Seritage Growth Properties - (SRG)
10-K Filing Date: April 01, 2024
Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing risk associated with cybersecurity threats. We have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such risks. We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. As part of this process, we have elected to engage third-party managed service providers to maintain our network and to manage the monitoring, detection, mitigation, and prevention of cybersecurity threats. These service providers are responsible for managing our hosted services, all of the computer and computer-related hardware and software we use, and for managing our backup processes. Our primary managed service provider supplies management with weekly updates and activity reports related to network alerts, connectivity issues, and help desk tickets.
Our management team has taken additional steps to implement our cybersecurity risk management program. For example, we have implemented periodic management reviews of our controls related to provisioning of user access to certain third-party hosted applications that we use in connection with the business and risks posed by certain critical vendors; this includes reviewing System and Organizational Control audit reports of such vendors. We maintain cybersecurity insurance coverage intended to mitigate our financial exposure to certain cybersecurity threats, and we consult with external advisors regarding opportunities and enhancements to strengthen our cybersecurity processes and practices.
We are subject to risks from cybersecurity threats and incidents. As of December 31, 2023, we do not believe such risks have materially affected or are reasonably likely to materially affect the Company, including the Company’s business strategy, results of operations or financial condition. However, there can be no assurance that the Company will not be materially affected by such risks in the future. For additional information regarding risks from cybersecurity threats, refer to Item 1A, “Risk Factors”, in this Annual Report on Form 10-K.
- 23 -
Governance
Our Board of Directors (the “Board”) considers cybersecurity risk as part of its risk oversight function. In February 2024, the Board delegated to its Audit Committee oversight of cybersecurity and other information technology risks. Our Audit Committee oversees management’s implementation of our cybersecurity risk management program. Our Audit Committee will receive periodic reports from our Interim Chief Financial Officer or our Chief Legal Officer on our cybersecurity risks. In addition, our Interim Chief Financial Officer or our Chief Legal Officer will update our Audit Committee, as necessary, regarding any significant cybersecurity incidents impacting our information systems. Our entire Board will also receive briefings from our Interim Chief Financial Officer or Chief Legal Officer on our cybersecurity risk management program as part of our overall business risk updates.
Our management, represented by our Interim Chief Financial Officer, John Garilli, oversees the Company’s cybersecurity risk management program. We have elected to engage third-party providers to maintain our network defenses and to manage and assess cybersecurity risk management and strategy for the Company. Our third-party providers update Mr. Garilli and other members of our executive management team with any network issues on a weekly basis and make recommendations for security upgrades as needed. The Interim Chief Financial Officer or the Chief Legal Officer will update the Audit Committee quarterly, or more frequently in the case of a significant cybersecurity incident impacting our information systems.
- 24 -