MACERICH CO - (MAC)

10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY
Cyber Risk Management and Strategy
The Company, under the oversight of the Audit Committee of its Board of Directors, has implemented and maintains a cybersecurity risk management program that includes processes for the systematic identification, assessment and treatment (through mitigation, transfer, avoidance and/or acceptance) of cybersecurity risks. This program extends to third-party vendors and the various properties under the Company’s management, including corporate and commercial properties, through establishing vendor risk requirements and conducting vendor risk assessments.

This risk management program addresses, but is not limited to, risks identified by external auditors and assessors, internal auditors and assessors, threat intelligence providers, internal stakeholders, vulnerability management programs and security management programs. An internal audit team at the Company manages and maintains remediation strategies for identified risks, and reports on them regularly to senior leadership. As part of the Company’s cyber risk management program, the Company has engaged external independent assessors to conduct cyber risk assessments, evaluate cyber risk management controls, and report both findings and recommendations to management.

The Company, like other companies in its industry, faces a number of cybersecurity risks in connection with its business. Although such risks have not materially affected the Company, including its business strategy, results of operations or financial condition, to date, the Company has, from time to time, experienced threats to and security incidents related to its data and systems. For more information about the cybersecurity risks the Company faces, see Item 1A. Risk Factors.
Governance Related to Cybersecurity Risks

The Company’s cyber risk management program and related operations and processes are directed by the Senior Vice President of Information Technology (the “SVP-IT”). Currently, the SVP-IT role is held by an individual who has over twenty-five years of cybersecurity, information technology and systems engineering experience. The SVP-IT meets with the Chief Financial Officer and Chief Legal Officer quarterly to monitor and review the outcomes of the Company’s cybersecurity risk management processes and to discuss and decide matters related to cybersecurity risk treatment strategy (including mitigations).
The Company also formed the Business Continuity Plan (“BCP”) and Cyber Security Risk Committee (the “Security Committee”), which oversees the prioritization and escalation of risks from cybersecurity threats to senior leadership and is chaired by the SVP-IT and the Executive Vice President of Portfolio Operations and People. The Security Committee reports to the Chief Financial Officer and Chief Legal Officer, and the committee’s members include senior company leadership responsible for asset management, risk management, marketing, and business development. Collectively, the Security Committee members possess experience in information security, risk management, oversight and legal compliance.
The Company’s Board of Directors plays an important role in risk oversight and discharges its duties both as a full board and through its committees. The Board has delegated oversight of risk management matters, including cybersecurity and information technology matters, to its Audit Committee. As reflected in the Audit Committee charter, the committee is responsible for reviewing information technology, cybersecurity and other data protection strategies and plans, as well as assessing incident response protocols. The Security Committee provides quarterly reports to the Audit Committee and the SVP-IT attends board meetings yearly, or more frequently as appropriate, to inform the Company’s Board of Directors on cybersecurity risks.
Additionally, the Company is subject to the requirements of the Sarbanes-Oxley Act of 2002, and information technology general controls are an important part of the Company’s internal control over financial reporting and are subject to controls testing. Control deficiencies that represent cybersecurity risks would be reported by management to the Audit Committee.