is led by our senior vice president of information technology who has over 25 years of information technology experience that includes application development, information technology infrastructure, security, business continuity, and engineering. He holds a master's degree in computer science and a bachelor of engineering in electrical engineering. Our vice president of cybersecurity reports to the senior vice president of information technology and has over 25 years of operations and security experience backed by an undergraduate degree in computer management and various technology and security certifications. Our vice president of cybersecurity is responsible for the day-to-day assessment and management of cybersecurity risk. Our cybersecurity risk management program includes the following key components, which allows the management team to stay informed about and monitor the prevention, detection, mitigation and remediation of key cybersecurity risks and incidents:
implementing technologies to proactively monitor vulnerabilities and reduce risk, maintaining security policies and standards, and regularly updating our response planning and protocols;
maintaining business continuity, contingency and recovery plans, including a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
retaining a third-party cybersecurity provider for emergency incident response services;
annual assessments of our cybersecurity risk management program by a third-party security firm, as well as semi-annual vulnerability assessments and penetration testing by external service providers;
cybersecurity awareness training for employees as well as senior management, including quarterly refresher training; and
annual cybersecurity assessments of certain third-party service providers with access to our employee data.
Our cybersecurity risk management program and processes, as described in this section, do not encompass the information technology systems of our third-party managers. As a REIT, we are required to retain third-party managers to run all operational aspects of our hotels, and our hotel managers are dependent on information technology networks and systems that they procure and manage directly or through their own third-party service providers, to access, process, transmit and store proprietary and hotel customer information. We do not have access to these systems or to hotel customer information, and we rely on the security programs, processes and systems of our managers to protect hotel operations and customer information from cybersecurity threats.
As of February 21, 2025, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. While we have not been materially affected by known cybersecurity threats affecting the Company, we and our hotel managers continue to face risks from cybersecurity threats that, if realized, could materially adversely affect us in the future. For more information on the risks related to cybersecurity threats, including threats faced by our hotel managers, see Part I, Item 1A. "Risk Factors — We face the risk of material data breaches and disruptions of our managers’ or our own information technology systems, or the information technology systems of third parties on which we or our managers rely, which could materially adversely affect our business and results.”
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Our cybersecurity risk management program is led by our senior vice president of information technology who has over 25 years of information technology experience that includes application development, information technology infrastructure, security, business continuity, and engineering. He holds a master's degree in computer science and a bachelor of engineering in electrical engineering. Our vice president of cybersecurity reports to the senior vice president of information technology and has over 25 years of operations and security experience backed by an undergraduate degree in computer management and various technology and security certifications. Our vice president of cybersecurity is responsible for the day-to-day assessment and management of cybersecurity risk. Our cybersecurity risk management program includes the following key components, which allows the management team to stay informed about and monitor the prevention, detection, mitigation and remediation of key cybersecurity risks and incidents:
implementing technologies to proactively monitor vulnerabilities and reduce risk, maintaining security policies and standards, and regularly updating our response planning and protocols;
maintaining business continuity, contingency and recovery plans, including a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
retaining a third-party cybersecurity provider for emergency incident response services;
annual assessments of our cybersecurity risk management program by a third-party security firm, as well as semi-annual vulnerability assessments and penetration testing by external service providers;
cybersecurity awareness training for employees as well as senior management, including quarterly refresher training; and
annual cybersecurity assessments of certain third-party service providers with access to our employee data.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management's implementation of our cybersecurity risk management program. The Audit Committee receives semi-annual updates on topics related to information security and cyber risks and readiness from our management team, including our senior vice president of information technology. Management updates the Audit Committee, as necessary, regarding any
significant cybersecurity incidents. The Audit Committee reports to the full Board regarding its activities, including information security and cybersecurity risks, which are presented to the full Board at least annually as part of the Board's oversight of enterprise risk management.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management's implementation of our cybersecurity risk management program.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee receives semi-annual updates on topics related to information security and cyber risks and readiness from our management team, including our senior vice president of information technology. Management updates the Audit Committee, as necessary, regarding any significant cybersecurity incidents.
