COUSINS PROPERTIES INC 10-K Cybersecurity GRC - 2024-02-07

Page last updated on April 11, 2024

COUSINS PROPERTIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-07 16:17:39 EST.

Filings

10-K filed on 2024-02-07

COUSINS PROPERTIES INC filed an 10-K at 2024-02-07 16:17:39 EST
Accession Number: 0000025232-24-000004

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The day-to-day management of cybersecurity is the responsibility of our Senior Vice President, Chief Information Officer, who oversees our Information Technology (“IT”) team. The Chief Information Officer reports directly to the Chief Financial Officer. Our Senior Vice President, Chief Information Officer (“CIO”) has served in this role for over seven years, and has more than 20 years of experience in the aggregate in various roles involving managing information security, technology infrastructure, IT operations, and developing cybersecurity strategy. Together with his IT team and external consultants, our CIO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents through the management of and participation in the cybersecurity risk management processes described below, including the operation of our cybersecurity incident response plan. For many years, we have strategically invested in our cybersecurity programs across the organization, and we have developed and refined our processes for detecting, evaluating, and responding to potential cybersecurity incidents. In particular, we focus on our networks, applications, data, employees, and vendors with a comprehensive cybersecurity plan, informed by nationally recognized frameworks which we use to monitor and improve our program as compared to the framework controls. In addition to our ongoing monitoring, we engage a third-party advisor to perform cybersecurity risk assessments of our information technology security processes and implemented technologies. We have segmented our building networks so that they are separate from our corporate network, and using third party services, we monitor, scan, assess, audit, and remediate identified vulnerabilities across those networks, as appropriate. Furthermore, recognizing that our employees are an essential line of defense in cybersecurity, we engage with our employees in a training and testing program through which we provide education on the risk of potential cybersecurity incidents, methods for identification of such incidents and appropriate responses. Our policies and processes are informed by industry standard practices regarding application security, access management, device protection, network management, and data loss prevention and recovery, and we also maintain a business continuity and disaster recovery plan (including a cybersecurity incident response plan) to reduce the risk and impact of business interruptions, across a range of disaster scenarios, including potential impacts from a cybersecurity incident. Our business continuity and disaster recovery plan and our cybersecurity incident response plan are reviewed at least annually, and we also periodically conduct tabletop exercises that include the CIO and key members of management. Our cybersecurity incident response plan includes retention of external experts for prompt assistance following discovery of any material incident. This cybersecurity incident response plan is part of our ongoing cybersecurity vulnerability management, and we endeavor to maintain appropriate controls to identify, monitor, analyze and address potential cybersecurity incidents, including potential unauthorized access to our networks and applications, along with detection of potential unusual activity within our networks or applications. Based on the context and details of the potential cybersecurity incident, the incident response plan includes prompt review by one or more members of the IT Team, with appropriate responses deployed as promptly as is practicable under the circumstances. Additionally, the CIO receives reports on potential cybersecurity incidents. As part of overall enterprise risk management, additional reporting of potential cybersecurity incidents is also provided to our General Counsel, Chief Accounting Officer, and Chief Financial Officer, and the Audit Committee or the full Board, as appropriate. Our Board of Directors provides oversight of risks from cybersecurity threats, in coordination with our management team and the Audit Committee of the Board. Our Board relies on management to bring significant matters impacting the Company to its attention, including with respect to material risks from cybersecurity threats. Our CIO reports on cybersecurity strategy, status of cybersecurity risk control efforts, and third-party cybersecurity risk assessments of our information technology security processes and implemented technologies to the General Counsel, Chief Accounting Officer, Chief Financial Officer, Chief Executive Officer, and our Audit Committee. Our full Board has access to these Audit Committee presentations, including any provided materials. In the event of any material cybersecurity incidents, these presentations would also include information regarding those incidents, including status of mitigation and remediation. Our Audit Committee provides an additional layer of cybersecurity oversight and is responsible for discussing cybersecurity concerns (including data privacy risk management) and the steps management has taken to monitor and control such exposures with management. As part of this oversight, the Audit Committee reviews the results of a biannual risk assessment designed to identify and analyze risks to achieving the Company s business objectives, including material risks from cybersecurity threats. The results of the biannual risk assessment are discussed with management and used to develop the Company s internal audit plan. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected nor are they reasonably likely to affect the Company, including its business strategy, results of operations or financial condition. For a disclosure of our cybersecurity risks, Risk Factors in Part I, Item 1A. 16 Table of Contents

Company Information