Veris Residential, Inc. - (VRE)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
The Company’s information technology, communication networks, system applications, accounting and financial reporting platforms and related systems, and those that are offered to residents and tenants are integral to the operation of the business. The Company utilizes these systems, among others, for financial analysis, management, and reporting, for facilitation of operations, including monitoring and optimization of various building management systems, for initiation, generation, and completion of resident leasing, for internal communications, and for various other aspects of the business.
The Company’s cybersecurity strategy is focused on detection, protection, incident response, security risk management and mitigation, and resiliency of the cybersecurity infrastructure. The Company has implemented or is in the process of continuously evaluating, testing and updating various information security processes and policies designed to identify, assess and manage material risks from cybersecurity threats to the Company’s critical computer networks, third-party hosted services, communications systems, hardware and software, and critical data, including confidential information that is proprietary, strategic or competitive in nature, as well as any personally identifiable information related to the Company’s residents’ and employees’ personal data.
The Company’s cybersecurity risk management relies on a multidisciplinary team, including its information technology and cybersecurity team, legal department, executive management, and third-party service providers to identify, assess, and manage cybersecurity threats and risks. In 2023, the Company expanded its team by adding a full-time Chief Information Security Officer (CISO), reporting directly to the Chief Operating Officer, responsible for managing the internal and external cybersecurity resources. The CISO has over 30 years of experience in corporate enterprise infrastructure and data security management held at a senior management level, acting in both a corporate as well as consulting role within many highly regulated industries. The CISO is responsible for having successfully developed and implemented several cyber security programs within prominent companies within the retail, financial and life science sectors.
The Company identifies and assesses risks from cybersecurity threats by monitoring and evaluating the cybersecurity threat environment and the Company’s risk profile. This multi-faceted approach to cybersecurity includes physical, administrative, and technical safeguards. During the year ended December 31, 2023, the Company began utilizing the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) to assess and report to the Company’s executive management and Board of Directors on the current maturity of operational and procedural controls for securing and safeguarding the Company’s information technology assets. The Company will continue to utilize the NIST CSF to evaluate its cybersecurity controls. In addition to the NIST CSF, the Company also completed third-party technical testing of its information technology systems architecture.
To operate its business, the Company engages certain third-party vendors to perform a variety of functions. The Company seeks to engage reliable, reputable service providers. Depending upon the nature of the services and the sensitivity of the data that a third-party service provider processes, the Company’s vendor management procedures include reviewing the cybersecurity procedures, imposing contractual requirements, and conducting periodic reassessments as needed. The Company seeks to further enhance this review to expand the scope and depth of this analysis.
As a result of these factors, the Company has adopted a strategic multi-year cybersecurity plan. This plan is not meant to be all encompassing as the cybersecurity landscape shifts and evolves, and the Company is continually assessing its risks and the evolving cybersecurity threat landscape. This plan includes implementing additional and/or fortifying existing defenses and capabilities necessary to protect and preserve the integrity of the Company’s information assets and mitigate the risks to the Company’s business operations. As part of this plan, the Company requires regular cybersecurity training for all employees and periodically conducts tests to assess employee comprehension and evaluate training effectiveness.
The Company is not currently aware of any risks from cybersecurity threats nor has the Company had a previous cybersecurity incident that in either case have materially affected or are reasonably likely to materially affect the Company, its business strategy, results of operations or financial condition.
Governance
The Company’s Audit Committee holds oversight responsibility over the cybersecurity strategy and risk management. The Audit Committee engages in regular discussions with executive management regarding the Company’s significant financial risk exposures and the measures implemented to monitor and control these risks, including those that may result from material cybersecurity threats. The Company prepares a quarterly report from the Chief Operating Officer and the CISO which includes updates on the Company’s current cybersecurity maturity, progress on the Company’s previously mentioned multi-year cybersecurity plan, strategy updates to combat changes in the threat landscape, education of employees and executive management on cybersecurity awareness, enhanced cybersecurity defenses, incident response programs and regulatory reporting obligations. The Audit Committee delivers a summary of these reports to the full Board of Directors on a quarterly basis. Furthermore, the Board of Directors receives a direct report from the CISO on no less than an annual basis with interim reports provided when appropriate or necessary.
As part of the Company’s incident response plan, a committee known as the Cyber ERM (Enterprise Risk Management) Committee has been established comprising cross-functional representation across the Company. The Cyber ERM is responsible for implementing a rapid response and incident program in the event of an identified cybersecurity threat and is responsible for reporting all incidents to the Audit Committee and Board of Directors in the case of any cybersecurity incident to enable the Audit Committee and Board of Directors to assess the materiality of any such incident and determine any Exchange Act reporting obligations of the Company in connection therewith.