COPT DEFENSE PROPERTIES 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

COPT DEFENSE PROPERTIES reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 17:06:17 EST.

Filings

10-K filed on 2024-02-22

COPT DEFENSE PROPERTIES filed an 10-K at 2024-02-22 17:06:17 EST
Accession Number: 0000860546-24-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C for disclosure regarding our cybersecurity risk management, strategy and governance. We may be adversely affected by environmental, social and governance matters. Certain investors and other stakeholders are increasingly focused on environmental, social and governance matters. If our perceived commitment to environmental, social and governance matters fails to meet the expectations of investors and other stakeholders, it could adversely affect their willingness to invest in, or otherwise do business with, us. We may suffer adverse effects from epidemics or pandemics. The occurrence of epidemics or pandemics may adversely affect us in many ways, including, but not limited to: > disruption of our tenants operations, which could adversely affect their ability, or willingness, to sustain their businesses and/or fulfill their lease obligations; > our ability to maintain occupancy in our properties and obtain new leases for unoccupied and new development space at favorable terms or at all; > shortages in supply of products or services from vendors that are needed for us and our tenants to operate effectively, and which could lead to increased costs for such products and services; > access to debt and equity capital on attractive terms or at all. Severe disruption and instability in the global financial markets or deteriorations in credit and financing conditions may affect our or our tenants ability to access capital necessary to fund operations, refinance debt or fund planned investments on a timely basis, and may adversely affect the valuation of financial assets and liabilities; and > our and our tenants ability to continue or complete planned development, including the potential for delays in the supply of materials or labor necessary for development. The extent of any effect on our operations, financial condition and cash flows will be dependent on various factors, such as the duration and extent of the epidemic or pandemic, the prevalence, strength and duration of restrictive measures implemented in response and the resulting effects on our tenants, potential future tenants, the commercial real estate industry and the broader economy. Moreover, some of the risks described in other risk factors set forth in this Annual Report on Form 10-K may be more likely to impact us as a result of epidemics or pandemics, including, but not limited to: downturns in national, regional and local economic environments; deteriorating local real estate market conditions; and declining real estate valuations. Our business could be adversely impacted if we are unable to attract and retain highly-qualified personnel. Our ability to operate effectively and succeed in the future is dependent in large part on our employees. Our Defense/IT strategy in particular relies on the knowledge, specialized skills and credentialed personnel on our teams that serve those properties unique needs. We face very intense competition for highly-qualified personnel in the labor market. We also occasionally face even greater competition for personnel with certain skill sets or qualifications. As a result, we may not be successful in retaining our existing talent or attracting, training and retaining new personnel with the requisite skills. We may also find that we need to further increase compensation costs in response to this competition. Our business could be harmed by the loss of key employees, a significant number of employees or a significant number of employees in a specialized area of the Company. We have certain provisions or statutes that may serve to delay or prevent a transaction or a change in control that would be advantageous to our shareholders from occurring. COPT Defense s Declaration of Trust limits ownership of its common shares by any single shareholder to 9.8% of the number of the outstanding common shares or 9.8% of the value of the outstanding common shares, whichever is more restrictive. COPT Defense s Declaration of Trust also limits ownership by any single shareholder of our common and preferred shares in the aggregate to 9.8% of the aggregate value of our outstanding common and preferred shares. We refer to these restrictions as the Ownership Limit. COPT Defense s Declaration of Trust allows our Board of Trustees to exempt shareholders from the Ownership Limit. The Ownership Limit and the restrictions on ownership of our common shares may delay or prevent a transaction or a change of control that might involve a premium price for our common shares or otherwise be in the best interest of our shareholders. Subject to the requirements of the New York Stock Exchange, our Board of Trustees has the authority, without shareholder approval, to issue additional securities on terms that could delay or prevent a change in control. In addition, our Board of Trustees has the authority to reclassify any of our unissued common shares into preferred shares. Our Board of Trustees may issue preferred shares with such preferences, rights, powers and restrictions if it chooses to do so, which could also delay or prevent a change in control. 