TANGER PROPERTIES LTD PARTNERSHIP /NC/ 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

TANGER PROPERTIES LTD PARTNERSHIP /NC/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:08:59 EST.

Filings

10-K filed on 2024-02-21

TANGER PROPERTIES LTD PARTNERSHIP /NC/ filed an 10-K at 2024-02-21 16:08:59 EST
Accession Number: 0000899715-24-000044

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk management and strategy We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Our corporate information technology, communication networks, enterprise applications, accounting and financial reporting platforms, and related systems are necessary for the operation of our business. We use these systems, among others, to manage our tenant relationships, for internal communications, for accounting to operate our record-keeping function, and for many other key aspects of our business. Our business operations rely on the secure collection, storage, transmission, and other processing of proprietary, confidential, and sensitive data. Managing Material Risks & Integrated Overall Risk Management We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our technology department continuously identifies, evaluates and manages material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and tenant data in alignment with our business objectives and operational needs. Engage Third-parties on Risk Management Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors and consultants in evaluating and testing our risk management systems. We seek to engage reliable, reputable service providers that maintain cybersecurity programs. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third parties include regular monitoring, threat assessments, and consultation on security enhancements. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider, conducting security assessments, and conducting periodic reassessments during their engagement. We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our Company or the Operating Partnership, including our business strategy, results of operations, or financial condition. Refer to Item 1A. Risk factors in this Annual Report, including the risk factor entitled Cyber-attacks or acts of cyber-terrorism could disrupt our or our third-party providers’ business operations and information technology systems or result in the loss or exposure of confidential or sensitive customer, employee or Company information , for additional discussion about cybersecurity-related risks. Governance The Board is focused on the critical nature of managing risks associated with cybersecurity threats. The Board has delegated to its Audit Committee oversight of management’s processes for identifying and mitigating risks, including cybersecurity-related risks, to help align our risk exposure with our strategic objectives. Board of Directors Oversight The Audit Committee of the Board oversees our annual enterprise risk assessment, where we assess key material risks within our Company, including technology risks and cybersecurity threats. The Audit Committee engages in regular discussions with management regarding the Company s significant financial risk exposures and the measures implemented to monitor and control these risks, including those that may result from material cybersecurity threats. These discussions include the Company s risk assessment and risk management policies. 31 Management s Role Managing Risk Assessing, identifying and managing cybersecurity related risks are integrated into our overall enterprise risk management (“ERM”) process. Cybersecurity related risks are included in the population that the ERM function evaluates to assess the top risks to the enterprise on a quarterly basis. To the extent the ERM process identifies a heightened cybersecurity related risk, management develops risk mitigation plans to minimize the risk. The ERM annual risk assessment is presented to the Audit Committee of the Board. Monitor Cybersecurity Incidents The Senior Vice President of Information Technology (“SVP IT”) is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The SVP IT implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, we believe we have a well-defined incident response plan governing our assessment, response and notifications internally and externally upon the occurrence of a cybersecurity incident. Depending on the nature and severity of an incident, this process provides for evaluation by an executive management group to determine if the incident is material to us by evaluating the impact on our financial condition, reputation and potential litigation risk and regulatory impact. The management group is comprised of the Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, General Counsel, Chief Accounting Officer and the SVP IT to determine if escalation is necessary by the Chief Executive Officer to the Board (specifically our Lead Independent Director and the Audit Committee Chair). Reporting to Board of Directors The SVP IT plays a pivotal role in informing the Audit Committee on cybersecurity-related risks. The Audit Committee holds quarterly meetings and the SVP IT provides periodic reports, on at least a quarterly basis, to the Audit Committee. These reports cover a broad range of topics, including: Status of ongoing cybersecurity initiatives and strategies; Incident reports and learnings from any cybersecurity events; and Compliance with regulatory requirements and industry standards The SVP IT regularly informs our executive management group of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity environment and potential risks facing us. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the Audit Committee, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues. As of the date of this Annual Report, we have not experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. 32

Company Information