Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

We have engaged a third-party IT and cybersecurity firm to assist in protecting us from cybersecurity threats. Our IT partner has been in business for over 33 years and has a national footprint of 175 offices nationwide. In addition to assessing our own cybersecurity preparedness and as part of our overall cybersecurity risk management framework, we also consider and evaluate cybersecurity risks associated with our use of third-party service providers.

Processes and procedures include:

TPG’s Corporate IT footprint and systems are not used to process guest transactions. Corporate systems do not have connectivity to any hotels.
All IT assets and infrastructure are monitored 24/7/365 through a combination of MDR, SIEM software and a fully staffed 24/7 SOC.
We have continuous monitoring for viruses, intrusions, and malicious activities.
We deploy a sophisticated blend of layered security that protects systems and data that exist or operate within partitioned/segregated networks.
Employee cybersecurity training and phishing email training are required for all employees and are performed monthly to continually enhance awareness and responsiveness.
We do not store any customer data input during the reservation process. The customer reservation systems are specified, implemented, and managed by the global hotel brands.
Each hotel or operating asset within our portfolio is a standalone network. Therefore, if a security breach were to occur at one location, it is fully isolated from other properties or networks.
We deploy stringent email filtering that prohibits incoming messages from insecure email systems (e.g., Gmail, Yahoo, AOL) that are known to carry viruses, spyware, crypto ransom, etc.
We perform regular internal and external penetration tests at the hotel property level.
We have in place a Cybersecurity Incident Response plan that dictates the process for responding to incidents and remediation of events.
We have relationships with third-party business partners to assist with cybersecurity as well as assess their cybersecurity risks.
We utilize Self-Assessments using industry standards and benchmarks to identify cybersecurity incidents and threats that could potentially impact the company.
Our IT internal controls are audited by an external audit firm as part of our Sarbanes-Oxley Act compliance activities, and this process includes assessing the design and operating effectiveness of those controls.

We or our third-party manager currently maintain cybersecurity insurance policies that provide coverage for security incidents. Although the risks we face from cybersecurity threats are many and change daily, in the last three fiscal years, we have not experienced any cybersecurity incidents that have materially affected our operations, strategy, financial positions or operations. In addition, as of the date of this Annual Report, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to affect us, including our business strategy, results of operations and financial condition. However, future incidents could have a material impact on our business strategy, results of operations, or financial condition. For additional discussion of the risks posed by cybersecurity threats, see “Item 1A. Risk Factors — Risks Relating to Our Business — We are increasingly dependent on information technology, and potential cyber-attacks, security problems or other disruption and expanding social media vehicles present new risks.”

Despite the policies and procedures that have been implemented to ensure the integrity of our IT systems, we may not be effective in identifying and mitigating every risk to which we are exposed, especially newly identified vulnerabilities. Furthermore, the hospitality environment requires that the hotels access information in third-party environments that are managed, hosted, and provided by others. As such, the company will have difficulties in anticipating and implementing preventive measures that mitigate the harm should a break occur.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Processes and procedures include:

TPG’s Corporate IT footprint and systems are not used to process guest transactions. Corporate systems do not have connectivity to any hotels.
All IT assets and infrastructure are monitored 24/7/365 through a combination of MDR, SIEM software and a fully staffed 24/7 SOC.
We have continuous monitoring for viruses, intrusions, and malicious activities.
We deploy a sophisticated blend of layered security that protects systems and data that exist or operate within partitioned/segregated networks.
Employee cybersecurity training and phishing email training are required for all employees and are performed monthly to continually enhance awareness and responsiveness.
We do not store any customer data input during the reservation process. The customer reservation systems are specified, implemented, and managed by the global hotel brands.
Each hotel or operating asset within our portfolio is a standalone network. Therefore, if a security breach were to occur at one location, it is fully isolated from other properties or networks.
We deploy stringent email filtering that prohibits incoming messages from insecure email systems (e.g., Gmail, Yahoo, AOL) that are known to carry viruses, spyware, crypto ransom, etc.
We perform regular internal and external penetration tests at the hotel property level.
We have in place a Cybersecurity Incident Response plan that dictates the process for responding to incidents and remediation of events.
We have relationships with third-party business partners to assist with cybersecurity as well as assess their cybersecurity risks.
We utilize Self-Assessments using industry standards and benchmarks to identify cybersecurity incidents and threats that could potentially impact the company.
Our IT internal controls are audited by an external audit firm as part of our Sarbanes-Oxley Act compliance activities, and this process includes assessing the design and operating effectiveness of those controls.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

Our board of directors is responsible for overseeing our policies and practices related to corporate governance including cybersecurity risks as well as challenges to our business from evolving technology systems, such as generative artificial intelligence and machine learning. On a quarterly basis, our board of directors and audit committee receive a report from management on our cybersecurity threat risk management processes and strategies. Outside of quarterly meetings, our board of directors and audit committee are notified following any cybersecurity incident and meet to address and identify the cybersecurity threat’s severity levels. Our board of directors and audit committee also review management’s materiality assessment regarding any cybersecurity incident requiring disclosure to the SEC.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] true
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] On a quarterly basis, our board of directors and audit committee receive a report from management on our cybersecurity threat risk management processes and strategies.
Cybersecurity Risk Role of Management [Text Block]

We have engaged a third-party IT and cybersecurity firm to assist in protecting us from cybersecurity threats. Our IT partner has been in business for over 33 years and has a national footprint of 175 offices nationwide. In addition to assessing our own cybersecurity preparedness and as part of our overall cybersecurity risk management framework, we also consider and evaluate cybersecurity risks associated with our use of third-party service providers.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] third-party IT and cybersecurity firm
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our IT partner has been in business for over 33 years and has a national footprint of 175 offices nationwide.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] On a quarterly basis, our board of directors and audit committee receive a report from management on our cybersecurity threat risk management processes and strategies. Outside of quarterly meetings, our board of directors and audit committee are notified following any cybersecurity incident and meet to address and identify the cybersecurity threat’s severity levels. Our board of directors and audit committee also review management’s materiality assessment regarding any cybersecurity incident requiring disclosure to the SEC.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true