Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities and test those systems pursuant to our cybersecurity policies and procedures, which are integrated into the Company’s overall risk management framework. To protect our information systems from cybersecurity threats, we use various security tools that help us identify, escalate, investigate, resolve, and recover from security incidents in a timely manner.
We partner with third parties to implement and assess the effectiveness of our cybersecurity prevention and response systems and processes. We have a Managed Service Provider (MSP) and Managed Security Services Provider (MSSP) that provide 24 x 7 x 365 Network Operations Center and Security Operations Center (SOC) and work with our information technology (IT) team to employ a variety of monitoring technologies to detect and be alerted to potential cyber threats, as well as establish and implement procedures for the mitigation and remediation of any cybersecurity incidents. We conduct an annual penetration test, regular phishing tests, and annual cybersecurity training for our employees.
Additionally, the management team of the Company has developed a cyber incident response plan to deploy in the event of a cyber threat. This plan is reviewed and updated at least annually and tested from time to time through tabletop exercises involving management and other key personnel, and may also include participation from ESRT's Board and outside experts. As part of regular business continuity planning, department heads are required to consider key technology systems used by their respective teams and the impact to the Company and other stakeholders in the event that such systems become compromised or unavailable. Additionally, we monitor and identify cybersecurity risks posed by third-party vendors who provide software and/or hardware to the Company or otherwise have access to our Company systems and have a cyber review process that is part of vendor onboarding.
To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and we believe are not reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. Refer to the risk factor captioned “Cyberattacks and any failure to comply with related laws could negatively impact us.” in Part I, ITEM 1A. “Risk Factors” for additional description of cybersecurity risks and potential related impacts on the Company.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities and test those systems pursuant to our cybersecurity policies and procedures, which are integrated into the Company’s overall risk management framework. To protect our information systems from cybersecurity threats, we use various security tools that help us identify, escalate, investigate, resolve, and recover from security incidents in a timely manner.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] ESRT's Board of Directors oversees our risk management process, including with respect to cybersecurity risks, directly and through its committees. The Audit Committee of ESRT's Board oversees our risk management program, which focuses on the most significant risks we face in the short-, intermediate-, and long-term timeframe. Audit Committee meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity, and reports on our enterprise risk profile on a quarterly basis.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee of ESRT's Board oversees our risk management program, which focuses on the most significant risks we face in the short-, intermediate-, and long-term timeframe. Audit Committee meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity, and reports on our enterprise risk profile on a quarterly basis.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Chief Technology Officer (CTO) is responsible for leading the assessment and management of cybersecurity risks, oversees teams across the Company supporting our cybersecurity policies and procedures around prevention, detection, mitigation and remediation of cybersecurity incidents, and reports at least quarterly to the Audit Committee on cybersecurity strategy and risks.
Cybersecurity Risk Role of Management [Text Block] Our Chief Technology Officer (CTO) is responsible for leading the assessment and management of cybersecurity risks, oversees teams across the Company supporting our cybersecurity policies and procedures around prevention, detection, mitigation and remediation of cybersecurity incidents, and reports at least quarterly to the Audit Committee on cybersecurity strategy and risks.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Chief Technology Officer (CTO) is responsible for leading the assessment and management of cybersecurity risks, oversees teams across the Company supporting our cybersecurity policies and procedures around prevention, detection, mitigation and remediation of cybersecurity incidents, and reports at least quarterly to the Audit Committee on cybersecurity strategy and risks.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CTO has over 25 years of experience in cybersecurity and information technology, is the Chair of the Real Estate Board of Cyber Committee, a Board Member of the Real Estate Cyber Consortium and is a Board Member of the Global Cyber Consortium.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our Chief Technology Officer (CTO) is responsible for leading the assessment and management of cybersecurity risks, oversees teams across the Company supporting our cybersecurity policies and procedures around prevention, detection, mitigation and remediation of cybersecurity incidents, and reports at least quarterly to the Audit Committee on cybersecurity strategy and risks.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true