SIMON PROPERTY GROUP INC /DE/ - (SPG)
10-K Filing Date: February 22, 2024
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. We execute a risk-based approach to identify and assess the cybersecurity threats that could affect our business and information systems. Our cybersecurity risk management program includes a cybersecurity incident response plan and dedicated cybersecurity incident response team (“CSIRT”). We do not have actual or contractual access to the systems or information maintained by our tenants, who maintain their own cybersecurity risk management programs to protect their operations from various risks from cybersecurity threats.
We use the National Institute of Standards and Technology Cybersecurity Framework and CIS Critical Security Controls as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. This does not imply that we meet any particular technical standards, specifications, or requirements.
Our cybersecurity risk management program is integrated with our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, public relations and financial risk areas.
Our cybersecurity risk management program includes the following key elements:
● risk assessments designed to help identify material cybersecurity risks to our critical systems, information, services, and our broader enterprise information technology (IT) environment;
● a team comprised of IT security, infrastructure, and compliance personnel principally responsible for directing (1) our cybersecurity risk assessment processes, (2) our security processes, and (3) our response to cybersecurity incidents, supported by legal, human resources, corporate security and other internal resources;
● the use of external cybersecurity service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes, which enable us to leverage specialized knowledge and insights, with the goal of ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices;
● cybersecurity awareness training of employees with access to our IT systems;
● a cybersecurity incident response plan and Security Operations Center (“SOC”) to respond to cybersecurity incidents; and
● a third-party risk management process for service providers.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See further discussion in Item 1A. Risk Factors.
Cybersecurity Governance
Our Board of Directors considers cybersecurity risk as critical to the enterprise and delegates the cybersecurity risk oversight function to the Audit Committee. The Audit Committee oversees and is regularly updated on management’s design, implementation and enforcement of our cybersecurity risk management program. The Audit Committee is composed of board members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks.
Our Chief Financial Officer periodically provides reports to the Audit Committee, and, together with our Chief Technology Officer and Director of Cybersecurity, leads the Company’s overall cybersecurity function. The Audit Committee receives regular reports on our cybersecurity risks, including briefings on our cyber risk management program and cybersecurity incidents. Audit Committee members also receive periodic presentations on cybersecurity, IT and data protection topics.
Our Chief Financial Officer oversees our CSIRT, whose members have years of experience working in cybersecurity and certifications including CISSP (Certified Information Systems Security Professional), CCSP (Certified Cloud Security Professional), CGRC (Certification in Governance of Enterprise IT), GIAC (Global Information Assurance Certification) and GCED (GIAC Certified Enterprise Defender). Our CSIRT supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers; and alerts and reports produced by security tools deployed in the IT environment.
The CSIRT is responsible for assessing and managing our material risks from cybersecurity threats. They have primary responsibility for leading our overall cybersecurity risk management program and supervise both our internal cybersecurity personnel and our external cybersecurity service providers.