Paramount Group, Inc. - (PGRE)
10-K Filing Date: February 14, 2024
Governance Related to Cybersecurity Risks
Our board of directors is responsible for overseeing the Company’s risk management process. Our board of directors focuses on our general risk management strategy and the most significant risks facing the Company, and works to ensure that appropriate risk mitigation strategies are implemented by management. Our board of directors also is apprised of particular risk management matters in connection with its general oversight and approval of corporate matters.
Our board of directors has delegated oversight of the Company’s risk management process to the Audit Committee of our board of directors (the “Audit Committee”). Among its duties, the Audit Committee reviews with management the Company’s policies with respect to risk assessment and management of risks that may be material to us, including cybersecurity risk management. The Audit Committee receives, at a minimum, quarterly reports about legal and compliance matters, which can include reporting on cybersecurity incidents occurring or threats that have been thwarted or are being monitored during the prior period, as reported internally by the Chief Information Technology Officer (“CITO”).
The CITO, who has served in this role for over eight years, regularly reports cybersecurity updates to our Chief Operating Officer who, in his dual role as Chief Financial Officer, is our primary liaison with the Audit Committee. To inform these updates and help guide cybersecurity-related activities across our organization, the CITO has assembled a cybersecurity focus group and steering committee that meets on a quarterly basis and is made up of experienced representatives from our various cybersecurity risk management consultants, external network security experts and cloud storage providers. These meetings are chaired by the CITO and include discussion of our cybersecurity needs, taking into account the latest industry trends.
On an annual basis, the CITO presents to the Audit Committee a detailed overview of our IT department’s operations, including staffing and the risks inherent in this functional area, in order to apprise the Audit Committee, among other things, of our cybersecurity risks, how they arise throughout our business and what management’s mitigation strategies are. The Audit Committee periodically engages third-party specialists to perform maturity assessments of our cybersecurity program. The Audit Committee reports on these matters to our board of directors as needed. In addition, the CITO periodically presents directly to our board of directors on our cybersecurity program.
Cyber Risk Management and Strategy
We face risks associated with security breaches through cyber-attacks, cyber intrusions or otherwise, as well as other significant disruptions of our IT networks and related systems. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to and security incidents related to our data and systems. For more information about the cybersecurity risks we face, see Item 1A, Risk Factors. To help manage these risks, we have implemented and maintain a cybersecurity risk management program that includes processes for the identification, assessment, and treatment of cybersecurity risks. These assessments are aligned with industry standards and leading practices, and provide a comparison based on practices at comparable organizations and recommendations for management to consider.
In addition to these external assessments, compliance readiness is assessed at a minimum annually by our CITO, in the form of penetration testing and vulnerability assessments. This program extends to a review of the cybersecurity measures in place at the properties that we own as well as our corporate headquarters, and selected senior managers also have participated in a tabletop exercise curated by our external security consultant to test and improve our incident response planning. We also maintain processes around third-party vendor risk management, such as the submission of vendor questionnaires to critical vendors and the inclusion of contractual security requirements as appropriate.