Cybersecurity Risk Role of Management [Text Block] Our cybersecurity risk management program is led by our senior vice president of information technology who has over 25 years of information technology experience that includes application development, information technology infrastructure, security, business continuity, and engineering. He holds a master's degree in computer science and a bachelor of engineering in electrical engineering. Our vice president of cybersecurity reports to the senior vice president of information technology and has over 25 years of operations and security experience backed by an undergraduate degree in computer management and various technology and security certifications. Our vice president of cybersecurity is responsible for the day-to-day assessment and management of cybersecurity risk. Our cybersecurity risk management program includes the following key components, which allows the management team to stay informed about and monitor the prevention, detection, mitigation and remediation of key cybersecurity risks and incidents:
implementing technologies to proactively monitor vulnerabilities and reduce risk, maintaining security policies and standards, and regularly updating our response planning and protocols;
maintaining business continuity, contingency and recovery plans, including a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
retaining a third-party cybersecurity provider for emergency incident response services;
annual assessments of our cybersecurity risk management program by a third-party security firm, as well as semi-annual vulnerability assessments and penetration testing by external service providers;
cybersecurity awareness training for employees as well as senior management, including quarterly refresher training; and
annual cybersecurity assessments of certain third-party service providers with access to our employee data.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our cybersecurity risk management program is led by our senior vice president of information technology who has over 25 years of information technology experience that includes application development, information technology infrastructure, security, business continuity, and engineering. He holds a master's degree in computer science and a bachelor of engineering in electrical engineering. Our vice president of cybersecurity reports to the senior vice president of information technology and has over 25 years of operations and security experience backed by an undergraduate degree in computer management and various technology and security certifications. Our vice president of cybersecurity is responsible for the day-to-day assessment and management of cybersecurity risk. Our cybersecurity risk management program includes the following key components, which allows the management team to stay informed about and monitor the prevention, detection, mitigation and remediation of key cybersecurity risks and incidents:
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our cybersecurity risk management program is led by our senior vice president of information technology who has over 25 years of information technology experience that includes application development, information technology infrastructure, security, business continuity, and engineering. He holds a master's degree in computer science and a bachelor of engineering in electrical engineering. Our vice president of cybersecurity reports to the senior vice president of information technology and has over 25 years of operations and security experience backed by an undergraduate degree in computer management and various technology and security certifications. Our vice president of cybersecurity is responsible for the day-to-day assessment and management of cybersecurity risk.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Our cybersecurity risk management program is led by our senior vice president of information technology who has over 25 years of information technology experience that includes application development, information technology infrastructure, security, business continuity, and engineering. He holds a master's degree in computer science and a bachelor of engineering in electrical engineering. Our vice president of cybersecurity reports to the senior vice president of information technology and has over 25 years of operations and security experience backed by an undergraduate degree in computer management and various technology and security certifications. Our vice president of cybersecurity is responsible for the day-to-day assessment and management of cybersecurity risk. Our cybersecurity risk management program includes the following key components, which allows the management team to stay informed about and monitor the prevention, detection, mitigation and remediation of key cybersecurity risks and incidents:
implementing technologies to proactively monitor vulnerabilities and reduce risk, maintaining security policies and standards, and regularly updating our response planning and protocols;
maintaining business continuity, contingency and recovery plans, including a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
retaining a third-party cybersecurity provider for emergency incident response services;
annual assessments of our cybersecurity risk management program by a third-party security firm, as well as semi-annual vulnerability assessments and penetration testing by external service providers;
cybersecurity awareness training for employees as well as senior management, including quarterly refresher training; and
annual cybersecurity assessments of certain third-party service providers with access to our employee data.
Our cybersecurity risk management program and processes, as described in this section, do not encompass the information technology systems of our third-party managers. As a REIT, we are required to retain third-party managers to run all operational aspects of our hotels, and our hotel managers are dependent on information technology networks and systems that they procure and manage directly or through their own third-party service providers, to access, process, transmit and store proprietary and hotel customer information. We do not have access to these systems or to hotel customer information, and we rely on the security programs, processes and systems of our managers to protect hotel operations and customer information from cybersecurity threats.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true