Prologis, Inc. - (PLD)

10-K Filing Date: February 13, 2024
ITEM 1C. Cybersecurity

Due to our reliance on digital technology and electronic communications to run our business, cybersecurity threats and incidents pose an ongoing and escalating risk to our internal and third-party provided information systems and data, reputation and shareholder value, results of operations and financial condition. Our Chief Technology Officer, who reports directly to our Chief Executive Officer, holds over 25 years of experience in information technology, specifically infrastructure, information security and fraud, and identity solutions at large global companies, and our Vice President of Information Technology (“IT”) Governance, who reports to our Chief Technology Officer, holds 20 years of experience in various information security roles. Together, our Chief Technology Officer and Vice President of IT Governance (“IT leadership”) oversee and lead our information security program and our business strategy, financial planning and capital allocation around our cybersecurity risk management and governance practices. We also have an established Incident Response Team (“IRT”) to respond to and manage cybersecurity events. This team includes our IT leadership as well as senior leadership from our accounting, legal, corporate communications and risk management departments with subject-matter expertise and established tenure at Prologis in their respective areas. The IRT is tasked with taking appropriate action to safeguard the integrity of our information systems, data and network resources, investigate whether a breach occurred, define disclosures, communicate effectively with key audiences, including the Board as necessary, mitigate cybersecurity incident risks and provide a resolution through our cybersecurity incident communication protocols. Additionally, on an annual basis the IRT is involved and engaged in security initiatives, including tabletop exercises facilitated both internally and externally, to stay relevant on current practices in the areas of cybersecurity.

The processes implemented by our IT leadership and IRT to oversee and identify cybersecurity risks are based on the Prologis Information Security Policy governed by the NIST Cybersecurity Framework. The framework focuses on five key categories of cybersecurity risk management and governance: (i) identify: develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities; (ii) protect: develop and implement appropriate safeguards to ensure delivery of critical services; (iii) detect: develop and implement appropriate activities to identify the occurrence of a cybersecurity event; (iv) respond: develop and implement appropriate activities to take actions regarding a detected cybersecurity incident; and (v) recover: develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or service that were impaired due to a cybersecurity incident. This framework is utilized within our organization as part of an integrated risk management program that involves participation from employees, to our Board and third-party service providers, with whom we have protocols in place to mitigate cybersecurity incident risks within our supply chain through the products and services we provide and use. Additionally, all employees and contractors are required to attend mandatory cybersecurity training on an annual basis.

Our IT leadership reports to the Board on an annual basis on cybersecurity matters and, as necessary, when incidents arise in accordance with our cybersecurity incident communication protocols. Our Board, specifically our Audit Committee, oversees cybersecurity risks and we believe contains the necessary expertise to perform those duties, including specific industry experience within information technology. Additionally, Prologis’ cybersecurity risk management practices are reviewed and benchmarked against its peers through regular participation in a third-party security benchmarking survey. Our IT infrastructure is externally audited as part of our Sarbanes-Oxley audit process and our controls include information security standards. We also maintain standalone cybersecurity insurance and strive to adhere to local cybersecurity regulations in all the countries we do business. We believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected, and are not reasonably likely to materially affect Prologis, including its business strategy, results of operations or financial condition. Please refer to “Our business and operations could suffer in the event of system failures or cybersecurity attacks” under Item 1A. Risk Factors.