AGREE REALTY CORP 10-K Cybersecurity GRC - 2024-02-13

Page last updated on April 11, 2024

AGREE REALTY CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-13 16:08:48 EST.

Filings

10-K filed on 2024-02-13

AGREE REALTY CORP filed a 10-K at 2024-02-13 16:08:48 EST
Accession Number: 0001558370-24-001056

Item 1C. Cybersecurity.

Risk Management and Strategy

Managing Material Risks & Integrated Risk Management

We have a comprehensive and systematic cybersecurity risk assessment program, which covers the identification, analysis, evaluation, and management of cybersecurity risks. The program follows a risk-based approach, which prioritizes the cybersecurity risks according to their likelihood and impact and allocates the appropriate resources and actions to mitigate these risks and leverages the National Institute of Standards and Technology (NIST) framework.

The program is cross-functional involving the participation and input of internal stakeholders, third-party consultants and board oversight. The program is reviewed and updated on a monthly basis, or whenever there is a significant change in our environment, operations, or objectives.

Engagement and Oversight of Third-parties

We have contracted a reputable, global third-party external Security Operations Center ("SOC") to ensure that cybersecurity processes, tools, and monitoring are operating continuously. The SOC service provides a holistic view of our security landscape using a cloud-native Security Incident & Event Management platform, removing security siloes to gain actionable insights and providing continuous 24/7 detect and response services, as well as proactively identifying threats to prevent security disruptions.

We engage the SOC on a regular basis to conduct external audits and assessments of our cybersecurity posture and performance. The SOC provides independent and objective feedback and recommendations on how to improve our cybersecurity strategy, policies, processes, and controls. The SOC also assists the Company in identifying and prioritizing the most critical and emerging cybersecurity risks and threats, and to align our cybersecurity initiatives with the best practices and standards in the industry.

We also have a robust and rigorous oversight process for managing cybersecurity risks related to our third-party service providers. The process includes, conducting due diligence and background checks on the potential service providers, verifying their cybersecurity credentials, capabilities, and track record, establishing clear and specific contractual terms and conditions regarding the Company's cybersecurity expectations, obligations, and the responsibilities of the service providers, and monitoring and auditing the service providers' performance, compliance, reporting and escalation procedures for any cybersecurity issues or incidents identified.

Risks from Cybersecurity Threats

While we face a variety of cybersecurity risks, such as phishing attempts, ransomware attacks, and unauthorized access attempts, such risks have not materially affected us to date, including our business strategy, results of operations or financial condition. For more information about the cybersecurity risks we face, see Item 1A Risk Factors - We face risks relating to information technology and cybersecurity attacks, loss of confidential information and other business disruptions.

Governance

Board of Directors Oversight

Our board of directors takes an active and informed role in our risk management policies and strategies. Our executive officers, which are responsible for our day-to-day risk management practices, present to the board of directors on the material risks to our Company, including risks related to information technology and cybersecurity. The audit committee has formal oversight responsibility for cybersecurity and is responsible for reviewing the Company's policies and procedures with respect to cybersecurity risk assessment and risk management. As part of the board of directors' and audit committee's oversight, the Chief Information Officer ("CIO") provides quarterly updates to the audit committee with respect to cybersecurity incidents, mitigation, and management.

Management's Role Managing Risk

Our CIO is responsible for developing and overseeing matters related to cybersecurity and serves as the Company's Chief Information Security Officer. The CIO reports directly to the Chief Operating Officer, who is accountable for the overall information technology and security strategy and governance of the Company.

We have a comprehensive and continuous cybersecurity training program for our employees, which aims to raise their awareness and knowledge of cybersecurity threats and challenges, and to enhance their skills and competencies in preventing and responding to the cybersecurity incidents. The program covers the Company's cybersecurity policies, guidelines, cybersecurity best practice guidelines, cybersecurity scenarios and simulations.

In connection with improving the management of cybersecurity risk, the Company has:

- audited our systems with the help of information security consultants;
- completed ransomware simulations and enhanced our Disaster Recovery and Business Continuity Plan to reflect lessons learned;
- conducted recovery simulation of our proprietary database to determine restoration timing;
- conducted penetration testing and remediated all issues identified; and
- enhanced e-mail filtering software to limit the possibility of phishing or ransomware attacks.

Monitor Cybersecurity Incidents

We have a well-defined and tested cybersecurity incident response plan, which outlines the roles and responsibilities, procedures and protocols, tools and resources, and communication and escalation channels that will be activated and implemented in the event of a cybersecurity incident. The plan aims to detect and contain the incident, analyze and assess its nature, scope, and severity, and restore and resume the normal operations and functions of the Company.


Company Information

Name: AGREE REALTY CORP
CIK: 0000917251
SIC Description: Real Estate Investment Trusts
Ticker: ADC - NYSE; ADC-PA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30