AGREE REALTY CORP - (ADC)
10-K Filing Date: February 13, 2024
Risk Management and Strategy
Managing Material Risks & Integrated Risk Management
We have a comprehensive and systematic cybersecurity risk assessment program, which covers the identification, analysis, evaluation, and management of cybersecurity risks. The program follows a risk-based approach, which prioritizes the cybersecurity risks according to their likelihood and impact and allocates the appropriate resources and actions to mitigate these risks and leverages the National Institute of Standards and Technology (NIST) framework.
The program is cross-functional involving the participation and input of internal stakeholders, third-party consultants and board oversight. The program is reviewed and updated on a monthly basis, or whenever there is a significant change in our environment, operations, or objectives.
Engagement and Oversight of Third-parties
We have contracted a reputable, global third-party external Security Operations Center (“SOC”) to ensure that cybersecurity processes, tools, and monitoring are operating continuously. The SOC service provides a holistic view of our security landscape using a cloud-native Security Incident & Event Management platform, removing security silos to gain actionable insights and providing continuous 24/7 detection and response services, as well as proactively identifying threats to prevent security disruptions.
We engage the SOC on a regular basis to conduct external audits and assessments of our cybersecurity posture and performance. The SOC provides independent and objective feedback and recommendations on how to improve our cybersecurity strategy, policies, processes, and controls. The SOC also assists the Company in identifying and prioritizing the most critical and emerging cybersecurity risks and threats, and in aligning our cybersecurity initiatives with the best practices and standards in the industry.
We also have a robust and rigorous oversight process for managing cybersecurity risks related to our third-party service providers. The process includes:
● conducting due diligence and background checks on the potential service providers;
● verifying their cybersecurity credentials, capabilities, and track record;
● establishing clear and specific contractual terms and conditions regarding the Company’s cybersecurity expectations, obligations, and the responsibilities of the service providers; and
● monitoring and auditing the service providers’ performance, compliance, reporting and escalation procedures for any cybersecurity issues or incidents identified.
Risks from Cybersecurity Threats
While we face a variety of cybersecurity risks, such as phishing attempts, ransomware attacks, and unauthorized access attempts, such risks have not materially affected us to date, including our business strategy, results of operations or financial condition. For more information about the cybersecurity risks we face, see “Item 1A – Risk Factors - We face risks relating to information technology and cybersecurity attacks, loss of confidential information and other business disruptions.”
Governance
Board of Directors’ Oversight
Our board of directors takes an active and informed role in our risk management policies and strategies. Our executive officers, who are responsible for our day-to-day risk management practices, present to the board of directors on the material risks to our Company, including risks related to information technology and cybersecurity.
The audit committee has formal oversight responsibility for cybersecurity and is responsible for reviewing the Company’s policies and procedures with respect to cybersecurity risk assessment and risk management. As part of the board of directors and audit committee’s oversight, the Chief Information Officer (“CIO”) provides quarterly updates to the audit committee with respect to cybersecurity incidents, mitigation, and management.
Management’s Role in Managing Risk
Our CIO is responsible for developing and overseeing matters related to cybersecurity and serves as the Company’s Chief Information Security Officer. The CIO reports directly to the Chief Operating Officer, who is accountable for the overall information technology and security strategy and governance of the Company.
We have a comprehensive and continuous cybersecurity training program for our employees, which aims to raise their awareness and knowledge of cybersecurity threats and challenges, and to enhance their skills and competencies in preventing and responding to cybersecurity incidents. The program covers the Company’s cybersecurity policies and guidelines, cybersecurity best practice guidelines, and cybersecurity scenarios and simulations.
In connection with improving the management of cybersecurity risk, the Company has:
● audited our systems with the help of information security consultants;
● completed ransomware simulations and enhanced our Disaster Recovery and Business Continuity Plan to reflect lessons learned;
● conducted recovery simulation of our proprietary database to determine restoration timing;
● conducted penetration testing and remediated all issues identified; and
● enhanced e-mail filtering software to limit the possibility of phishing or ransomware attacks.
Monitoring Cybersecurity Incidents
We have a well-defined and tested cybersecurity incident response plan, which outlines the roles and responsibilities, procedures and protocols, tools and resources, and communication and escalation channels that will be activated and implemented in the event of a cybersecurity incident. The plan aims to detect and contain the incident, analyze and assess its nature, scope, and severity, and restore and resume the normal operations and functions of the Company.