16 In addition, various Maryland laws may have the effect of discouraging offers to acquire us, even if the acquisition would be advantageous to shareholders. Resolutions adopted by our Board of Trustees and/or provisions of our bylaws exempt us from such laws, but our Board of Trustees can alter its resolutions or change our bylaws at any time to make these laws applicable to us. COPT Defense s failure to qualify as a REIT would have adverse tax consequences, which would substantially reduce funds available to make distributions to our shareholders. We believe that COPT Defense has qualified for taxation as a REIT for federal income tax purposes since 1992. We plan for COPT Defense to continue to meet the requirements for taxation as a REIT. Many of these requirements, however, are highly technical and complex. The determination that COPT Defense is a REIT requires an analysis of various factual matters and circumstances that may not be totally within our control. For example, to qualify as a REIT, at least 95% of COPT Defense s gross income must come from certain sources that are specified in the REIT tax laws. COPT Defense is also required to distribute to shareholders at least 90% of its annual taxable income. The fact that COPT Defense holds most of its assets through CDPLP and its subsidiaries further complicates the application of the REIT requirements. Even a technical or inadvertent mistake could jeopardize COPT Defense s REIT status. Furthermore, Congress and the Internal Revenue Service might make changes to the tax laws and regulations and the courts might issue new rulings that make it more difficult or impossible for COPT Defense to remain qualified as a REIT. If COPT Defense fails to qualify as a REIT, it would be subject to federal income tax at regular corporate rates. Also, unless the Internal Revenue Service granted us relief under certain statutory provisions, COPT Defense would remain disqualified from being a REIT for four years following the year it first fails to qualify. If COPT Defense fails to qualify as a REIT, it would have to pay significant income taxes and would therefore have less money available for investments or for distributions to our shareholders. In addition, if COPT Defense fails to qualify as a REIT, it would no longer be required to pay distributions to shareholders. As a result of all these factors, COPT Defense s failure to qualify as a REIT could impair our ability to expand our business and raise capital and would likely have a significant adverse effect on the value of our shares. We may be adversely impacted by changes in tax laws. At any time, U.S. federal tax laws or the administrative interpretations of those laws may be changed. We cannot predict whether, when or to what extent new U.S. federal tax laws, regulations, interpretations or rulings will be issued. In addition, while REITs generally receive certain tax advantages compared to entities taxed as C corporations, it is possible that future legislation could result in REITs having fewer tax advantages, and therefore becoming a less attractive investment alternative. As a result, changes in U.S. federal tax laws could negatively impact our operating results, financial condition and business operations, and adversely impact our shareholders. Occasionally, changes in state and local tax laws or regulations are enacted that may result in an increase in our tax liability. Shortfalls in tax revenues for states and municipalities may lead to an increase in the frequency and size of such changes. If such changes occur, we may be required to pay additional taxes on our assets, revenue or income. Our tenants and contractual counterparties could be designated Prohibited Persons by the Office of Foreign Assets Control. The Office of Foreign Assets Control of the United States Department of the Treasury ( OFAC ) maintains a list of persons designated as terrorists or who are otherwise blocked or banned ( Prohibited Persons ). OFAC regulations and other laws prohibit us from conducting business or engaging in transactions with Prohibited Persons. If a tenant or other party with whom we conduct business is placed on the OFAC list or is otherwise a party with whom we are prohibited from doing business, we would be required to terminate our lease or other agreement with them. Item 1B. Unresolved Staff Comments None. Item 1C. Cybersecurity (a) As discussed in Item 1A, Risk Factors, we face risks associated with security breaches and other significant disruptions of our IT networks and related information systems, which are essential to our business operations. Due to our Defense/IT strategy and the nature of the customers and activities it serves, we may have a heightened likelihood of being targeted for cyber-attacks or -intrusions, including by governments, organizations or persons hostile to the USG. Our cybersecurity risk management efforts are informed by a cyber risk assessment, a continuous evaluation of our risks and vulnerabilities and risk tolerances. Our processes for assessing, identifying and managing cybersecurity risks are led by our Vice President Information Technology and Chief Information Officer (our CIO ), a management-level position reporting directly to our Executive Vice President and Chief Financial Officer (our CFO ). Our CIO, a Certified Information Systems Security Professional ( CISSP ) with over 20 years of information systems and information security leadership experience, leads our information technology team members, many of whom have USG security clearances and include one additional CISSP certified team member, in supporting our cybersecurity risk management efforts. This team s efforts are further informed through their participation in external cybersecurity-related panels, industry presentations and advisory boards, tabletop exercises and information-sharing collaborations and partnerships. 