XML 43 R29.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We are committed to properly addressing the cybersecurity threats we face, and we have processes to assess, identify, and manage material risks from cybersecurity threats. We apply a comprehensive approach to the mitigation of cybersecurity risks. The risk of cybersecurity threats is integrated into our overall risk management program, which includes an annual risk prioritization process to identify key enterprise-level risks. The cybersecurity threat risk action plan is managed by a dedicated information technology ("IT") committee (the "IT Committee"), which oversees our cybersecurity program. The IT Committee comprises senior company leaders as well as our outsourced IT services provider. To oversee and identify cybersecurity threat risks on a day-to-day basis, we maintain a security operations center with round-the-clock monitoring. We have established
policies, including those related to privacy, information security and cybersecurity, and we employ a broad and diversified set of mitigation strategies and techniques to reduce cybersecurity risks, including continuous monitoring, early detection tools, proactive vulnerability management, and remediation. Our information security policies are modeled against the National Institute of Standards and Technology’s Cybersecurity Standards and incorporate concepts from the Zero Trust Framework.
Given the ever-changing cybersecurity landscape, our IT Committee regularly meets to identify opportunities for incremental improvements, assess additional layers of security, and evaluate new technologies for implementation. In addition, we engage, as necessary, cybersecurity experts to analyze our IT policies, procedures, and infrastructure to assess their effectiveness and to identify opportunities for improvement.
We conduct an annual information security compliance training for all employees to enable them to detect and report malware, ransomware, and other malicious software and social engineering attempts that may compromise our IT systems. Employees also are subject to spear-phishing training campaigns, which allow us to assess the effectiveness of our training programs.
Our management companies are ultimately responsible for our guests' information, and we monitor these companies, as well as other third-party service providers, to ensure that they are complying with our privacy, information security and cybersecurity policies. We also assess the cybersecurity proficiency of potential third-party cloud suppliers before utilizing their services.
We work closely with our internal and external auditors to assess, identify and manage cybersecurity risks. Our IT internal controls are audited by our external auditor as part of our Sarbanes-Oxley Act compliance activities, and this process includes assessing the design and operating effectiveness of those controls.
Any failure to maintain proper function, security and availability of our information technology networks and systems could interrupt our operations, our financial reporting and compliance, damage our reputation, and subject us to liability claims or regulatory penalties, which could have a material and adverse effect on our business, financial condition and results of operations. Management has not identified cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. See “Item 1A. Risk Factors” above for more information.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We are committed to properly addressing the cybersecurity threats we face, and we have processes to assess, identify, and manage material risks from cybersecurity threats. We apply a comprehensive approach to the mitigation of cybersecurity risks. The risk of cybersecurity threats is integrated into our overall risk management program, which includes an annual risk prioritization process to identify key enterprise-level risks. The cybersecurity threat risk action plan is managed by a dedicated information technology ("IT") committee (the "IT Committee"), which oversees our cybersecurity program. The IT Committee comprises senior company leaders as well as our outsourced IT services provider. To oversee and identify cybersecurity threat risks on a day-to-day basis, we maintain a security operations center with round-the-clock monitoring. We have established
policies, including those related to privacy, information security and cybersecurity, and we employ a broad and diversified set of mitigation strategies and techniques to reduce cybersecurity risks, including continuous monitoring, early detection tools, proactive vulnerability management, and remediation. Our information security policies are modeled against the National Institute of Standards and Technology’s Cybersecurity Standards and incorporate concepts from the Zero Trust Framework.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our board of trustees is responsible for overseeing the assessment and management of enterprise-level risks that may impact us, including cybersecurity. Two board members have information security expertise from their professional experience. Nathaniel A. Davis has expertise in information technology and experience reviewing and addressing cybersecurity risks. Patricia L. Gibson also has experience assessing and addressing cybersecurity risks through her past professional experience.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Audit Committee has primary responsibility for the oversight of risks from cybersecurity threats.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Management, including members of the IT Committee, reports at least annually to the Audit Committee regarding cybersecurity risks and mitigation strategies. We consider each member of our Audit Committee to possess information security experience by way of their oversight responsibilities over this area.
Cybersecurity Risk Role of Management [Text Block] Management, including members of the IT Committee, reports at least annually to the Audit Committee regarding cybersecurity risks and mitigation strategies.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
Our board of trustees is responsible for overseeing the assessment and management of enterprise-level risks that may impact us, including cybersecurity. Two board members have information security expertise from their professional experience. Nathaniel A. Davis has expertise in information technology and experience reviewing and addressing cybersecurity risks. Patricia L. Gibson also has experience assessing and addressing cybersecurity risks through her past professional experience.
Our Audit Committee has primary responsibility for the oversight of risks from cybersecurity threats. Management, including members of the IT Committee, reports at least annually to the Audit Committee regarding cybersecurity risks and mitigation strategies. We consider each member of our Audit Committee to possess information security experience by way of their oversight responsibilities over this area.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Two board members have information security expertise from their professional experience. Nathaniel A. Davis has expertise in information technology and experience reviewing and addressing cybersecurity risks. Patricia L. Gibson also has experience assessing and addressing cybersecurity risks through her past professional experience.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Management, including members of the IT Committee, reports at least annually to the Audit Committee regarding cybersecurity risks and mitigation strategies.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true