BOSTON PROPERTIES LTD PARTNERSHIP 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

BOSTON PROPERTIES LTD PARTNERSHIP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 15:56:05 EST.

Filings

10-K filed on 2024-02-27

BOSTON PROPERTIES LTD PARTNERSHIP filed an 10-K at 2024-02-27 15:56:05 EST
Accession Number: 0001656423-24-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Our information technology ( IT ) networks and related systems are essential to the efficient operation of our business and our ability to perform day-to-day operations (including managing our building systems and accounting for our business operations). In some cases, our clients operations depend on our building systems. The risk of a security breach, incident, compromise or disruption, particularly through cyber-attack or cyber intrusion, including by computer hackers, foreign governments and cyber terrorists, has generally increased as the number, intensity and sophistication of attempted attacks and intrusions from around the world have increased. Like other businesses, we have been, and expect to continue to be, subject to attempts at unauthorized access of our network, mishandling or misuse, computer viruses or malware, cyber-attacks and intrusions and other events of varying degrees. To date, these events have not, individually or in the aggregate, materially affected our operations or business. In addition, we are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition. See Item 1A. Risk Factors for additional discussion of the cybersecurity risks related to our Company. Cybersecurity Risk Management & Strategy We have implemented and maintain a cybersecurity program that is designed to identify, assess and manage risks from cybersecurity threats and was established by reference to the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework. The primary goal of our cybersecurity program is to prevent cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur. We aim to take an active approach to monitoring and evaluating our cybersecurity threat environment and risk profile as part of our cybersecurity program, which is administered by our information systems ( IS ) department, led by our Senior Vice President, Chief Technology Officer ( CTO ) and Senior Vice President, Chief Information Officer ( CIO, together with our CTO, IS Leaders ). Our IS Leaders are primarily responsible for the direction and implementation of technology, applications and security at BXP. Our CTO has extensive technology and program management experience with approximately 40 years of technology experience, 26 years of which have been with BXP and a total of 30 years with publicly-traded REITs. In January 2024, our IS leadership expanded to include our CIO, who has 30 years of technology experience developed across multiple industries, including commercial real estate, in guiding organizations through strategic initiatives that span technology, cybersecurity, and digital transformations. 46 T able of Contents We maintain written information security policies and procedures, including a Cybersecurity Incident Response Plan ( CIRP ) for incidents involving potential or actual compromises of information security. Our CIRP is overseen by the cyber executive response team, which is chaired by our Vice President, Risk Management and includes representatives from our IS and legal departments. In the event of a cybersecurity incident, we have implemented procedures to (i) mobilize third-party subject matter experts and (ii) notify executive leadership and the Audit Committee and/or the full Board of Directors, in each case, as appropriate. As part of our overall cybersecurity program, we also conduct: Regular assessments of our cybersecurity program . We assess our cybersecurity program against the NIST Cybersecurity Framework through annual internal assessments, and, every two years, we engage a third-party consultant to conduct an additive cyber assessment. These assessments review, among other things, our IT security measures and activities for alignment with the NIST Cybersecurity Framework. Periodic penetration testing & vulnerability assessments . On an annual basis, we engage a third-party consultant to conduct two penetration tests per year. We also conduct vulnerability assessments on a monthly basis. Regular cybersecurity awareness trainings & simulations . We conduct cybersecurity awareness training for employees and primary on-site providers during onboarding, and thereafter, multiple times per year, and we conduct regular phishing simulations in an effort to raise awareness of spoofed or manipulated electronic communications and other security threats, as well as annual tabletop simulations. In addition, our internal audit function integrates the assessment and identification of cybersecurity-related risks into our annual overall enterprise risk assessment ( ERA ). The ERA process is designed to assess and identify the key risks that management believes could adversely impact our business operations or impede the achievement of our business objectives, which includes an assessment of our cybersecurity program and the cybersecurity-related risks that we face. To the extent the ERA identifies a heightened cybersecurity-related risk(s), we have implemented a process for the risk(s) to be presented to the Audit Committee and the full Board of Directors, as appropriate. We utilize certain third-party service providers to perform select functions. These third-party service providers also face cybersecurity threats, and a cybersecurity incident impacting any of our third-party service providers could also indirectly affect our operations, performance and results of operations. We have a data security committee, consisting of members from various BXP departments, including IS, legal and risk management, that meets periodically to assess, identify and manage cybersecurity risks related to certain third-party service providers and to protect our critical financial and sensitive business information, as well as personally identifiable information (collectively, Sensitive Information ). The data security committee has implemented processes for evaluating the risk profile of those service providers that handle or have access to Sensitive Information, which informs applicable contractual obligations with these service providers. This evaluation, which occurs prior to onboarding, is designed to consider the nature of the services to be provided, the level of sensitivity and quantity of the information that the service provider handles or has access to, and the identity of the service provider. Cybersecurity Governance Our Board of Directors is primarily responsible for risk oversight and discharges its responsibility directly or indirectly through its committees. In general, our risk management is designed to be facilitated through a top-down and bottom-up communication structure whereby the Board and/or its committees provide oversight and direction, and management is charged with the day-to-day management of risks, regular assessment of the risk environment and regular reporting to the Board, which may include management reports and reports from outside advisors and consultants engaged by the Board, a specific committee or management, as appropriate. This overall risk management and oversight framework includes risks related to cybersecurity threats. Pursuant to its charter, the Audit Committee oversees senior management s risk management processes related to assessing, identifying and managing cybersecurity risks in an effort to, among other things, help align our risk exposure with our strategic objectives. The Audit Committee meets no less frequently than annually with our IS department to discuss, among other things, recent trends in cyber risks, cybersecurity incidents, if any, and our cybersecurity defense strategy to protect against cyber-attacks and intrusions. These discussions with the Audit Committee are led by our IS Leaders and senior management. The Audit Committee provides regular updates to the full Board of Directors on matters under its purview, including risk management and cybersecurity matters. 47 T able of Contents

Company Information