Piedmont Office Realty Trust, Inc. - (PDM)

10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

To identify and assess material risks from cybersecurity threats, our enterprise risk management program considers cybersecurity threats alongside other company risks as part of our overall risk assessment process. In addition, we perform an external, specific cybersecurity risk assessment every eighteen months. Included in our management of cybersecurity risk is our annual review of our Incident Response Plan/Policy, involving employees from all responsibility levels of the company. Our Chief Financial and Administrative Officer has primary responsibility for overseeing our information systems and information technology resources, including risks from cybersecurity threats. To assist our Chief Financial and Administrative Officer in discharging these responsibilities, we have a standing management committee to address information technology and cybersecurity risk matters, comprised of our Chief Financial and Administrative Officer, the principal of a third-party managed security service provider (an “MSSP”), our Vice President of Risk Management, our Chief Accounting Officer, our Senior Vice President of Human Resources and certain other members of our information technology staff and property management. This committee meets on a quarterly basis, with additional meetings held as needed throughout the year, to:

monitor emerging data protection laws and implement changes to our processes designed to comply with these laws;
identify and assess material risks from cybersecurity threats;
provide guidance on our cybersecurity strategy development and implementation;
ensure that regular risk assessments and appropriate mitigation strategies are in place;
ensure the performance of regular vulnerability and penetration testing and remediation of findings;
oversee the implementation and management of cybersecurity-related tools such as security information and event management systems;
review relevant service organization controls reports for the MSSP that serves as our Security Operation Center; and
require training and security awareness programs for our employees.

Our Vice President of Risk Management monitors and tests these initiatives on a periodic basis. Additionally, our Chief Financial and Administrative Officer partners with the MSSP and our information technology staff throughout the organization to manage material risks from cybersecurity threats, as well as to provide managerial and operational support for our information systems and information technology resources on a daily basis.

We also maintain an incident response plan to coordinate the actions we take to prepare for, detect, respond to and recover from cybersecurity incidents, which includes processes to triage, assess the severity of, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. The incident response plan is tested annually, with tabletop exercises to assess the validity of the plan and to make necessary modifications, as needed, on a bi-annual basis.

We utilize external risk advisory and accounting firms to perform an audit focusing on entity-level, application and information technology general computer controls annually, as well as the full cybersecurity risk assessment mentioned above. Audit results and the risk assessments are reviewed by our Chief Financial and Administrative Officer, the principal of the MSSP, and our Vice President of Risk Management. Any exceptions are addressed with a remediation plan and implemented with appropriate resources. Audit results, risk assessments and remediation plans are discussed with the Audit Committee of the board of directors, which has responsibility for cybersecurity risk oversight, each quarter until all points are fully resolved.

We also identify and oversee cybersecurity risk from third-party service providers through our vendor management policy, which requires increasing levels of due diligence and required insurance coverages in proportion to each provider's access to our information systems.

Although we have never experienced a material information security breach nor have we incurred any expenses related to such a breach, we take a proactive approach to managing information security risk. Our process for managing existing and new service providers evaluates the degree to which such service providers will interface with our systems. This process dictates minimum insurance requirements and increased security documentation and protocols as interaction with our systems increases. We also have an information security training and compliance program which includes cybersecurity updates, notices, reminders, and simulated cyber-attacks emailed to all employees bi-weekly and that all employees are required to participate in at least annually. Further, we have a documented business continuity plan that is updated and tested on an annual basis and we carry an information security risk insurance policy.

See “We face risks related to the occurrence of cyber incidents, or a deficiency in our cybersecurity, which could negatively impact our business by causing a disruption to our operations, a compromise or corruption of our confidential information, and/or damage to our business relationships, all of which could negatively impact our financial results” included as part of the risk factors described in Item 1A of this Annual Report on Form 10-K for additional information on the potential impact any cybersecurity incident may have on our business, results of operations, financial condition and cash flows.

Cybersecurity Governance

The Audit Committee of the board of directors oversees cybersecurity risk and is comprised of three independent members with diverse expertise, including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively. The chair of our Audit Committee holds a Certificate in Cybersecurity Oversight from the National Association of Corporate Directors and has previous work experience at a large retailer with point-of-sale cybersecurity exposure. The Audit Committee receives quarterly updates summarizing ongoing information technology and cybersecurity initiatives from our Chief Financial and Administrative Officer and reviews the results of our annual risk assessment and regular cyber risk assessment upon completion. Any significant issues identified are reported to the Audit Committee of the board of directors on a quarterly basis.

As described above, our management team is responsible for the day-to-day assessment and management of material risks from cybersecurity threats through our Chief Financial and Administrative Officer, our standing management committee on information technology and cybersecurity risk matters and the MSSP. If a cyber attack were to occur, this group would be notified through our Incident Response Plan/Policy and appropriate actions would be undertaken in accordance with the plan document.

Our Vice President of Risk Management is a Certified Information Systems Auditor (CISA) and a Certified Internal Auditor (CIA) and holds a Certificate in Risk Management Assurance (CRMA). Personnel from the MSSP hold several certifications, including but not limited to: Certified Information Systems Security Professional (“CISSP”); ITIL Foundations; Fortinet Certified Network Security Administrator and Professional; Microsoft Certified IT Professional, Technology Specialist, and Solutions Associate; and Citrix Certified Administrator/Citrix Presentation Server 4.0. The external risk advisory and accounting firms that we use to perform the audits and assessments described above utilize personnel qualified as one or more of the following: Certified Information Systems Auditor (CISA), CISSP, Certified Information Security Manager (CISM), and Certified Information Technology Professional (CITP).
