Armada Hoffler Properties, Inc. - (AHH)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
Cybersecurity represents a critical component of our overall approach to risk management. We generally approach cybersecurity threats through a cross-functional, multilayered approach, with the specific goals of: (i) identifying, preventing and mitigating cybersecurity threats to us; (ii) preserving the confidentiality, security, and availability of the information that we collect and store to use in our business; (iii) protecting our intellectual property; (iv) maintaining the confidence of our tenants, customers, clients, and business partners; and (v) providing appropriate public disclosure of cybersecurity risks and incidents when applicable. Additionally, we maintain a cyber insurance policy that covers loss of data and associated recovery, loss of revenue due to business interruptions from a cybersecurity event, loss of transferred funds from events such as fraud and social engineering, and loss of funds from computer fraud and extortion.
Processes for Assessing Cybersecurity Threats
We manage cybersecurity threats by employing a comprehensive process that is integral to our overall risk management framework. Our risk management approach is designed to be aligned with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2017 Enterprise Risk Management (“ERM”) framework. This system includes a risk assessment process specifically designed to identify information technology (“IT”) and cybersecurity risks that could be material to our organization.
i. Integration into the COSO-Based Enterprise Risk Management Framework
Our overall risk management system provides a structured and consistent approach to risk identification, assessment, and response, including those related to cybersecurity. The integration of cyber risks into our ERM framework underscores our commitment to upholding a robust governance structure that emphasizes the protection of our information systems. We also have in the past year engaged a third-party consultant to conduct a detailed risk assessment workshop utilizing the Center for Internet Security (CIS) framework v8. Additionally, our internal audit department performs periodic assessments of the design and operating effectiveness of our cybersecurity controls.
ii. Engagement with Third Parties
We maintain strategic partnerships with third-party assessors, consultants, and auditors to enhance our defense mechanisms. This includes the use of third parties for penetration testing, log evaluation, and network monitoring to assist in the rapid identification and mitigation of any suspicious network access and to ensure the effective detection and mitigation of cybersecurity threats. The results of such tests and assessments are reported to our audit committee and our board of directors, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by the tests and assessments.
iii. Oversight of Third-Party Service Providers
Our vendor risk assessment program is designed to identify, evaluate, and manage risks associated with third-party service providers. As a part of this program, we regularly review third-party attestation reports, such as SOC 1 and SOC 2, for key service providers to validate the effectiveness of their cybersecurity policies and controls. This ensures alignment with our standards for cybersecurity.
Additionally, we require all vendors with whom we have a direct contract or agreement, with limited exceptions, to comply with the Vendor Code of Business Conduct. Vendors are required to maintain the confidentiality of information entrusted to them by us. Additionally, the Vendor Code of Business Conduct provides instructions for vendors to report violations confidentially.
Impact of Cybersecurity Threats
Cybersecurity threats have the potential to negatively impact us due to the use of information technology within our business, and by our suppliers, business partners, and tenants. See “Risk Factors—Risks Related to Our Business—A cybersecurity incident or other technology disruptions could negatively impact our business, our relationships, and our reputation.” of Item 1A above for a discussion of cybersecurity risks and the potential impact on us.
Governance
Board Oversight
Our board of directors, including through delegation to our audit committee, exercises oversight over cybersecurity risks and controls. Our audit committee and board of directors regularly receive updates (including, in the case of our audit committee, quarterly updates) from our Chief Financial Officer and other members of management regarding the status of cybersecurity initiatives and the effectiveness of our internal control system related to information security. In connection with such updates, our board of directors and audit committee discuss our approach to cybersecurity risk management with management. Additionally, the audit committee periodically receives presentations from third-party cybersecurity experts to remain informed of developments in cyber risk and mitigation. Our board of directors and audit committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding such incident until it has been addressed.
Management’s Role
Management plays a critical role in cybersecurity risk assessment and management. The key roles and responsibilities are summarized as follows:
i. Management Responsibilities
Key management personnel, tasked with cybersecurity risk management, are equipped with expertise that encompasses extensive experience in cybersecurity, academic credentials, and professional certifications. Specific cybersecurity expertise and certifications held by management include bachelor’s degrees in technology and network security, industry certifications (CompTIA A+, CompTIA Network+, CompTIA Security+, Microsoft Certified Professional, Cisco Certified Network Associate), and public sector (military) experience in network security. Management personnel hone their skills to meet new demands through continuing professional development. Additionally, all employees are subject to ongoing cybersecurity training.
Members of management report to our Chief Financial Officer who is the member of management that is principally responsible for overseeing our cybersecurity risk management program. Our Chief Financial Officer holds an undergraduate and graduate degree in economics and has over 14 years of experience with managing risks at the Company and in environments similar to the Company’s, including risks arising from cybersecurity threats. Additionally, our Director of IT has served in various roles in information technology and information security for over 23 years. Our Director of IT holds an undergraduate degree in information technology and has attained the following professional certifications: CompTIA Network+, CompTIA Security+, Microsoft Certified Professional, Cisco Certified Network Associate, and Department of Defense Information Assurance Technical, Level II. Further, our Director of Corporate Business Systems holds a Bachelor of Science degree in Construction Science and Management and has over 8 years of experience with software implementations, technology innovation, and corporate business systems.
ii. Monitoring
The management team ensures the implementation of robust monitoring protocols for preventing, detecting, mitigating, and remediating cybersecurity threats. We use a ‘defense in layers’ approach, a cybersecurity strategy that involves the use of multiple types of security measures, each designed to protect against a different vector of attack. As noted above, management is supported by third-party monitoring, next-generation hardware, and automated logging analysis. We utilize third parties for penetration testing and log evaluation, which provides 24/7 network monitoring to assist in rapid identification and mitigation of any suspicious network access. We maintain an Incident Response Plan, based on guidance within the National Institute of Standards and Technology's Computer Security Incident Handling Guide, which provides an escalation policy for identified security incidents. Our escalation policy details specific escalation processes by which senior leadership (Director of IT, Chief Financial Officer, and Chief Executive Officer) are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents.
iii. Reporting to the Board
There is a structured reporting mechanism in place through which our Chief Financial Officer regularly updates our audit committee on cybersecurity risk management efforts, thus facilitating informed oversight by the board. Further, our Chief Financial Officer and IT personnel monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents in real time, and report such incidents to our audit committee and/or board of directors when appropriate.