HIGHWOODS PROPERTIES, INC. - (HIW)
10-K Filing Date: February 06, 2024
ITEM 1C. CYBERSECURITY
We face risks associated with security breaches through cyber attacks, cyber intrusions or otherwise, and other significant disruptions of information technology networks and related systems. See also “Item 1A. Risk Factors – Risks Related to our Operations – We face risks associated with security breaches through cyber attacks, cyber intrusions, ransomware or otherwise, as well as other significant disruptions of our information technology (“IT”) networks and related systems.” We have never experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. With the assistance of a third party technology consulting firm, we have adopted and implemented an approach to identify and mitigate cybersecurity risks. For example, we are in the process of adopting and implementing many of the voluntary practices recommended under the National Institute of Standards and Technology cybersecurity framework, which we believe is a best practice for U.S.-based real estate companies.
Management’s information technology steering committee, which is led by the chief information officer and includes all of our executive officers, is responsible for assessing and managing material risks from cybersecurity threats from our own information technology networks and systems we use that are owned by third party service providers. Ryan Hunt has served as our chief information officer since June 2021. Mr. Hunt joined us in 1997 and quickly transitioned his focus to technology. He began his technology career on the IT help desk, served in various other roles within the technology department and most recently served in the role of senior director of application development. Mr. Hunt earned his Bachelor of Science degree in Management Information Systems from North Carolina State University.
Under the direction of our chief information officer with oversight from management’s steering committee, the Company has implemented a cybersecurity incident response plan that sets forth a process for detecting and responding to cybersecurity incidents, determining their scope and risk, developing an appropriate response to mitigate and remediate the incident, communicating effectively to all stakeholders and participants and reducing the likelihood of similar future incidents. In the event of a real or perceived cybersecurity incident, the chief information officer would, as soon as practicable, inform management’s steering committee, the members of which would then collaborate with the chief information officer to manage material risks.
As part of our overall enterprise risk management processes and to better evaluate our cybersecurity risks, we have conducted a business impact analysis by leveraging our annual company-wide enterprise risk management assessment to understand the relationship between our critical business operations and our information technology systems. We partner with a third party service provider to assist us on a real-time basis with detecting advanced threats, streamline and collaborate on investigations and recommend actions to further strengthen our systems and, if and when necessary, respond to incidents. In addition, we regularly engage independent third parties to test our cybersecurity processes and systems through consulting, independent audits and penetration testing. We also have a cyber risk insurance policy designed to help us mitigate risk exposure by offsetting costs involved with recovery and remediation after a cybersecurity breach or similar event.
We regularly conduct cybersecurity training to ensure all employees are aware of cybersecurity risks and to enable them to take steps to mitigate such risks. For example, all employees are required to successfully complete a cybersecurity risk module and assessment on a quarterly basis. As part of this program, we also take reasonable steps to ensure any employee who may come into possession of confidential financial or health information has received appropriate cybersecurity awareness training and, if applicable, payment card industry (PCI) training.
The audit committee of the Company’s Board of Directors is responsible for overseeing management’s information technology steering committee as well as management’s risk assessment and risk management processes designed to monitor and control cybersecurity threats. Management’s steering committee, led by the Company’s chief information officer, regularly briefs the audit committee on cybersecurity matters. These briefings generally occur on a quarterly basis. In the event we experience a cybersecurity incident that could materially affect us, including our business strategy, results of operations or financial condition, the Company’s chief information officer and other members of management’s steering committee (which include executive officers who are also part of our disclosure committee) would review the incident with the audit committee to consider whether and to what extent disclosure is required under Item 1.05 of Form 8-K.