|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We have identified cybersecurity risk as one of our key enterprise risks. One of our Co-Presidents is responsible for managing cybersecurity risk. He develops mitigation strategies and implements controls to reduce the likelihood of a cybersecurity incident occurring and to reduce the impact of such an incident should it occur. At least annually, he reports on this risk and related mitigation work to the Audit Committee of our board of trustees, which is the committee that has primary responsibility for overseeing our enterprise risk management program and is composed solely of independent trustees. The Audit Committee reviews and discusses all of our key enterprise risks, including cybersecurity risk, and the enterprise risk management program itself. The chair of the Audit Committee may, at his discretion, report to the Chairman of the Board or the full board of trustees regarding any aspect of the program or risks.
As of December 31, 2024, no risk from cybersecurity threats, including as a result of any previous cybersecurity incident, has materially affected our business, results of operations or financial condition. Although we have invested in the protection of our data and information systems and the monitoring of our systems on an ongoing basis, such efforts may not in the future prevent material compromises to our information systems, including those that could have a material adverse effect on our business. We maintain cybersecurity insurance coverage to mitigate our financial exposure to certain incidents, and we consult with external advisors regarding opportunities and enhancements to strengthen our policies and practices.
We have elected to outsource our information technology function to a third-party managed service provider, ("MSP") that specializes in fully managed information technology services and fully managed cybersecurity. The MSP is responsible for managing all of our hosted services, all of the computer and computer-related hardware and software we use, and all onsite and offsite backups. The MSP also provides managed security services designed to prevent cybersecurity threats, to identify and remediate vulnerabilities, to monitor systems 24/7, to protect data and systems, to detect potential intrusions and cybersecurity incidents, to quarantine systems should they be compromised, and to recover from business interruptions or other disasters. The MSP follows the NIST Cybersecurity Framework, developed by the National Institute of Standards and Technology of the U.S. Department of Commerce, to measure the maturity of the services it provides to us and its other clients.
The MSP and we developed a cybersecurity incident response plan that sets forth roles and responsibilities for the identification, assessment, triage, communication and resolution of cybersecurity incidents.
In addition, the MSP performs facility and system penetration tests, compromise assessments and security maturity assessments of our corporate and operational networks. In collaboration with the MSP, we maintain a comprehensive cybersecurity training program to help our personnel identify and assist in mitigating cybersecurity risks. Our executive officers and employees participate in annual training with additional issue-specific training as needed.
While we have control, through our contract with the MSP, over our information systems, we do not have control over the information systems of our hotel managers, which are the third-party operators of our hotels and resorts, or of our franchisors. We set clear expectations of our hotel managers and franchisors regarding cybersecurity, but we rely on our hotel managers and franchisors for managing their cybersecurity risk. We conduct surveys of our hotel managers and franchisors to assess their cybersecurity risk management programs and procedures, to identify gaps and request remediation and to understand our risk exposure. Many of our hotel managers and franchisors carry cyber insurance policies to protect and offset a portion of potential costs incurred from a security breach. Additionally, we currently have cyber insurance policies to provide supplemental coverage above the coverage carried by our hotel managers and franchisors.
For additional information about cybersecurity risk, see “Item 1A. Risk Factors—Our hotel managers and we rely on information technology in our operations, and any material failure, inadequacy, interruption or security failure of that technology could harm our business.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have identified cybersecurity risk as one of our key enterprise risks. One of our Co-Presidents is responsible for managing cybersecurity risk. He develops mitigation strategies and implements controls to reduce the likelihood of a cybersecurity incident occurring and to reduce the impact of such an incident should it occur.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|At least annually, he reports on this risk and related mitigation work to the Audit Committee of our board of trustees, which is the committee that has primary responsibility for overseeing our enterprise risk management program and is composed solely of independent trustees. The Audit Committee reviews and discusses all of our key enterprise risks, including cybersecurity risk, and the enterprise risk management program itself. The chair of the Audit Committee may, at his discretion, report to the Chairman of the Board or the full board of trustees regarding any aspect of the program or risks.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|At least annually, he reports on this risk and related mitigation work to the Audit Committee of our board of trustees, which is the committee that has primary responsibility for overseeing our enterprise risk management program and is composed solely of independent trustees.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee reviews and discusses all of our key enterprise risks, including cybersecurity risk, and the enterprise risk management program itself.
|Cybersecurity Risk Role of Management [Text Block]
|
We have identified cybersecurity risk as one of our key enterprise risks. One of our Co-Presidents is responsible for managing cybersecurity risk. He develops mitigation strategies and implements controls to reduce the likelihood of a cybersecurity incident occurring and to reduce the impact of such an incident should it occur. At least annually, he reports on this risk and related mitigation work to the Audit Committee of our board of trustees, which is the committee that has primary responsibility for overseeing our enterprise risk management program and is composed solely of independent trustees. The Audit Committee reviews and discusses all of our key enterprise risks, including cybersecurity risk, and the enterprise risk management program itself. The chair of the Audit Committee may, at his discretion, report to the Chairman of the Board or the full board of trustees regarding any aspect of the program or risks.
