CEDAR REALTY TRUST, INC. - (CDR.PB)

10-K Filing Date: March 05, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
The Company depends on the proper functioning, availability and security of its information systems, including financial, data processing, communications and operating systems. Several information systems are software applications provided by third parties. Although risks from cybersecurity threats have to date not materially affected, and we do not believe they are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition, like other companies in our industry, we could, from time to time, experience threats and security incidents related to our and our third-party vendors' information systems, including attempts to gain unauthorized access to our confidential data, and other electronic security breaches. Such cybersecurity attacks can range from individual attempts to gain unauthorized access to our information technology systems to more sophisticated security threats. While we employ a number of measures to prevent, detect and mitigate these threats, there is no guarantee such efforts will be successful in preventing a cybersecurity attack. A cybersecurity attack could compromise the confidential information of our employees, tenants and vendors. A successful cybersecurity attack could disrupt and otherwise adversely affect our business operations.
Assessment, identification and management of cybersecurity related risks are integrated into our overall risk management process. Cybersecurity related risks are included in the risk universe we evaluate to assess top risks to the Company at least annually. To the extent our processes identify a heightened cybersecurity related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion.
Cybersecurity Governance
Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated oversight of cybersecurity risk strategy and governance and of other information technology risks to the Audit Committee of the Board of Directors (the "Audit Committee"). The Audit Committee reports to the full Board of Directors regarding its activities, including those related to cybersecurity. Senior management, including the Company's CEO, CFO, and General Counsel, is responsible for assessing and managing cybersecurity risk, and provides briefings regarding the assessment and management of such risk to the Audit Committee, which then reports, as necessary, to the Board of Directors. Although members of our senior management do not have direct cybersecurity expertise obtained through certifications, their experience managing the Company, which includes consulting and coordinating as necessary with a third party information technology expert referred to below, enables them to effectively assess and manage material risks from cybersecurity threats.
The Company retained an information technology expert third party company to assist in managing relevant risks. In particular, the Company outsources its information technology function and monitoring to a third party provider whereby it benefits from a professionally managed network monitoring, management, maintenance, detection and response system and a 24/7 security operations center with both onsite and remote support services. Any cybersecurity incident would be reported to the Company promptly by our third party consultant and material and potentially material incidents would be assessed by management and the Audit Committee for remediation and future prevention and detection.
The Company, at least annually, updates its policies or procedures that could help mitigate cybersecurity risks. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. The Company has incorporated cybersecurity coverage in its insurance policies; however, there is no assurance that the insurance the Company maintains will cover all cybersecurity breaches or that policy limits will be sufficient to cover all related losses.
8