2025 Corporate Sustainability Report: ESRT

GOVERNANCE AND TRANSPARENT REPORTING


Business Ethics

ESRT’s Code of Business Conduct and Ethics applies to our board, directors, officers, and colleagues, and is reviewed and overseen by our Nominating and Corporate Governance Committee. We provide mandatory annual training on the Code to all colleagues, along with additional compliance training on key topics such as insider trading, anti-harassment and discrimination, and cybersecurity. All colleagues are required to reaffirm their compliance with the Code each year.

ESRT is committed to providing a positive work environment and recognizes both freedom of association and the right to collective bargaining. As of December 31, 2025, ESRT employed 642 people, of whom approximately 407 are covered by collective bargaining agreements.

The company actively monitors internal compliance with its Code of Business Conduct and Ethics. Colleagues are encouraged to speak up about misconduct and to report any suspected or known violations. The Code strictly prohibits retaliation against anyone who raises a concern in good faith. Any waiver of the Code for our directors or executive officers may only be granted by our board or one of its committees. We intend to disclose on our website any amendment to or waiver of provisions of the Code that would be required to be disclosed under the rules of the U.S. Securities and Exchange Commission or the New York Stock Exchange (NYSE).

Cybersecurity

We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities, and test those systems in accordance with our cybersecurity policies and procedures, which are integrated into the company’s overall risk management framework. To protect our information systems, we employ a range of security tools that enable us to identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. We also partner with third parties to evaluate the effectiveness of our cybersecurity prevention and response systems.
These efforts include a partnership with a Managed Security Services Provider (MSSP) that operates a 24x7x365 Security Operations Center (SOC), regular phishing tests, cybersecurity training, and an annual penetration test. Our management team has developed a cyber incident response plan to be deployed in the event of a cyber threat. This plan is reviewed and updated annually and tested through tabletop exercises that involve management, key personnel, the board, and external experts. Department heads are required to evaluate the key technology systems used by their teams and assess the potential impact on the company and its stakeholders should those systems become compromised. Our Chief Technology Officer (CTO) leads the assessment and management of cybersecurity risks and reports quarterly to the Audit Committee on technology-related programs, strategies, and risks, which include cybersecurity.

Ethics and Compliance Training

All colleagues must complete mandatory training annually, which includes but is not limited to:

• Corporate Compliance Manual
• Cybersecurity Compliance
• Employee Handbook
• Ethics and Whistleblower
• Harassment and Discrimination
• Insider Trading
• Sexual Harassment

64 EMPIRE STATE REALTY TRUST 2025 CORPORATE SUSTAINABILITY REPORT
