TANGER INC. - (SKT)

10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY

Risk management and strategy

We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data.

Our corporate information technology, communication networks, enterprise applications, accounting and financial reporting platforms, and related systems are necessary for the operation of our business. We use these systems, among others, to manage our tenant relationships, for internal communications, for accounting to operate our record-keeping function, and for many other key aspects of our business. Our business operations rely on the secure collection, storage, transmission, and other processing of proprietary, confidential, and sensitive data.

Managing Material Risks & Integrated Overall Risk Management

We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our technology department continuously identifies, evaluates and manages material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and tenant data in alignment with our business objectives and operational needs.

Engage Third-parties on Risk Management

Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors and consultants in evaluating and testing our risk management systems. We seek to engage reliable, reputable service providers that maintain cybersecurity programs. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third parties include regular monitoring, threat assessments, and consultation on security enhancements. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider, conducting security assessments, and conducting periodic reassessments during their engagement.

We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our Company or the Operating Partnership, including our business strategy, results of operations, or financial condition. Refer to “Item 1A. Risk factors” in this Annual Report, including the risk factor entitled “Cyber-attacks or acts of cyber-terrorism could disrupt our or our third-party providers' business operations and information technology systems or result in the loss or exposure of confidential or sensitive customer, employee or Company information”, for additional discussion about cybersecurity-related risks.

Governance

The Board is focused on the critical nature of managing risks associated with cybersecurity threats. The Board has delegated to its Audit Committee oversight of management's processes for identifying and mitigating risks, including cybersecurity-related risks, to help align our risk exposure with our strategic objectives.

Board of Directors Oversight

The Audit Committee of the Board oversees our annual enterprise risk assessment, where we assess key material risks within our Company, including technology risks and cybersecurity threats. The Audit Committee engages in regular discussions with management regarding the Company’s significant financial risk exposures and the measures implemented to monitor and control these risks, including those that may result from material cybersecurity threats. These discussions include the Company’s risk assessment and risk management policies.

31



Management’s Role Managing Risk

Assessing, identifying and managing cybersecurity related risks are integrated into our overall enterprise risk management ("ERM") process. Cybersecurity related risks are included in the population that the ERM function evaluates to assess the top risks to the enterprise on a quarterly basis. To the extent the ERM process identifies a heightened cybersecurity related risk, management develops risk mitigation plans to minimize the risk. The ERM annual risk assessment is presented to the Audit Committee of the Board.

Monitor Cybersecurity Incidents

The Senior Vice President of Information Technology ("SVP IT") is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The SVP IT implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, we believe we have a well-defined incident response plan governing our assessment, response and notifications internally and externally upon the occurrence of a cybersecurity incident.

Depending on the nature and severity of an incident, this process provides for evaluation by an executive management group to determine if the incident is material to us by evaluating the impact on our financial condition, reputation and potential litigation risk and regulatory impact. The management group is comprised of the Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, General Counsel, Chief Accounting Officer and the SVP IT to determine if escalation is necessary by the Chief Executive Officer to the Board (specifically our Lead Independent Director and the Audit Committee Chair).

Reporting to Board of Directors

The SVP IT plays a pivotal role in informing the Audit Committee on cybersecurity-related risks. The Audit Committee holds quarterly meetings and the SVP IT provides periodic reports, on at least a quarterly basis, to the Audit Committee.

These reports cover a broad range of topics, including:

Status of ongoing cybersecurity initiatives and strategies;
Incident reports and learnings from any cybersecurity events; and
Compliance with regulatory requirements and industry standards

The SVP IT regularly informs our executive management group of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity environment and potential risks facing us. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the Audit Committee, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.

As of the date of this Annual Report, we have not experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition.

32