GOVERNANCE AND TRANSPARENT REPORTING
ETHICS AND COMPLIANCE
ESRT’s Code of Business Conduct and Ethics applies to our board, directors, officers, and colleagues and is reviewed and overseen by our Nominating and Corporate Governance Committee. We train our colleagues on the Code on an annual basis and provide additional compliance training on key topics, which include insider trading, anti-harassment and discrimination, and cybersecurity. All colleagues are required to reaffirm their compliance with the Code annually.

ESRT is committed to providing a positive work environment and recognizes freedom of association and the right to collective bargaining. 64% of our colleagues are covered by a collective bargaining agreement.

The company actively monitors internal compliance with its Code of Business Conduct and Ethics. Colleagues are required to speak up about misconduct and report suspected or known Code violations. The Code prohibits retaliation against anyone who raises an issue or concern in good faith. Any waiver of the Code for our directors or executive officers may be made only by our board or one of our board committees. We intend to disclose on our website any amendment to or waiver of any provision of the Code that would be required to be disclosed under the rules of the U.S. Securities and Exchange Commission or the NYSE.

CYBERSECURITY

We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities, and test those systems pursuant to our cybersecurity policies and procedures, which are integrated into the company’s overall risk management framework. To protect our information systems from cybersecurity threats, we use various security tools that help us identify, escalate, investigate, resolve, and recover from security incidents in a timely manner.
We partner with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes, which include a Managed Security Services Provider (MSSP) that provides a 24x7x365 Security Operations Center (SOC), regular phishing tests, cybersecurity training, and an annual penetration test. Additionally, our management team has developed a cyber incident response plan to deploy in the event of a cyber threat. This plan is reviewed and updated annually and tested through tabletop exercises that involve management and other key personnel, the board, and outside experts. Department heads are required to consider key technology systems used by their respective teams and the impact to the company and other stakeholders in the event such systems were compromised or unavailable as part of regular business continuity planning. Our Chief Technology Officer (CTO) leads the assessment and management of cybersecurity risks and reports quarterly to the Audit Committee on technology-related programs, strategies, and risks, which include cybersecurity risks.
TRAINING

All colleagues must complete mandatory training annually, which includes but is not limited to:
• Sexual Harassment
• Harassment and Discrimination
• Ethics and Whistleblower Mechanism
• Insider Trading
• Corporate Compliance Manual
• Cybersecurity Compliance
• Employee Handbook
2024 SUSTAINABILITY REPORT