REGENCY CENTERS LP 10-K Cybersecurity GRC - 2026-02-13

Page last updated on February 13, 2026

REGENCY CENTERS LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-13 16:54:19 EST.

Filings

10-K filed on 2026-02-13

REGENCY CENTERS LP filed a 10-K at 2026-02-13 16:54:19 EST
Accession Number: 0001193125-26-051668

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, security, and availability of our critical systems and information. We employ a tiered structure of management and oversight for cybersecurity, characterized by distinct layers of responsibility and decision making, which includes operational staff, management, and senior management and board-level governance. As discussed in more detail below under "Cybersecurity Governance," this involves management responsibility through a specialized Cyber Risk Committee (the "CRC") and oversight of that committee by a group of the most senior leaders of the Company, which comprise the Company's Executive Committee. At the Company's Board of Directors (the "Board") level, the Audit Committee oversees our cybersecurity risk management program. Our strategy for managing cybersecurity risk is integrated into the Company's overall risk management program and structure, as depicted in the Corporate Governance section of our Proxy under "Risk Oversight." The Company, through its Chief Information Security Officer ("CISO"), other Company employees experienced in information network security, and the use of third-party expertise references recognized cybersecurity frameworks, such as the National Institute of Standards and Technology ("NIST") Cybersecurity Framework. While our objective is to generally align our cybersecurity program with NIST standards, this does not imply that we meet NIST or any other particular technical standard, specifications, or requirements; rather, these frameworks are used to benchmark and help tailor the Company's cybersecurity strategies and program to our risk mitigation and operational needs and goals. Our core cybersecurity strategy focuses on five key pillars: identification, protection, detection, response, and recovery, each tailored to meet the challenges and needs of our business. The primary goal of this strategy is to proactively safeguard the confidentiality, security, and availability of our critical systems and information. This proactive approach includes measures designed to identify, prevent, and mitigate cybersecurity threats and to enable a timely response to cybersecurity incidents to minimize their impact. Under the leadership of our CISO and CRC, we regularly evaluate and enhance our cybersecurity practices to facilitate adaptation to the constantly evolving landscape of cybersecurity threats. Key elements of our cybersecurity risk management program include, but are not limited to, the following: - risk assessments designed to help identify material risks from cybersecurity threats to our critical systems and information; - oversight of cybersecurity risks and controls by our CRC, including oversight of the management of cybersecurity incidents by designated incident response personnel, in coordination with IT security and other functions, as appropriate; - the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes, as discussed further below; 22 - cybersecurity awareness training of our employees, including incident response personnel and senior management; - a response plan that includes procedures for responding to cybersecurity incidents; and - a third-party risk management process for key service providers based on our assessment of their criticality to our operations and respective risk profile. We have adopted a risk-based strategy to assess and manage cybersecurity risks associated with third parties. We prioritize our cybersecurity efforts relating to third parties based on the likelihood and potential impact of cybersecurity threats. This includes reviewing the security protocols of key vendors, service providers, and external users of our systems. The CRC engages third-party expertise from time to time as it deems necessary or appropriate to test our cybersecurity defenses, to evaluate the cybersecurity programs of current and potential vendors and service providers, and to seek specialized legal advice regarding cybersecurity. Since at least January 1, 2022 , we are not aware of any cybersecurity incidents that have materially affected the Company. Nonetheless, we face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See "Risk Factors - The unauthorized access, use, theft or destruction of tenant or employee personal, financial or other data, or of Regency's proprietary or confidential information stored in our information systems or by third parties on our behalf, could impact operations, and expose us to potential liabilities and material adverse financial impact." Cybersecurity Governance The Audit Committee of the Board is charged with overseeing our cybersecurity risk management program. Both the CRC Chair and the CISO, serving in distinct roles, provide the Audit Committee with regular updates. These updates cover the overall status of the Company's cybersecurity program, as well as developments and potential new risks and trends. In the event of a significant cybersecurity threat or incident, the CRC would escalate communication frequency and intensity with the Audit Committee, Board, and the Company's Executive Committee (discussed below). The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. Board members also receive presentations periodically on cybersecurity topics from internal security staff and external experts as part of the Board's continuing education. As designated by the Company's Executive Committee and the Audit Committee, our CRC leads Regency's cybersecurity risk management program. This includes risk identification, assessment, management, prevention and mitigation, as well as securing necessary resources and reporting on cybersecurity preparedness to the Executive Committee (which is currently comprised of the CEO, CFO, and several of the Company's other senior leaders) and the Audit Committee. CRC membership, which is subject to change from time to time, includes management leadership possessing a diverse range of education, experience and expertise, and currently includes the Company's CISO, chief accounting officer, head of internal audit, general counsel and chief compliance officer, head of litigation, head of human resources, head of IT operations and the manager of network security. The collective experience of this committee encompasses areas such as IT, network security, change and incident management, public company governance, accounting, financial controls, insurance, risk management, third-party vendor oversight and systems integration, communications, human capital, and legal matters including securities, privacy and technology contracting. Our CRC takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means. These include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public and private sources, including external consultants engaged by us; and alerts and reports generated by security tools deployed in our IT environment. 23

Company Information