SITE Centers Corp. - (SITC)

10-K Filing Date: February 23, 2024
Item 1C. CYBERSECURITY

Information Technology and Cybersecurity

The Company depends on the proper functioning, availability, and security of its information systems, including financial, data processing, communications, and operating systems, as well as proprietary software programs that are important to the efficient operation of the business. The Company also utilizes software applications provided by third parties, grants limited access to the Company’s systems to third parties providing specific outsourced functions or other services, and increasingly stores and transmits data using connected information technology or “cloud” systems. Any significant failures or disruptions of the Company’s critical information systems, including ransomware attacks or other cyber incidents, that impact the availability or other proper functioning of these systems or that result in the compromise of sensitive or confidential information, including information of tenants, employees, and others, could result in liability for the Company to third parties and have a significant impact on the Company’s operations and reputation.

Additionally, the Audit Committee, which consists solely of independent directors, is responsible for overseeing cybersecurity risks and related initiatives. The Audit Committee reviews our enterprise risk and cybersecurity risks. It also reviews the steps management has taken to protect against threats to our information systems and security and receives updates on cybersecurity on a quarterly basis.

The Company’s internal audit team annually assesses and reviews the risks posed to the security of the Company’s networks, including a review of system and process assurance for information technology and application controls, and takes into account certain frameworks and policies. The Company’s internal audit team also reviews the Company’s fraud assessment and confirms IT management’s oversight of its cybersecurity policies. The Company’s management team reviews the findings, if any, of these assessments, assesses the identified risks, and takes action based on the Company’s risk profile. In order to assess the risks posed to the Company’s information systems by third-party service providers and vendors, the Company’s internal audit services team evaluates new software and network application vendors’ contracts, internal policies, certifications, and System and Organization Controls (“SOC”) reports during the procurement of solutions and services.

To mitigate the risk and impact of any cybersecurity incidents on the security and availability of the Company’s networks, the Company’s information technology systems are protected through physical and software safeguards and backup procedures the Company considers appropriate. The Company contracts with independent cybersecurity providers for security event incident management, end-point detection and incident response monitoring, and security incident response services. Additionally, the Company has deployed a layered approach to network intrusion detection and protection using technology provided by industry-leading companies. The information technology department also performs timely system and security updates to maintain current software versions and apply appropriate security updates to reduce the Company’s risk.

The Company has also implemented various safeguards to protect the availability of its data and the integrity of its network, including redundant telecommunication facilities, replicating critical data and backups to multiple off-site locations, a fire suppression system to protect the Company’s on-site data center, and electrical power protection and generation facilities. The Company also has a catastrophic disaster recovery plan and alternate processing capability available for its critical data processes in case of a catastrophe that renders the primary data center unusable.

The Company conducts bi-annual cybersecurity awareness training for all employees, new-hire cybersecurity training, periodic simulated phishing tests, and additional training for specific departmental requirements as part of the Company’s risk mitigation efforts. The Company also maintains cybersecurity insurance; however, there is no assurance that the insurance the Company maintains will cover all cybersecurity breaches or that policy limits will be sufficient to cover all related losses.

Under the leadership of the Company’s Senior Vice President of Information Technology, the Company’s information technology department is primarily responsible for assessing and managing material risks to the Company’s information systems. Certain members of the Company’s information technology department, including the Senior Vice President of Information Technology, have obtained specialized security certifications and have prior work experience in various roles involving technology and security. The Company has established an internal Security and Privacy Governance Committee, comprised of the Senior Vice President of Information Technology and other senior members of management that generally meets quarterly. This committee receives updates from the Company’s information technology department with respect to the implementation of various systems and security measures, the Company’s cybersecurity training and awareness program, enhancements or modifications to the security program, and the impacts of such changes to the Company’s information security risk environment. The Company has adopted a Cybersecurity Incident Response Plan, which requires communication of cybersecurity incidents to varying levels and personnel within the organization depending on the severity of the threat impact and encompasses tactics related to cybersecurity, systems and facilities availability, and information privacy.

The Board of Directors has specifically delegated oversight of the Company’s cybersecurity risks and related practices to the Audit Committee of the Board of Directors through the committee’s charter. At least once each year, senior members of the Company’s information technology team (including the Senior Vice President of Information Technology) and internal audit services team brief the Audit Committee on information security matters, including results from risk assessments, the Company’s policies and its internal control function.

The Company has experienced issues related to malware, email phishing, and other events intended to disrupt information systems, wrongfully obtain valuable information, or cause other malicious events that could have harmed the Company’s information systems. To the best of the Company’s knowledge, these threats have not materially affected the Company, nor have they materially obstructed the availability of its information systems and data. Although no assurances can be given, the Company does not believe that such threats are reasonably likely to materially affect the Company in the future. See Item 1A. Risk Factors under the caption “Risks Related to the Company’s Business, Properties and Strategies—A Disruption, Failure or Breach of the Company’s Networks or Systems, Including as a Result of Cyber-Attacks, Could Harm Its Business.”