COPT DEFENSE PROPERTIES - (CDP)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
(a) As discussed in Item 1A, Risk Factors, we face risks associated with security breaches and other significant disruptions of our IT networks and related information systems, which are essential to our business operations. Due to our Defense/IT strategy and the nature of the customers and activities it serves, we may have a heightened likelihood of being targeted for cyber-attacks or -intrusions, including by governments, organizations or persons hostile to the USG.
Our cybersecurity risk management efforts are informed by a cyber risk assessment, a continuous evaluation of our risks and vulnerabilities and risk tolerances. Our processes for assessing, identifying and managing cybersecurity risks are led by our Vice President – Information Technology and Chief Information Officer (our “CIO”), a management-level position reporting directly to our Executive Vice President and Chief Financial Officer (our “CFO”). Our CIO, a Certified Information Systems Security Professional (“CISSP”) with over 20 years of information systems and information security leadership experience, leads our information technology team members, many of whom have USG security clearances and include one additional CISSP certified team member, in supporting our cybersecurity risk management efforts. This team’s efforts are further informed through their participation in external cybersecurity-related panels, industry presentations and advisory boards, tabletop exercises and information-sharing collaborations and partnerships.
Our information technology team executes a series of preventive, detective and responsive measures aimed towards managing our cybersecurity risks, including the following:
>administering a series of processes and automated tools to monitor and alert for potentially malicious activities and vulnerabilities on our network, systems, applications and devices, with the ability to terminate processes and isolate potential vulnerabilities;
>employing tools and controls to support our efforts in identity and access management and device and user management and authentication;
>ongoing cybersecurity maintenance activities, including scheduled maintenance time windows for comprehensive system updates to occur, with additional ad hoc updates occurring as needed, monitoring of all Company devices for timeliness of security updates and pushing time-sensitive updates to our system infrastructure and devices, as appropriate;
>recurring, redundant backups of our applications, servers and data, with replication to remote storage locations;
>assessing audit reports issued on controls of certain outsourced, or externally-hosted, systems or applications; and
>periodically evaluating our readiness by performing testing of our process and system for responding to cyber events, including our ability to recover following such events.
We engage consultants:
>on an ongoing basis for certain aspects of our information technology team’s recurring monitoring and alert processes and round-the-clock support, as needed; and
>periodically to perform penetration testing and vulnerability scanning of our systems, websites and properties, run or support tabletop exercises and complete cyber risk-based assessments of us.
Organizationally, we aim to further support the forementioned measures through:
>purchase and contracting controls aimed at preventing our entry into purchases or service arrangements: with entities blocked or banned by OFAC or the Federal Trade Commission; or outside of manufacturer authorized distribution channels; and
>education of our employees, including cybersecurity-related training and periodic reminders and promotions regarding potential risks.
Our CIO routinely apprises our CFO regarding cyber risk management activities and provides updates and data, as needed, to our executive team to facilitate decisions regarding our cyber risk posture and related considerations regarding our enterprise risk management assessment. Our CIO and CFO provide to the Audit Committee of our Board of Trustees: quarterly updates on our cybersecurity risk management strategy and related activities; annual reviews of our cyber risk assessment; and other information as needed to facilitate the committee’s oversight of our cybersecurity risk. Two members of this committee possess cybersecurity and information systems experience, which we believe brings valuable insight and perspective to our risk management strategy. Our CIO and CFO also provide an annual review of our cyber risk assessment to our full Board of Trustees.
While to date, we have not experienced cybersecurity events that were individually, or in the aggregate, material, we have developed a cyber-incident response playbook that sets forth our process for responding in the event of certain defined cyber incidents. Under our response protocols, following identification of such an incident, our CIO or other members of the information technology team would notify our executive team, which then would notify the Chairman of our Board of Trustees and assemble an Incident Management Team, comprised of certain defined management team members and external consultants, who collectively would assess and monitor the situation and manage internal and external communications.
We also are subject to legal and regulatory requirements that affect our response to cybersecurity-risk management, including the Sarbanes-Oxley Act, state data breach notification requirements and certain requirements under our leases with tenants.