17 Our information technology team executes a series of preventive, detective and responsive measures aimed towards managing our cybersecurity risks, including the following: > administering a series of processes and automated tools to monitor and alert for potentially malicious activities and vulnerabilities on our network, systems, applications and devices, with the ability to terminate processes and isolate potential vulnerabilities; > employing tools and controls to support our efforts in identity and access management and device and user management and authentication; > ongoing cybersecurity maintenance activities, including scheduled maintenance time windows for comprehensive system updates to occur, with additional ad hoc updates occurring as needed, monitoring of all Company devices for timeliness of security updates and pushing time-sensitive updates to our system infrastructure and devices, as appropriate; > recurring, redundant backups of our applications, servers and data, with replication to remote storage locations; > assessing audit reports issued on controls of certain outsourced, or externally-hosted, systems or applications; and > periodically evaluating our readiness by performing testing of our process and system for responding to cyber events, including our ability to recover following such events. We engage consultants: > on an ongoing basis for certain aspects of our information technology team s recurring monitoring and alert processes and round-the-clock support, as needed; and > periodically to perform penetration testing and vulnerability scanning of our systems, websites and properties, run or support tabletop exercises and complete cyber risk-based assessments of us. Organizationally, we aim to further support the forementioned measures through: > purchase and contracting controls aimed at preventing our entry into purchases or service arrangements: with entities blocked or banned by OFAC or the Federal Trade Commission; or outside of manufacturer authorized distribution channels; and > education of our employees, including cybersecurity-related training and periodic reminders and promotions regarding potential risks. Our CIO routinely apprises our CFO regarding cyber risk management activities and provides updates and data, as needed, to our executive team to facilitate decisions regarding our cyber risk posture and related considerations regarding our enterprise risk management assessment. Our CIO and CFO provide to the Audit Committee of our Board of Trustees: quarterly updates on our cybersecurity risk management strategy and related activities; annual reviews of our cyber risk assessment; and other information as needed to facilitate the committee s oversight of our cybersecurity risk. Two members of this committee possess cybersecurity and information systems experience, which we believe brings valuable insight and perspective to our risk management strategy. Our CIO and CFO also provide an annual review of our cyber risk assessment to our full Board of Trustees. While to date, we have not experienced cybersecurity events that were individually, or in the aggregate, material, we have developed a cyber-incident response playbook that sets forth our process for responding in the event of certain defined cyber incidents. Under our response protocols, following identification of such an incident, our CIO or other members of the information technology team would notify our executive team, which then would notify the Chairman of our Board of Trustees and assemble an Incident Management Team, comprised of certain defined management team members and external consultants, who collectively would assess and monitor the situation and manage internal and external communications. We also are subject to legal and regulatory requirements that affect our response to cybersecurity-risk management, including the Sarbanes-Oxley Act, state data breach notification requirements and certain requirements under our leases with tenants. 18
