ALEXANDRIA REAL ESTATE EQUITIES, INC. - (ARE)

10-K Filing Date: January 29, 2024
ITEM 1C. CYBERSECURITY

Risk management and strategy

Our corporate information technology, communication networks, enterprise applications, accounting and financial reporting platforms, and related systems, and those that we offer to our tenants are necessary for the operation of our business. We use these systems, among others, to manage our tenant and vendor relationships, for internal communications, for accounting to operate record-keeping function, and for many other key aspects of our business. Our business operations rely on the secure collection, storage, transmission, and other processing of proprietary, confidential, and sensitive data.

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and tenant data (“Information Systems and Data”).

We rely on a multidisciplinary team, including our information security function, legal department, management, and third-party service providers, as described further below, to identify, assess, and manage cybersecurity threats and risks. We identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including, for example, using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and threat actors, conducting scans of the threat environment, evaluating our industry’s risk profile, utilizing internal and external audits, and conducting threat and vulnerability assessments.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards, and/or policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including risk assessments, incident detection and response, vulnerability management, disaster recovery and business continuity plans, internal controls within our accounting and financial reporting functions, encryption of data, network security controls, access controls, physical security, asset management, systems monitoring, vendor risk management program, employee training, and penetration testing.

We work with third parties from time to time that assist us to identify, assess, and manage cybersecurity risks, including professional services firms, consulting firms, threat intelligence service providers, and penetration testing firms.

To operate our business, we utilize certain third-party service providers to perform a variety of functions. We seek to engage reliable, reputable service providers that maintain cybersecurity programs. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider, conducting security assessments, and conducting periodic reassessments during their engagement.

We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition. Refer to “Item 1A. Risk factors” in this annual report on Form 10-K, including “If our information technology networks or data, or those of third parties upon which we rely, are or were disrupted or otherwise compromised, we could experience costly remediation or other expenses, liability under federal and state laws, and litigation and investigations, any of which could result in substantial reputational damage and materially and adversely affect our business, financial condition, results of operations, cash flows, and the market price of our common stock”, for additional discussion about cybersecurity-related risks.

Governance

Our Board of Directors holds oversight responsibility over the Company’s strategy and risk management, including material risks related to cybersecurity threats. This oversight is executed directly by the Board of Directors and through its committees. The Audit Committee of the Board of Directors (the “Audit Committee”) oversees the management of systemic risks, including cybersecurity, in accordance with its charter. The Audit Committee engages in regular discussions with management regarding the Company’s significant financial risk exposures and the measures implemented to monitor and control these risks, including those that may result from material cybersecurity threats. These discussions include the Company’s risk assessment and risk management policies.

Our management, represented by our Chief Technology Officer, Greg C. Thomas, and our Chief Financial Officer and Treasurer, Marc E. Binda, leads our cybersecurity risk assessment and management processes and oversees their implementation and maintenance.
51



Greg C. Thomas is an experienced information technology professional in our information technology department and has served as Chief Technology Officer since 2018. He works with the Company’s internal information technology department and external partners to monitor and improve our cybersecurity capabilities. Mr. Thomas possesses a proven real estate industry track record of guiding organizations through strategic technology, organizational, risk mitigation, process improvement initiatives, and digital transformations. He also possesses extensive experience in technology and cybersecurity, gained over his career spanning more than 30 years, including as Chief Information Officer at two other large real estate firms, as well as in leadership roles within the real estate industry technology practices of Ernst & Young LLP and Deloitte LLP. He earned Bachelor of Science degrees in Systems Analysis and Finance from Miami University.

Marc E. Binda, CPA, is an experienced risk management professional in our finance and risk management function and has served as Chief Financial Officer since September 2023 and as Treasurer since April 2018. Mr. Binda previously served as Executive Vice President – Finance and Treasurer from June 2019 to September 2023, as Senior Vice President – Finance and Treasurer from April 2018 to June 2019, as Senior Vice President – Finance from April 2012 to April 2018, and in other capacities from January 2005 to April 2012. Mr. Binda currently oversees key functions for the Company’s accounting, finance, and treasury strategies, including risk management. In addition, Mr. Binda leads the Company’s cybersecurity risk oversight and the development and enhancement of internal controls designed to prevent, detect, address, and mitigate the risk of cyber incidents.

Management, in coordination with our information technology department, is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Management is responsible for approving budgets, approving cybersecurity processes, and reviewing cybersecurity assessments and other cybersecurity-related matters.

Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances. Management, including the Chief Technology Officer and Chief Financial Officer and Treasurer, serves on the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response processes include reporting to the Audit Committee for certain cybersecurity incidents. The Audit Committee holds quarterly meetings and receives periodic reports from management, including our Chief Technology Officer and Chief Financial Officer and Treasurer, concerning the Company’s significant cybersecurity threats and risk and the processes the Company has implemented to address them.
52