REGENCY CENTERS CORP - (REG)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

The Company employs a tiered structure of management and oversight for cybersecurity, characterized by distinct layers of responsibility and decision making, which includes operation staff, management, and senior management and board-level governance. As discussed in more detail below under “Cybersecurity Governance”, this involves management responsibility through a specialized Cyber Risk Committee (the “CRC”) and oversight of that committee by a group of the most senior leaders of the Company, which comprise the Company’s Executive Committee. At the Company’s Board of Directors (the “Board”) level, the Audit Committee oversees our cybersecurity risk management program.

Our strategy for managing cybersecurity risk is integrated into the Company’s overall risk management program and structure, as depicted in the Corporate Governance section of our Proxy under “Risk Oversight”.

The Company, through its Chief Information Security Officer (“CISO”), other Company employees experienced in information network security, and the use of third-party expertise, references various recognized cybersecurity frameworks. These frameworks are used to benchmark and tailor the Company’s cybersecurity strategies and program to our risk profile and specific operational needs and goals. Our core cybersecurity strategy focuses on five key pillars: identification, protection, detection, response, and recovery, each tailored to meet the specific challenges and needs of our business. The primary goal of this strategy is to proactively safeguard the confidentiality, security, and availability of the information we collect and store. This proactive approach includes identifying, preventing, and mitigating cybersecurity threats, as well as preparing to respond to cybersecurity incidents quickly and efficiently to minimize their impact. Under the leadership of our CISO and CRC, we are committed to a continuous evaluation and enhancement of our cybersecurity practices to facilitate adaptation to the constantly evolving landscape of cybersecurity threats.

We have adopted a risk-based strategy to manage cybersecurity risks associated with third parties. We prioritize our cybersecurity efforts relating to third parties based on the likelihood and potential impact of cybersecurity threats. This includes reviewing the security protocols of key vendors, service providers, and external users of our systems.

The CRC engages third-party expertise from time to time as it deems necessary or appropriate to test our cybersecurity defenses, to evaluate the cybersecurity programs of current and potential vendors and service providers, and to seek specialized legal advice regarding cybersecurity.

Since at least January 1, 2021, we are not aware of any cybersecurity incidents that have materially affected the Company. Based on our current understanding of the cyber risk environment and our preparedness level, we do not believe it to be reasonably likely in the near term that a cybersecurity threat will materially impact our business strategy, results of operations or financial condition.

 

Cybersecurity Governance

The Audit Committee of the Board is charged with overseeing our cybersecurity risk management program. The CRC Chair and the CISO provide the Audit Committee with quarterly updates. These updates cover the overall status of the Company’s cybersecurity program, as well as developments and potential new risks and trends. In the event of a significant cybersecurity threat or incident, the CRC would escalate communication frequency and intensity with the Audit Committee, Board, and the Company’s Executive Committee (discussed below).

As designated by the Company’s Executive Committee and the Audit Committee, our CRC leads Regency's cybersecurity risk management program. This includes risk identification, assessment, management, prevention and mitigation, as well as securing necessary resources and reporting on cybersecurity preparedness to the Executive Committee (which is currently comprised of the CEO, CFO, and several of the Company’s other senior leaders) and the Audit Committee.

CRC membership, which is subject to change from time to time, includes management leadership possessing a diverse range of education, experience and expertise, and is currently comprised of the Company’s CISO, chief accounting officer, head of internal audit, general counsel and chief compliance officer, head of litigation, head of human resources, head of IT operations and the manager of network security. The collective experience of this committee encompasses areas such as IT, network security, change and incident management, public company governance, accounting, financial controls, insurance, risk management, communications, human capital, and legal matters including securities, privacy and technology contracting.

 

 
