SAUL CENTERS, INC. - (BFS)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
The Company maintains a documented information security program, under the supervision of its Chief Information Officer (“CIO”), that is designed to protect the infrastructure, information systems, and the information in Company systems from unauthorized access, use, or other malicious acts by enabling the organization to identify risks, implement protections, and detect and respond to cybersecurity events. Our information security program covers multiple aspects of security management, including, but not limited to: data handling and classification; user access controls and management; business continuity and disaster recovery; configuration management; asset management; risk assessments; data disposal; record retention; information security incident response; vulnerability and patch management; network security and monitoring; physical and environmental controls; data privacy; vendor and third party risk management; multi-factor authentication; and cybersecurity awareness training. The CIO has over 25 years of professional, cross-discipline information technology experience in various industries including real estate, financial services, government, and hospitality. The Vice President of Cybersecurity, reporting directly to the CIO, has over 18 years of information technology experience and is a Certified Information Systems Security Professional (“CISSP”). Both have been with the Company for over a decade.
The Company performs an annual risk assessment that includes identifying, assessing and documenting how cybersecurity and privacy risks are evaluated; establishes criteria to evaluate the confidentiality, integrity, and availability of Company systems and nonpublic information; documents how existing controls address identified risks; and leads to the revision of controls as appropriate. In addition, dedicated information technology and executive personnel convene quarterly to examine operational aspects of cybersecurity.
The Company maintains an incident response plan that is designed to quickly respond to cybersecurity-related incidents in a manner that protects its own information and the information of the Company’s customers and tenants as outlined in the incident response plan. The incident response plan establishes a primary incident coordinator, incident response teams, workstreams, escalation paths, and contacts to be engaged in an incident. The Company conducts scheduled tests of its incident response plan to verify that the teams understand how to respond to cyber threat scenarios.
The Company contracts with third parties to periodically conduct penetration testing. The Company’s internal audit team also periodically conducts a risk-based cybersecurity audit and, as part of such audit, engages third parties to conduct detailed security assessments, including adversary simulations, technical remediation validation and reporting of results. The Company’s internal audit team prepares cybersecurity audit reports in accordance with appropriate standards and reports findings and recommendations to Company management. The audit reports and management’s responses, including descriptions of any corrective actions taken, are then reported to the Audit Committee and the Board of Directors. Cybersecurity threats, possible security events, and ongoing security enhancement initiatives are regularly discussed and tracked with the CIO, VP of Cybersecurity, and other senior IT team members through regularly scheduled, collaborative meetings and more frequently as the subject matter merits. Preventative security measures are shared with Management through regularly scheduled IT steering committee meetings. The Audit Committee is apprised of cybersecurity controls, known and perceived risks, remediation of those risks, and other measures via the Chief Audit Executive, through direct briefings, or in writing (by the CIO and/or designee). Our incident response policy/plan requires that key Company executives and the Audit Committee are informed of and involved with any confirmed cybersecurity incident (including mitigation/remediation). Company IT acceptable use policies require that employees report any security incidents to IT and to their supervisor. Regularly scheduled Company training courses and security bulletins reinforce security awareness.
The Company has designed a third-party risk management program, under the supervision of its Chief Data Privacy Officer, that is designed to manage third-party providers through the lifecycle of the relationship. This includes assessing the vendors based upon their criticality and inherent risk, analyzing the risk posed, performing due diligence prior to contract execution, and conducting annual monitoring of risk and performance. Due diligence activities include an assessment of the minimum cybersecurity controls (specifically, data handling practices, encryption, and cybersecurity event management) to enable the Company to verify that third-party controls meet our expectations and contractual commitments.
Cybersecurity processes have been integrated into the Company’s broader framework of risk management. The Company’s Board of Directors exercises oversight of cybersecurity risks. The Board of Directors entrusts the Audit Committee with responsibility for regularly reviewing and assessing cybersecurity risks to ensure a proactive approach to safeguarding the Company’s digital assets. The Audit Committee’s primary role is to provide an independent and objective assessment of the Company's cybersecurity risk management practices to confirm that they are both effective and aligned with the Company’s strategic objectives. The Audit Committee also reports its findings and recommendations to the Board of Directors, helping the Board of Directors to make informed decisions regarding cybersecurity strategy, investments, and risk. Notwithstanding the Company's efforts, the Company is aware that preventative measures cannot prevent all cybersecurity incidents. For a detailed discussion of risks from cybersecurity threats, please see “Item 1A. Risk Factors.”