CBL & ASSOCIATES PROPERTIES INC 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

CBL & ASSOCIATES PROPERTIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 17:23:37 EST.

Filings

10-K filed on 2024-02-29

CBL & ASSOCIATES PROPERTIES INC filed an 10-K at 2024-02-29 17:23:37 EST
Accession Number: 0000950170-24-023267

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We face risks associated with security breaches through cyber attacks, cyber intrusions or otherwise, and other significant disruptions of information technology networks and related systems. Refer to Risk Factors in Part I, Item 1A for a disclosure of our cybersecurity risks. We have not experienced a material information security breach and as a result, we have not incurred any material expenses. We continue to monitor cybersecurity risks to prevent and mitigate materially negative impacts on the Company s reputation, financial performance, customer or vendor relationships and potential litigation or regulatory investigations or actions. As part of its regular oversight of risk management, our audit committee is responsible for the oversight of cybersecurity risk and threat mitigation related to our information technology and information systems including protection and security of employee and customer data. Our Vice President Technology Solutions is responsible for the day-to-day management of our cybersecurity program and reports directly to our President. Our Vice President Technology Solutions has served in this role for over three years and has more than 25 years of experience in the aggregate, including ten years with the Company, in various information technology roles. Our audit committee is responsible for overseeing cybersecurity risks, and our management team reports to our audit committee on the Company s cybersecurity program, current cybersecurity projects and industry trends and efforts to mitigate cybersecurity risk on at least a semi-annual basis. We have a comprehensive program designed to mitigate cybersecurity risk. We have adopted and require employees to abide by our personally identifiable information policy to help protect personal employee, vendor and tenant information. Employees are required to complete regular cybersecurity training and education annually, which is followed-up with quarterly testing and re-training, as necessary. We also maintain an incident response plan which outlines our response and action in the event of a major cybersecurity incident. The cybersecurity incident response plan sets forth a process for detecting and responding to cybersecurity incidents, determining their scope and risk, developing an appropriate response to mitigate and remediate the incident, communicating effectively to all stakeholders and participants and reducing the likelihood of similar future incidents. In the event of a real or perceived cybersecurity incident, the Vice President Technology Solutions would, as soon as practicable, inform management s technology solutions steering committee, the members of which would then collaborate with the Vice President Technology Solutions to manage material risks. 28 We contract with a third party to perform a cybersecurity risk and vulnerability assessment annually. We regularly test areas of potential vulnerability, utilizing penetration testing, ransomware-focused disaster recovery tests as well as testing exercises for other higher risk areas. We have also implemented most of the voluntary practices recommended under the National Institute of Standards and Technology cybersecurity framework. Additionally, the Company maintains cybersecurity risk insurance coverage.

Company Information