Item 1C. Cybersecurity (a) As discussed in Item 1A, Risk Factors, we face risks associated with security breaches and other significant disruptions of our IT networks and related information systems, which are essential to our business operations. Due to our Defense/IT strategy and the nature of the customers and activities it serves, we may have a heightened likelihood of being targeted for cyber-attacks or -intrusions, including by governments, organizations or persons hostile to the USG. Our cybersecurity risk management efforts are informed by a cyber risk assessment, a continuous evaluation of our risks and vulnerabilities and risk tolerances. Our processes for assessing, identifying and managing cybersecurity risks are led by our Vice President Information Technology and Chief Information Officer (our CIO ), a management-level position reporting directly to our Executive Vice President and Chief Financial Officer (our CFO ). Our CIO, a Certified Information Systems Security Professional ( CISSP ) with over 20 years of information systems and information security leadership experience, leads our information technology team members, many of whom have USG security clearances and include one additional CISSP certified team member, in supporting our cybersecurity risk management efforts. This team s efforts are further informed through their participation in external cybersecurity-related panels, industry presentations and advisory boards, tabletop exercises and information-sharing collaborations and partnerships. 17 Our information technology team executes a series of preventive, detective and responsive measures aimed towards managing our cybersecurity risks, including the following: > administering a series of processes and automated tools to monitor and alert for potentially malicious activities and vulnerabilities on our network, systems, applications and devices, with the ability to terminate processes and isolate potential vulnerabilities; > employing tools and controls to support our efforts in identity and access management and device and user management and authentication; > ongoing cybersecurity maintenance activities, including scheduled maintenance time windows for comprehensive system updates to occur, with additional ad hoc updates occurring as needed, monitoring of all Company devices for timeliness of security updates and pushing time-sensitive updates to our system infrastructure and devices, as appropriate; > recurring, redundant backups of our applications, servers and data, with replication to remote storage locations; > assessing audit reports issued on controls of certain outsourced, or externally-hosted, systems or applications; and > periodically evaluating our readiness by performing testing of our process and system for responding to cyber events, including our ability to recover following such events. We engage consultants: > on an ongoing basis for certain aspects of our information technology team s recurring monitoring and alert processes and round-the-clock support, as needed; and > periodically to perform penetration testing and vulnerability scanning of our systems, websites and properties, run or support tabletop exercises and complete cyber risk-based assessments of us. Organizationally, we aim to further support the forementioned measures through: > purchase and contracting controls aimed at preventing our entry into purchases or service arrangements: with entities blocked or banned by OFAC or the Federal Trade Commission; or outside of manufacturer authorized distribution channels; and > education of our employees, including cybersecurity-related training and periodic reminders and promotions regarding potential risks. Our CIO routinely apprises our CFO regarding cyber risk management activities and provides updates and data, as needed, to our executive team to facilitate decisions regarding our cyber risk posture and related considerations regarding our enterprise risk management assessment. Our CIO and CFO provide to the Audit Committee of our Board of Trustees: quarterly updates on our cybersecurity risk management strategy and related activities; annual reviews of our cyber risk assessment; and other information as needed to facilitate the committee s oversight of our cybersecurity risk. Two members of this committee possess cybersecurity and information systems experience, which we believe brings valuable insight and perspective to our risk management strategy. Our CIO and CFO also provide an annual review of our cyber risk assessment to our full Board of Trustees. While to date, we have not experienced cybersecurity events that were individually, or in the aggregate, material, we have developed a cyber-incident response playbook that sets forth our process for responding in the event of certain defined cyber incidents. Under our response protocols, following identification of such an incident, our CIO or other members of the information technology team would notify our executive team, which then would notify the Chairman of our Board of Trustees and assemble an Incident Management Team, comprised of certain defined management team members and external consultants, who collectively would assess and monitor the situation and manage internal and external communications. We also are subject to legal and regulatory requirements that affect our response to cybersecurity-risk management, including the Sarbanes-Oxley Act, state data breach notification requirements and certain requirements under our leases with tenants. 