ACADIA REALTY TRUST - (AKR)
10-K Filing Date: February 16, 2024
Governance
Cybersecurity is an integral part of the Board’s risk analysis and discussions with management. At least annually, the full Board is updated on the Company’s cybersecurity risks and risk mitigation strategy by our Vice President of Information Technology, who is responsible for management of our Information Technology program. The Board also receives ad hoc updates, as needed, about material changes to the Company’s cybersecurity program and/or the cybersecurity landscape, including briefings on major legislative and regulatory developments, from our Vice President of Information Technology and representatives from Legal and/or Risk Management, as applicable.
Our Vice President of Information Technology and Director of Risk Management regularly evaluate the Company’s cybersecurity risk profile and lead the development of strategies to mitigate risks and address cybersecurity issues that may arise, in consultation with members of our senior management team. Our Vice President of Information Technology and Director of Risk Management each have approximately 25 years of experience in their respective fields, and our Vice President of Information Technology holds certifications in cybersecurity from accredited information technology certification providers.
We have formal policies and procedures that address cybersecurity incident response and disaster recovery from interference with our critical applications. Our Cybersecurity Incident Response Plan provides a documented framework for responding to cybersecurity incidents in coordination across multiple departments. In the event of such an incident, our Cybersecurity Incident Response Team (“CIRT”), which is comprised of our Vice President of Information Technology, Director of Risk Management and representatives from Risk Management, Legal and Financial Reporting, would respond to such incident in accordance with our Cybersecurity Incident Response Plan. Any cybersecurity incident that meets certain criteria will be communicated by the CIRT to senior management and the Board in a timely manner, and will be evaluated by our Executive Management Team, comprised of certain executives, to assess the impact of the incident on the Company, considering qualitative and quantitative factors. In conducting this assessment and responding to an incident, the CIRT and Executive Management Team may utilize the services of third-party consultants.
Cybersecurity user awareness training is mandatory for all new hires and for existing employees on an annual basis to help protect our employees and the Company against cybersecurity threats. This annual training is customized to address specific cybersecurity challenges and scenarios that we may face within the real estate investment industry. Novel cybersecurity threats to the Company that are identified by our Information Technology team are communicated to all employees by email, as needed, in an effort to promote awareness and protect the Company from cyber attacks.
Risk Management and Strategy
We maintain an Enterprise Risk Management (“ERM”) program to identify and respond to the most critical risks to our business, including cybersecurity risks. Risks and vulnerabilities from our increased reliance on information technology systems are assessed at least annually as part of our ERM program. In response to such assessments, controls are embedded into our processes and technology by our Vice President of Information Technology and Director of Risk Management to seek to mitigate risks to our systems and processes from cybersecurity incidents. We continuously evaluate if we have adequate controls in place utilizing a risk-based approach that aligns with the National Institute of Standards and Technology Cybersecurity Framework.
Our daily operations are monitored by a dedicated information technology team. We conduct monitoring of our computer networks, and have implemented systems and processes intended to secure our information technology systems and prevent unauthorized access to or loss of sensitive data, including through the use of encryption and authentication technologies. We assess the adequacy of our cybersecurity measures through annual penetration testing of our computer networks by external consultants, and we have performed tabletop simulations and drills at both a technical and management level around scenarios involving the loss of critical information and technology systems.
We maintain a risk-based approach to evaluating and overseeing cybersecurity risks presented by our third-party vendors. Third-party vendors that meet certain criteria, such as owning and operating any information technology networks and systems on which the Company relies, are evaluated to assess their performance across several domains, including data security and operations management. We seek to maintain effective communication with our third-party vendors to facilitate timely notification of cybersecurity incidents that might impact the Company.
Although risks from cybersecurity threats have to date not materially affected, and we do not believe they are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition, like other companies in our industry, we could, from time to time, experience threats and security incidents related to our and our third-party vendors’ information systems. For more information, please see Item 1A. Risk Factors - Increased Information Technology (“IT”) security threats and more sophisticated computer crime could pose a risk to our systems, networks, and services.