STRATUS PROPERTIES INC - (STRS)
10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity and availability of our information systems and the information stored on those systems. Our program is integrated into our overall risk management program and shares common reporting channels and governance processes that apply across our risk management program to other legal, compliance, operational and financial risk areas.
Our cybersecurity risk management program is based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications or requirements, but only that we use the NIST CSF as a guide to help us identify, assess and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program includes:
• a cybersecurity policy outlining our procedures for the protection of our information systems and the information stored on those systems;
• risk assessments designed to help identify material cybersecurity risks to our information systems and the information stored on those systems;
• a team of employees (as further described below) responsible for managing our cybersecurity risk assessment processes, our security controls and our response to cybersecurity incidents;
• cybersecurity awareness training of our employees;
• the use of external service providers that assess, test and otherwise assist with aspects of our cybersecurity controls;
• the use of security information and event management software tools to help protect against, detect, analyze and respond to cybersecurity threats;
• an incident response plan that includes procedures for responding to cybersecurity incidents; and
• a cybersecurity risk management process with respect to third-party service providers.
We have focused on strengthening our cybersecurity risk management program during the past few years and intend to continue to improve our program, including through additional processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. We have experienced cybersecurity incidents in the past and may experience them in the future. However, we have not experienced any risks from cybersecurity threats, including as a result of prior cybersecurity incidents, that have materially affected us or that we believe are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For information about risks from cybersecurity threats that could be reasonably likely to materially affect us, please refer to “Our business may be adversely affected by cybersecurity incidents or other disruptions to our information systems or our contractors’ information systems” included in Item 1A. “Risk Factors.”
Cybersecurity Governance
Our Board considers risks from cybersecurity threats as part of its risk oversight function and has delegated to the Audit Committee oversight of our information and technology security policies and the internal controls regarding information and technology security and cybersecurity risks.
The Audit Committee receives periodic reports from our Chief Financial Officer on our cybersecurity risks and cybersecurity risk management program. The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives briefings from our Chief Financial Officer on our cybersecurity risks and cybersecurity risk management program.
We have an information technology (IT) Steering Committee consisting of senior management that is responsible for establishing IT priorities for Stratus and providing input and guidance on IT issues, including cybersecurity matters and incident response. Our IT Steering Committee is led by our IT Director and includes senior members from Stratus’ different departments.
We have an IT Security Team consisting of our IT Director and Network Administrator/Security Analyst responsible for monitoring our information systems for cybersecurity threats and incidents, detecting and analyzing cybersecurity incidents, and reporting cybersecurity incidents to our Incident Response Team (described below). Our IT Security Team is led by our IT Director. Our IT Security Team may also include one or more external IT technical experts depending on the nature and scope of any particular cybersecurity threat or incident.
We have an Incident Response Team consisting of management personnel that is responsible for promptly responding to cybersecurity incidents. Our Incident Response Team is led by our Chief Financial Officer and includes our IT Director, Network Administrator/Security Analyst, Vice President – Finance, and General Counsel. Our Incident Response Team may also include one or more external IT technical experts and subject-matter experts depending on the nature and scope of any particular cybersecurity incident. As our Incident Response Team leader, our Chief Financial Officer is responsible for reporting any significant cybersecurity incident to our Chief Executive Officer, Audit Committee, and Board.
Our Chief Financial Officer has over 25 years of experience supervising public company IT departments. Our IT Director has 25 years of experience in the development, implementation and maintenance of public company information systems with a focus on network and IT infrastructure security; four years of experience in cybersecurity matters, including identifying and assessing cybersecurity risks and developing and implementing cybersecurity risk management strategies and programs; and has completed educational programs in cybersecurity risk management. Our Network Administrator/Security Analyst holds a Master of Science degree in Cybersecurity from a Center of Academic Excellence in Cyber Defense designated university and has two years of experience working with our information systems, including endpoint security software and Security Information and Event Management tool management.