Phillips Edison & Company, Inc. - (PECO)

10-K Filing Date: February 12, 2024
ITEM 1C. CYBERSECURITY
PECO’s cybersecurity program is generally based on the National Institute of Standards and Technology cybersecurity framework (“NIST CSF”) with the intention of preventing, identifying, detecting, and mitigating cybersecurity risks. This does not imply that we meet or comply with any particular technical standards, specifications, frameworks, or requirements including the NIST CSF, only that we use the NIST CSF as a guide. Our program focuses on people, processes, and technologies and includes training of associates, periodic workforce testing, and the deployment and monitoring of technical security solutions and controls.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Our management team, including the Chief Information Officer (“CIO”), is responsible for identifying and managing our material risks from cybersecurity threats. The CIO has primary responsibility for leading our overall cybersecurity risk management program and supervises both the PECO cybersecurity team and our retained external cybersecurity consultants. The management team, led by the CIO and cybersecurity team, stays informed about cybersecurity risk including prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the PECO environment. The CIO works closely with members of PECO's cybersecurity team, who have years of experience working in cybersecurity, possessing industry certifications such as Certified Information Systems Security Professional (“CISSP”) and Security+, and pursuing advanced degrees and studies in the field. Cybersecurity team members participate in recurring cybersecurity team meetings with the CIO and provide monthly executive leadership updates. The Board oversees our cybersecurity program and is periodically briefed by management, including the CIO, on cybersecurity risks and initiatives. In addition, management updates the Board as necessary regarding any significant cybersecurity incidents.
The cybersecurity team delivers cybersecurity training to associates, including security videos and informational tips, new hire training, out-of-band cybersecurity alerts, and simulated phishing campaigns with teachable moments and focused training, all designed to provide security-specific knowledge to our associates. Positive reinforcement is utilized and encourages associates’ participation, in addition to required periodic training. The PECO cybersecurity team participates in cybersecurity training, activities, and events to stay current with the evolution of security threats, security solutions, best practices, and the risks facing PECO.
At PECO, we are committed to protecting the confidentiality and integrity of our data and systems. Among other things, our key contracts contain requirements that counterparties maintain standards of data security and privacy compliance.
PECO maintains, internally publishes, and annually reviews its cybersecurity policies and procedures, which include an incident response plan. Additionally, PECO engages with external cybersecurity experts to conduct annual penetration testing, provide monitoring of the environment, conduct tabletop exercises, and provide dedicated incident response and advanced forensics capabilities. In addition to internal audits and external reviews, assessments have included the NIST CSF, cybersecurity maturity assessment, and Center for Internet Security Benchmarks to identify opportunities for enhancement.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our financial results and business operations. See “Item 1A. Risk Factors – Risks Related to Business Continuity”.


PHILLIPS EDISON & COMPANY
DECEMBER 31, 2023 FORM 10-K