Brixmor Property Group Inc. - (BRX)
10-K Filing Date: February 12, 2024
Item 1C. Cybersecurity
Given the critical importance of cybersecurity, including data privacy, we believe we have developed a comprehensive cybersecurity program, supported by robust risk management and oversight procedures. We are committed to implementing leading data protection standards and have a comprehensive set of written policies and standards that take into account the guidance of industry-standard cybersecurity frameworks.
Management and Board Oversight
We have dedicated cybersecurity resources led by our Chief Information Officer ("CIO"), who regularly provides reports to our executive officers, including the CEO and CFO. Our CIO has over 20 years of experience in the cybersecurity and IT fields and holds multiple degrees, including a Bachelor of Science in Information Science and a Master of Business Administration. Additionally, our CIO is a Certified Information Security Manager.
We have developed a cybersecurity incident response plan ("CSIRP") for cybersecurity incidents that may jeopardize the confidentiality, integrity, or availability of our IT systems. Our CSIRP guides the internal response to cybersecurity incidents, following a process that generally aligns with the industry-standard cybersecurity frameworks. Pursuant to the CSIRP and its escalation protocols, we engage the incident response team ("IRT"), which includes designated personnel responsible for: (1) analyzing the severity of the incident and associated threat; (2) notifying management of the threat; (3) containing the threat; (4) eradicating the threat; (5) restoring data and access to systems; (6) working with management to determine the reporting and disclosure obligations associated with the incident; and (7) performing post-incident analysis and improvements. The IRT is led by an incident response coordinator, which in the event of a cybersecurity incident would generally be the CIO, and includes members of our IT resources, risk management, legal, communications, finance, and accounting teams, in addition to any other necessary personnel depending on the particular facts and circumstances of the incident. When a cybersecurity incident is detected, the incident response coordinator notifies relevant members of management, as appropriate and consistent with the escalation protocols of the CSIRP, such as the CEO, CFO, and General Counsel, and provides an assessment of the incident and containment strategy, if applicable.
We consider cybersecurity as part of our broader consideration of business strategy and risk management. Our board of directors has delegated to the Audit Committee the responsibility of overseeing our risk management program, including risk assessment, risk management, and risk mitigation policies and programs. A key part of this responsibility is overseeing the cybersecurity program. The Audit Committee receives quarterly updates from our CIO with respect to the cybersecurity program, including current threat levels and ongoing program enhancements. The Audit Committee oversees our compliance with the industry-standard cybersecurity frameworks, our cybersecurity insurance coverage, cybersecurity-related internal controls, penetration testing, the CSIRP, business continuity plans, and threat assessments. The Audit Committee also periodically evaluates our cyber strategy to ensure its effectiveness, including benchmarking against our peers.
Processes for Assessing, Identifying, and Managing Material Risks from Cybersecurity Threats
Our cybersecurity program has four components: (1) preparation and prevention; (2) detection and analysis; (3) incident response including containment, eradication, recovery, and reporting; and (4) post-incident analysis and program enhancements.
Preparation and Prevention
We utilize a variety of tools, processes, software, and hardware that are managed and monitored by our IT resources and third-party vendors, as applicable, to prevent and prepare for cybersecurity threats. We conduct regular internal and external security audits and vulnerability assessments to reduce the risk of a cybersecurity incident and we implement business continuity, contingency, and recovery plans to mitigate the impact of an incident. As part of these efforts, we engage a third party to conduct penetration testing and an external review of our vulnerabilities. We continue to strengthen access management mechanisms including broad adoption of multi-factor authentication, geolocation-based blocking, and network segmentation. To support our preparedness, we perform tabletop exercises at least once a year to test our CSIRP.
We recognize that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, a key element of our prevention efforts is comprehensive employee training to recognize and respond to cybersecurity threats. All new hires receive mandatory privacy and information security training. Employees must also complete mandatory ongoing annual cybersecurity and data trainings, which are supplemented throughout the year by regular phishing and other cyber-related testing. Additionally, we conduct specialized training for our high-risk employees on an annual basis and specialized training for employees with access to certain sensitive information systems. These trainings and tests are tracked throughout the year for each employee and are directly tied to their overall compensation.
We recognize that our third-party vendors can be subject to cybersecurity incidents which may impact us. To mitigate third-party risk, vendor access to network resources is reviewed, authorized, and monitored by our IT resources. This includes cybersecurity requirements for our third-party vendors, estimated termination dates for network access, and regular reviews of all third-party vendor accounts; after access is granted, it is managed through various security tools. Third-party IT vendors are also subject to additional diligence such as questionnaires, inquiries, and relevant certifications.
Detection and Analysis
Cybersecurity incidents may be detected through a variety of means and indicators, which may include, but are not limited to, alerts from customers, employees, vendors, service providers, other third parties, and/or automated event-detection notifications. Once a potential cybersecurity incident is identified, including a third-party cybersecurity event, the incident response coordinator follows the procedures pursuant to the CSIRP to investigate the potential incident, including classifying the nature and severity of the event (e.g. malware, ransomware, service interruption, denial of service, distributed denial of service, personal data breach, intellectual property breach, theft, or fraud) and sensitivity of any compromised data.
Containment, Eradication, Recovery, and Reporting
With every cybersecurity incident, the highest priority for the IRT is to contain the cybersecurity incident as quickly as possible. A cybersecurity incident is considered contained when the attacker’s ability to affect the network resources has been effectively controlled or stopped, the affected system(s) have been identified, and compromised data, memory image, and disks have been collected for analysis. The IRT is responsible for deciding on a containment strategy to respond to the cybersecurity incident, coordinating resources, and communicating to management with subsequent notification to the Audit Committee, if warranted.
The IRT also directs and coordinates eradication and recovery efforts. Eradication and recovery activities depend on the nature of the cybersecurity incident, which may include, but are not limited to, rebuilding systems and/or hosts, replacing compromised files with clean versions, validation of files or data that may have been affected, increased network monitoring or logging to identify recurring attacks, or employee re-training.
Containment, eradication, and recovery may be aided by third-party vendors or investigators. The incident response coordinator, in consultation with the IRT and management, will engage all third parties involved in the incident.
Our CSIRP provides clear communication protocols, including with respect to members of management, including the members of the IRT, CEO, CFO, CIO, General Counsel, Audit Committee, and external counsel, particularly with respect to legal obligations to report the incident to tenants, regulators, and law enforcement and, if applicable, our SEC reporting obligations.
Post-Incident Activity
After recovery, the IRT gathers and preserves all incident-related documentation and conducts a post-incident analysis to identify and implement enhancements to the cybersecurity program that can mitigate the risk and/or severity of future incidents. The results of these reviews are shared with management and the Audit Committee. The incident response coordinator typically oversees the preparation of the formal incident report, its distribution, and the implementation of any enhancements identified through these reviews.
Cybersecurity Risks
As of December 31, 2023, we have not had any material incidents involving cybersecurity attacks. However, we face risks associated with security breaches, whether through cyber-attacks or cyber-intrusions over the Internet, ransomware and other forms of malware, computer viruses, attachments to emails, phishing attempts, or other scams. We make efforts to maintain the security and integrity of our networks and systems, including the proprietary, confidential, and personal information that resides on or is transmitted through them, and we have implemented various cybersecurity policies and procedures to manage the risk of a security incident or disruption. However, there can be no assurance that our cybersecurity efforts and measures will be effective or that attempted cybersecurity incidents or disruptions would not be successful or damaging. See “We and our tenants face risks relating to cybersecurity attacks that could cause the loss of confidential information or other business disruptions” in Item 1A. "Risk Factors" for further information relating to cybersecurity risks.