18 Item 2. Properties The following table provides certain information about our operating property segments as of December 31, 2023 (dollars and square feet in thousands, except per square foot amounts): Segment Number of Properties Operational Square Feet Occupancy (1) Annualized Rental Revenue (2) Annualized Rental Revenue per Occupied Square Foot (2) Defense/IT Portfolio: Fort Meade/BW Corridor: National Business Park (Annapolis Junction, MD) 34 4,293 99.3 % $ 176,899 $ 41.49 Howard County, MD 35 2,862 93.9 % 78,389 $ 29.12 Other 23 1,725 93.1 % 53,064 $ 32.90 Fort Meade/BW Corridor Subtotal / Average 92 8,880 96.4 % 308,352 $ 35.99 NoVA Defense/IT 16 2,501 88.9 % 82,482 $ 37.09 Lackland Air Force Base 8 1,062 100.0 % 61,383 $ 53.27 Navy Support 22 1,273 87.4 % 33,420 $ 30.04 Redstone Arsenal 22 2,300 97.5 % 56,918 $ 25.24 Data Center Shells: Consolidated Properties 6 1,408 100.0 % 31,087 $ 22.08 Unconsolidated Joint Venture Properties 24 4,295 100.0 % 6,741 $ 15.69 Defense/IT Portfolio Subtotal / Average 190 21,719 96.2 % 580,383 $ 33.74 Other 8 2,140 73.2 % 66,277 $ 38.42 Total Operating Properties / Average 198 23,859 94.2 % $ 646,660 $ 34.14 Total Consolidated Operating Properties $ 639,920 (1) This percentage is based upon all rentable square feet under lease terms that were in effect as of December 31, 2023. (2) Annualized rental revenue is the monthly contractual base rent as of December 31, 2023 (ignoring free rent then in effect and rent associated with tenant funded landlord assets) multiplied by 12, plus the estimated annualized expense reimbursements under existing leases for occupied space. With regard to properties owned through unconsolidated real estate joint ventures, we include the portion of annualized rental revenue allocable to our ownership interest. We consider annualized rental revenue to be a useful measure for analyzing revenue sources because, since it is point-in-time based, it does not contain increases and decreases in revenue associated with periods in which lease terms were not in effect; historical revenue under generally accepted accounting principles does contain such fluctuations. We find the measure particularly useful for leasing, tenant, segment and industry analysis. Our calculation of annualized rental revenue per occupied square foot excludes revenue of our reportable segments from leases not associated with our buildings. 19 The following table provides certain information about properties that were under, or contractually committed for, development as of December 31, 2023 (dollars and square feet in thousands): Property and Location Estimated Rentable Square Feet Upon Completion Percentage Leased Calendar Quarter Anticipated to be Operational Costs Incurred to Date (1) Estimated Costs to Complete (1) Redstone Arsenal: 5300 Redstone Gateway Huntsville, Alabama 46 100% 1Q 24 $ 17,973 $ 2,578 8100 Rideout Road Huntsville, Alabama 128 42% 3Q 24 30,485 13,478 Subtotal / Average 174 57% 48,458 16,056 Data Center Shells: Southpoint Phase 2 Bldg A Northern Virginia 225 100% 3Q 24 20,760 61,740 Southpoint Phase 2 Bldg B Northern Virginia 193 100% 3Q 25 5,150 59,850 MP 3 Northern Virginia 225 100% 4Q 25 10,031 101,769 Subtotal / Average 643 100% 35,941 223,359 Total Under Development 817 91% $ 84,399 $ 239,415 (1) Includes land, development, leasing costs and allocated portion of structured parking and other shared infrastructure, if applicable. The following table provides certain information about land that we owned or controlled as of December 31, 2023, including properties under ground lease to us (square feet in thousands): Segment Acres Estimated Developable Square Feet Defense/IT Portfolio land owned/controlled for future development: Fort Meade/BW Corridor: National Business Park (Annapolis Junction, MD) 144 1,630 Howard County, MD 19 290 Other 126 1,338 Total Fort Meade/BW Corridor 289 3,258 NoVA Defense/IT 29 1,171 Navy Support 38 64 Redstone Arsenal (1) 300 3,400 Total Defense/IT Portfolio land owned/controlled for future development 656 7,893 Other land owned/controlled 53 1,538 Total Land Owned/Controlled 709 9,431 (1) This land is owned by the USG and is controlled under a long-term master lease agreement to a consolidated joint venture. As this land is developed in the future, the joint venture will execute site-specific leases under the master lease agreement. Lease payments will commence under the site-specific leases as cash rents under tenant leases commence at the respective properties. 20 Lease Expirations The following table provides a summary schedule of lease expirations for leases in place at our operating properties as of December 31, 2023 based on the non-cancelable term of tenant leases determined in accordance with generally accepted accounting principles (dollars and square feet in thousands, except per square foot amounts): Year of Lease Expiration Square Footage of Leases Expiring Annualized Rental Revenue of Expiring Leases (1) Percentage of Total Annualized Rental Revenue Expiring (1) Total Annualized Rental Revenue of Expiring Leases Per Occupied Square Foot (1) 2024 2,576 $ 82,599 12.8 % $ 35.92 2025 3,645 145,662 22.5 % $ 39.51 2026 1,959 61,398 9.5 % $ 39.41 2027 1,714 49,383 7.6 % $ 35.59 2028 2,418 64,392 10.0 % $ 32.92 2029 2,321 52,455 8.1 % $ 30.72 2030 1,320 29,624 4.6 % $ 28.51 2031 959 16,649 2.6 % $ 29.19 2032 230 7,209 1.1 % $ 31.30 2033 646 22,836 3.5 % $ 35.37 2034 1,438 32,661 5.1 % $ 29.46 2035 1,080 33,217 5.1 % $ 30.75 2036 1,010 9,908 1.5 % $ 29.44 2037 102 9,573 1.5 % $ 92.86 2038 569 14,207 2.2 % $ 24.96 2039 483 9,786 1.5 % $ 20.25 2041 (2) 4,841 0.8 % N/A 2063 (2) 135 % N/A 2072 (2) 125 % N/A Total 22,470 $ 646,660 100.0 % $ 34.14 (1) Refer to definition provided on first page of

Company Information