CENTERSPACE 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

CENTERSPACE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 16:31:13 EST.

Filings

10-K filed on 2024-02-20

CENTERSPACE filed an 10-K at 2024-02-20 16:31:13 EST
Accession Number: 0000798359-24-000019

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We have an information security program designed to identify, protect, detect and respond to and manage reasonably foreseeable cybersecurity risks and threats. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. Our Board of Trustees oversees management s process for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our Senior Vice President of Information Technology (the SVP of IT ), meets with the Board of Trustees at least annually to present and discuss strategies and cybersecurity initiatives. This meeting includes reporting of cybersecurity incidents at least annually or more often, if identified. Our SVP of IT leads a team that is responsible for assessing and managing our cybersecurity risks. The SVP of IT has a B.S. in Management Information Systems, spent more than a decade with Microsoft before joining the Company, and is an active member of North Dakota State and Local Intelligence Center (NDSLIC), an affiliate of National Fusion Center Association (NFCA) and United States Homeland Security (DHS). Senior management, including the SVP of IT, conducts regular meetings to discuss technology initiatives and cybersecurity risks and strategies. A comprehensive approach to assessing, identifying, and managing cybersecurity risks is part of the Company s overall risk management strategy. A combination of internal and external monitoring services help identify, manage, and assess how management responds within our enterprise risk management processes. Any known known cybersecurity incidents would be reported to our board, chief executive officer, and disclosure committee for evaluation. We engage third party experts to monitor for and identify cyber threats. Both management and the third party provider receive alerts regarding cyber threats. The third party provider has the ability to act on our behalf to respond to any threats it identifies. We also use, among other things, endpoint monitoring, anti-virus software, multi-factor authentication, and data encryption to assist with managing cyber risks and identifying cyber threats. In addition, we engage a cybersecurity consultant to regularly assess cyber risks and threats and provide recommendations and plans to mitigate those risks. We utilize third-party service providers for a variety of functions. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers. We look for reliable and reputable service providers that maintain cybersecurity programs based on industry standards. Depending on the nature of the services provided and the sensitivity of information processed, our vendor management process may include contractually imposed obligations on the provider and reviewing the cybersecurity practices of such provider. In 2021, we suffered a ransomware attack on our information technology systems. This incident did not have a material impact on our business, operations, or financial condition; however, as a result, we began work on certain information technology initiatives earlier than originally planned. A security breach or other significant disruption involving our computer networks and related systems could cause substantial costs and other negative effects, including litigation, remediation costs, costs to deploy additional protection strategies, compromising of confidential information, and reputational damage adversely affecting investor confidence. Further, a penetration of our systems or a third-party s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition and results of operations. See Item 1A. Risk Factors We face risks associated with cyber-attacks, cyber intrusions, or otherwise, which could pose a risk to our systems, networks, and services and Security breaches could compromise our information and expose us to liability, which would cause our business and reputation to suffer. and Security breaches could compromise our information and expose us to liability, which would cause our business and reputation to suffer. 20 Table of Contents

Company Information