Douglas Emmett Inc - (DEI)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We are developing a cybersecurity risk management program intended to protect the confidentiality, integrity and availability of our critical systems and information.

Our program is based on frameworks provided by the Center for Internet Security Controls. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the CIS Controls as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational and financial risk areas.

Our cybersecurity risk management program includes among other things:
a.Risk assessments designed to help identify significant cybersecurity risks to our critical systems, information and services;
b.A security team principally responsible for managing (1) our cybersecurity risk assessment process, (2) our security controls, and (3) our response to cybersecurity incidents;
c.The use of external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security controls;
d.An incident response plan with procedures for responding to cybersecurity incidents;
e.Cybersecurity awareness training of our employees, and senior management; and
f.A third-party risk management process for service providers, suppliers and vendors.

There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information.

31


We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations or financial condition. We face ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors in Item 1A."

Governance

Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to our Audit Committee (Committee) oversight of cybersecurity and other information technology risks. The Committee receives periodic reports from management on our cybersecurity risks. In addition, management updates the Committee as necessary, regarding any significant cybersecurity incidents.

The Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives briefings from management on our cybersecurity risk management program. Board members receive presentations on cybersecurity topics from our Chief Information Officer (CIO), internal security staff, or external experts as part of the Board’s continuing education on topics that impact public companies.

Our management team, led by our CIO, is responsible for assessing and managing our significant risks from cyber security threats. The team has primary responsibility for our overall cybersecurity risk management program. Our management team’s experience includes multiple team members with 56 collective years of relevant experience with Douglas Emmett, Inc. The team has extensive knowledge of the technologies and applications addressed by the cybersecurity risk management program.

Our CIO supports the management team in staying informed about and monitoring efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources; and alerts and reports produced by security tools deployed in the IT environment.

































32