VORNADO REALTY LP 10-K Cybersecurity GRC - 2026-02-09

Page last updated on February 9, 2026

VORNADO REALTY LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-09 16:27:38 EST.

Filings

10-K filed on 2026-02-09

VORNADO REALTY LP filed a 10-K at 2026-02-09 16:27:38 EST
Accession Number: 0000899689-26-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We have begun the use of AI capabilities with the goal of creating additional efficiencies in conducting our business and operations. While we intend to use AI appropriately and to attempt to mitigate ethical and legal issues presented by its use, we may ultimately be unsuccessful in identifying or resolving issues before they arise. There can be no assurance that we or our service providers will properly implement AI, and the failure to do so could have an adverse effect on our business and results of operations. 23 PRINCIPAL EXECUTIVE OFFICES Our principal executive offices are located at 888 Seventh Avenue, New York, New York 10019; telephone (212) 894-7000. MATERIALS AVAILABLE ON OUR WEBSITE Copies of our Annual Report on Form 10-K, Quarterly Reports on Form 10-Q, Current Reports on Form 8-K and amendments to those reports, as well as Reports on Forms 3, 4 and 5 regarding officers, trustees and 10% beneficial owners, filed or furnished pursuant to Section 13(a), 15(d) or 16(a) of the Securities Exchange Act of 1934 are available free of charge through our website (www.vno.com) as soon as reasonably practicable after they are electronically filed with, or furnished to, the Securities and Exchange Commission. Also available on our website are copies of our Audit Committee Charter, Compensation Committee Charter, Corporate Governance and Nominating Committee Charter, Code of Business Conduct and Ethics, and Corporate Governance Guidelines. In the event of any changes to these charters or the code or guidelines, revised copies will also be made available on our website. Copies of these documents are also available directly from us free of charge. Our website also includes other financial and non-financial information, including certain non-GAAP financial measures, none of which is a part of this Annual Report on Form 10-K. Copies of our filings under the Securities Exchange Act of 1934 are also available free of charge from us, upon request. ITEM 1B. UNRESOLVED STAFF COMMENTS There are no unresolved comments from the staff of the Securities and Exchange Commission as of the date of this Annual Report on Form 10-K. 24 ITEM 1C. CYBERSECURITY Risk Management and Strategy We employ a comprehensive risk management strategy for the assessment, identification and management of material risks stemming from cybersecurity threats. Our methodologies involve a systematic evaluation of potential threats, vulnerabilities, and their potential impacts on our organization's operations, data, and systems. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program, including legal, compliance, strategic, operational, and financial risk areas. Our cybersecurity risk management program includes: - Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, and our broader enterprise IT environment; - A team principally responsible for managing our (i) cybersecurity risk assessment processes, (ii) security controls and (iii) response to cybersecurity incidents; - The use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls; - Cybersecurity awareness training of our employees, incident response personnel and senior management, including through the use of third-party providers for regular mandatory trainings; - A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and - A risk management process for third-party service providers, suppliers, and vendors. We employ rigorous vetting processes and ongoing monitoring mechanisms designed to ensure their compliance with cybersecurity standards. As of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Governance Our Board of Trustee's considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (the "Committee") oversight of cybersecurity and other information technology risks. The Committee oversees management's implementation of our cybersecurity risk management program. The Committee receives periodic reports from management on our potential cybersecurity risks and threats and receives presentations on cybersecurity topics from our Chief Information Officer. The Committee reports to the full Board of Trustees regarding its activities, including those related to cybersecurity. The full Board of Trustees also receives briefings from management on cybersecurity matters as needed. Our management team, including our Chief Information Officer , is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Chief Information Officer has many years of experience leading cybersecurity oversight and overall has broad, extensive experience with information technology, including security, auditing, compliance, systems and programming. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment. Our cybersecurity incident response plan governs our assessment and response upon the occurrence of a material cybersecurity incident, including the process for informing senior management and our Board of Trustees. 25
ITEM 1C. CYBERSECURITY Risk Management and Strategy We employ a comprehensive risk management strategy for the assessment, identification and management of material risks stemming from cybersecurity threats. Our methodologies involve a systematic evaluation of potential threats, vulnerabilities, and their potential impacts on our organization's operations, data, and systems. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program, including legal, compliance, strategic, operational, and financial risk areas. Our cybersecurity risk management program includes: - Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, and our broader enterprise IT environment; - A team principally responsible for managing our (i) cybersecurity risk assessment processes, (ii) security controls and (iii) response to cybersecurity incidents; - The use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls; - Cybersecurity awareness training of our employees, incident response personnel and senior management, including through the use of third-party providers for regular mandatory trainings; - A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and - A risk management process for third-party service providers, suppliers, and vendors. We employ rigorous vetting processes and ongoing monitoring mechanisms designed to ensure their compliance with cybersecurity standards. As of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Governance Our Board of Trustee's considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (the "Committee") oversight of cybersecurity and other information technology risks. The Committee oversees management's implementation of our cybersecurity risk management program. The Committee receives periodic reports from management on our potential cybersecurity risks and threats and receives presentations on cybersecurity topics from our Chief Information Officer. The Committee reports to the full Board of Trustees regarding its activities, including those related to cybersecurity. The full Board of Trustees also receives briefings from management on cybersecurity matters as needed. Our management team, including our Chief Information Officer , is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Chief Information Officer has many years of experience leading cybersecurity oversight and overall has broad, extensive experience with information technology, including security, auditing, compliance, systems and programming. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment. Our cybersecurity incident response plan governs our assessment and response upon the occurrence of a material cybersecurity incident, including the process for informing senior management and our Board of Trustees. 25

Company Information