SL GREEN REALTY CORP - (SLG)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The Company's business and proprietary information, information technology and operational technology assets are important to its success. The Company’s cybersecurity program is designed to protect its information assets and operations from external and internal cyber threats by seeking to mitigate and manage risks while helping to ensure business resiliency. The program is applied across all levels of the Company.
The Company takes a risk-based approach to cybersecurity and has implemented policies that are designed to address cybersecurity threats and incidents, including those related to third-party service providers. The Company assesses risks from cybersecurity threats, monitors its information systems for potential vulnerabilities and tests those systems pursuant to the Company's cybersecurity standards, processes and practices, as part of the Company's overall risk management system. The Company also leverages external resources and advisors as needed to reinforce its cybersecurity capacity. External consultants perform testing exercises to further assess the Company’s cybersecurity program on an annual basis, or more frequently if circumstances warrant such testing.
The Company’s cybersecurity strategy is guided by prioritized risk, the National Institute for Standards and Technology (NIST) Cybersecurity Framework, and emerging business needs. The Company maintains a cybersecurity incident response plan, as well as a monitoring program, to support senior leadership and the Board.
The Company’s cybersecurity team manages its incident response plan and monitoring program. Company employees are provided cybersecurity awareness training, which includes topics on the Company’s policies and procedures for reporting potential incidents. The Company’s cybersecurity team is focused on evaluating emerging risks, regulations, and compliance matters and updating the policies and procedures accordingly.
To date, cybersecurity risks, including as a result of any previous cybersecurity incidents, have not materially affected and we believe are not reasonably likely to affect the Company, including its business strategy, results of operations or financial condition. Refer to the risk factor captioned “Our business and operations would suffer in the event of system failures or cyber security attacks” in Part I, Item 1A. “Risk Factors” for additional description of cybersecurity risks and potential related impacts on the Company.
Governance
The Board oversees the Company’s risk management process directly and through its committees. Pursuant to the Audit Committee Charter, the Audit Committee of the Board provides compliance oversight to the Company’s risk assessment and risk management policies and the steps management has taken to monitor and mitigate such exposures and risks.
The Company’s Senior Director, Information Security & Network Systems, in coordination with the Senior Vice President, Information Technology, is responsible for leading the assessment and management of cybersecurity risks. The Senior Director, Information Security & Network Systems and Senior Vice President, Information Technology regularly review and assess cybersecurity initiatives and are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through briefings with internal and external personnel as well as alerts from security measures deployed in the Company's IT environment. These individuals collectively have over 30 years of experience in information security. The Senior Vice President, Information Technology reports to the Board, the Audit Committee and management on cybersecurity risk assessment, policies, incident prevention, detection, mitigation, and remediation of cybersecurity incidents on an as-needed basis.