CENTERSPACE - (CSR)

10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
We have an information security program designed to identify, protect, detect and respond to and manage reasonably foreseeable cybersecurity risks and threats. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner.
Our Board of Trustees oversees management’s process for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our Senior Vice President of Information Technology (the “SVP of IT”), meets with the Board of Trustees at least annually to present and discuss strategies and cybersecurity initiatives. This meeting includes reporting of cybersecurity incidents at least annually or more often, if identified.
Our SVP of IT leads a team that is responsible for assessing and managing our cybersecurity risks. The SVP of IT has a B.S. in Management Information Systems, spent more than a decade with Microsoft before joining the Company, and is an active member of North Dakota State and Local Intelligence Center (NDSLIC), an affiliate of National Fusion Center Association (NFCA) and United States Homeland Security (DHS). Senior management, including the SVP of IT, conducts regular meetings to discuss technology initiatives and cybersecurity risks and strategies.
A comprehensive approach to assessing, identifying, and managing cybersecurity risks is part of the Company’s overall risk management strategy. A combination of internal and external monitoring services helps identify, manage, and assess how management responds within our enterprise risk management processes. Any known cybersecurity incidents would be reported to our board, chief executive officer, and disclosure committee for evaluation.
We engage third party experts to monitor for and identify cyber threats. Both management and the third party provider receive alerts regarding cyber threats. The third party provider has the ability to act on our behalf to respond to any threats it identifies. We also use, among other things, endpoint monitoring, anti-virus software, multi-factor authentication, and data encryption to assist with managing cyber risks and identifying cyber threats. In addition, we engage a cybersecurity consultant to regularly assess cyber risks and threats and provide recommendations and plans to mitigate those risks.
We utilize third-party service providers for a variety of functions. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers. We look for reliable and reputable service providers that maintain cybersecurity programs based on industry standards. Depending on the nature of the services provided and the sensitivity of information processed, our vendor management process may include contractually imposed obligations on the provider and reviewing the cybersecurity practices of such provider.
In 2021, we suffered a ransomware attack on our information technology systems. This incident did not have a material impact on our business, operations, or financial condition; however, as a result, we began work on certain information technology initiatives earlier than originally planned.
A security breach or other significant disruption involving our computer networks and related systems could cause substantial costs and other negative effects, including litigation, remediation costs, costs to deploy additional protection strategies, compromising of confidential information, and reputational damage adversely affecting investor confidence. Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition and results of operations. See Item 1A. Risk Factors – “We face risks associated with cyber-attacks, cyber intrusions, or otherwise, which could pose a risk to our systems, networks, and services” and “Security breaches could compromise our information and expose us to liability, which would cause our business and reputation to suffer.”