As of December 31, 2024, no risk from cybersecurity threats, including as a result of any previous cybersecurity incident, has materially affected our business, results of operations or financial condition. Although we have invested in the protection of our data and information systems and the monitoring of our systems on an ongoing basis, such efforts may not in the future prevent material compromises to our information systems, including those that could have a material adverse effect on our business. We maintain cybersecurity insurance coverage to mitigate our financial exposure to certain incidents, and we consult with external advisors regarding opportunities and enhancements to strengthen our policies and practices.
We have elected to outsource our information technology function to a third-party managed service provider, ("MSP") that specializes in fully managed information technology services and fully managed cybersecurity. The MSP is responsible for managing all of our hosted services, all of the computer and computer-related hardware and software we use, and all onsite and offsite backups. The MSP also provides managed security services designed to prevent cybersecurity threats, to identify and remediate vulnerabilities, to monitor systems 24/7, to protect data and systems, to detect potential intrusions and cybersecurity incidents, to quarantine systems should they be compromised, and to recover from business interruptions or other disasters. The MSP follows the NIST Cybersecurity Framework, developed by the National Institute of Standards and Technology of the U.S. Department of Commerce, to measure the maturity of the services it provides to us and its other clients.
The MSP and we developed a cybersecurity incident response plan that sets forth roles and responsibilities for the identification, assessment, triage, communication and resolution of cybersecurity incidents.
In addition, the MSP performs facility and system penetration tests, compromise assessments and security maturity assessments of our corporate and operational networks. In collaboration with the MSP, we maintain a comprehensive cybersecurity training program to help our personnel identify and assist in mitigating cybersecurity risks. Our executive officers and employees participate in annual training with additional issue-specific training as needed.
While we have control, through our contract with the MSP, over our information systems, we do not have control over the information systems of our hotel managers, which are the third-party operators of our hotels and resorts, or of our franchisors. We set clear expectations of our hotel managers and franchisors regarding cybersecurity, but we rely on our hotel managers and franchisors for managing their cybersecurity risk. We conduct surveys of our hotel managers and franchisors to assess their cybersecurity risk management programs and procedures, to identify gaps and request remediation and to understand our risk exposure. Many of our hotel managers and franchisors carry cyber insurance policies to protect and offset a portion of potential costs incurred from a security breach. Additionally, we currently have cyber insurance policies to provide supplemental coverage above the coverage carried by our hotel managers and franchisors.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|One of our Co-Presidents is responsible for managing cybersecurity risk. He develops mitigation strategies and implements controls to reduce the likelihood of a cybersecurity incident occurring and to reduce the impact of such an incident should it occur.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our executive officers and employees participate in annual training with additional issue-specific training as needed.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
We have elected to outsource our information technology function to a third-party managed service provider, ("MSP") that specializes in fully managed information technology services and fully managed cybersecurity. The MSP is responsible for managing all of our hosted services, all of the computer and computer-related hardware and software we use, and all onsite and offsite backups. The MSP also provides managed security services designed to prevent cybersecurity threats, to identify and remediate vulnerabilities, to monitor systems 24/7, to protect data and systems, to detect potential intrusions and cybersecurity incidents, to quarantine systems should they be compromised, and to recover from business interruptions or other disasters. The MSP follows the NIST Cybersecurity Framework, developed by the National Institute of Standards and Technology of the U.S. Department of Commerce, to measure the maturity of the services it provides to us and its other clients.
The MSP and we developed a cybersecurity incident response plan that sets forth roles and responsibilities for the identification, assessment, triage, communication and resolution of cybersecurity incidents.In addition, the MSP performs facility and system penetration tests, compromise assessments and security maturity assessments of our corporate and operational networks. In collaboration with the MSP, we maintain a comprehensive cybersecurity training program to help our personnel identify and assist in mitigating cybersecurity risks. Our executive officers and employees participate in annual training with additional issue-specific training as needed
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef