ALEXANDERS INC 10-K Cybersecurity GRC - 2025-02-10

Page last updated on February 10, 2025

ALEXANDERS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-10 08:32:08 EST.

Filings

10-K filed on 2025-02-10

ALEXANDERS INC filed a 10-K at 2025-02-10 08:32:08 EST
Accession Number: 0000003499-25-000004

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity" in this Annual Report on Form 10-K. 17 RISKS RELATED TO OUR COMMON STOCK The trading price of our common stock has been volatile and may continue to fluctuate. The trading price of our common stock has been volatile and may continue to fluctuate widely as a result of several factors, many of which are outside of our control. These factors include: - our financial condition and performance; - the financial condition of our tenants, including the extent of tenant bankruptcies or defaults; - actual or anticipated quarterly fluctuations in our operating results and financial condition; - our dividend policy; - the reputation of REITs and real estate investments generally and the attractiveness of REIT equity securities in comparison to other equity securities, including securities issued by other real estate companies, and fixed income securities; - uncertainty and volatility in the equity and credit markets; - fluctuations in interest rates; - changes in revenue or earnings estimates or publication of research reports and recommendations by financial analysts or actions taken by rating agencies with respect to our securities or those of other REITs; - failure to meet analysts’ revenue or earnings estimates; - speculation in the press or investment community; - strategic actions by us or our competitors, such as acquisitions or restructurings; - the extent of institutional investor interest in us; - the extent of short-selling of our common stock and the shares of our competitors; - fluctuations in the stock price and operating results of our competitors; - general financial and economic market conditions and, in particular, developments related to market conditions for office REITs and other real estate related companies and the New York City real estate market; - inflation; - local, domestic and international economic factors unrelated to our performance (including the macro-economic impact of geopolitical conflict); - fiscal policies or inaction at the U.S. federal government level that may lead to federal government shutdowns or negative impacts on the U.S. economy; - changes in tax laws and rules; and - all other risk factors addressed elsewhere in this Annual Report on Form 10-K. In addition, the stock market is subject to fluctuations in the share prices and trading volumes that affect the market prices of the shares of many companies. These broad market fluctuations have in the past and may in the future adversely affect the market price of our common stock. A significant decline in our stock price could result in substantial losses for stockholders. Alexander’s has additional shares of its common stock available for future issuance, which could decrease the market price of the common stock currently outstanding. The interest of our current stockholders could be diluted if we issue additional equity securities. As of December 31, 2024, we had authorized but unissu ed 4,826,550 shares of common stock, par value of $1.00 per share and 3,000,000 shares of preferred stock, par value $1.00 per share; of which 26,244 shares of common stock are reserved for issuance upon redemption of the deferred stock units previously granted to our Board of Directors. In addition, 479,543 s hares are available for future grant under the terms of our 2016 Omnibus Stock Plan. These awards may be granted in the form of options, restricted stock, stock appreciation rights, deferred stock units, or other equity-based interests, and if granted, would reduce that number of shares available for future grants, provided however that an award that may be settled only in cash, would not reduce the number of shares available under the plan. We cannot predict the impact that future issuances of common or preferred stock or any exercise of outstanding options or grants of additional equity-based interests would have on the market price of our common stock. Loss of our key personnel could harm our operations and adversely affect the value of our common stock. We are dependent on the efforts of Steven Roth, the Chairman of our Board of Directors and our Chief Executive Officer. While we believe that we could find a replacement for him and other key personnel, the loss of their services could harm our operations and adversely affect the value of our common stock. 18 RISKS RELATED TO REGULATORY COMPLIANCE We may fail to qualify or remain qualified as a REIT, and may be required to pay federal income taxes at corporate rates, which could adversely affect the value of our common stock. Although we believe that we will remain organized and will continue to operate so as to qualify as a REIT for federal income tax purposes, we may fail to remain so qualified. Qualifications are governed by highly technical and complex provisions of the Internal Revenue Code for which there are only limited judicial or administrative interpretations and depend on various facts and circumstances that are not entirely within our control. In addition, legislation, new regulations, administrative interpretations or court decisions may significantly change the relevant tax laws and/or the federal income tax consequences of qualifying as a REIT. If, with respect to any taxable year, we fail to maintain our qualification as a REIT and do not qualify under statutory relief provisions, we could not deduct distributions to stockholders in computing our taxable income and would have to pay federal income tax on our taxable income at regular corporate rates. The federal income tax payable would include any applicable alternative minimum tax. If we had to pay federal income tax, the amount of money available to distribute to stockholders and pay our indebtedness would be reduced for the year or years involved, and we would not be required to make distributions to stockholders in that taxable year and in future years until we were able to qualify as a REIT and did so. In addition, we would also be disqualified from treatment as a REIT for the four taxable years following the year during which qualification was lost, unless we were entitled to relief under the relevant statutory provisions. Our failure to qualify as a REIT could adversely affect our business and the value of our common stock. We may face possible adverse federal tax audits and changes in federal tax laws, which may result in an increase in our tax liability. In the normal course of business, certain entities through which we own real estate have either undergone or may undergo tax audits. Although we believe that we have substantial arguments in favor of our positions, in some instances there is no controlling precedent or interpretive guidance. There can be no assurance that audits will not occur with increased frequency or that the ultimate result of such audits will not have a material adverse effect on our results of operations. At any time, the U.S. federal income tax laws governing REITs or the administrative interpretations of those laws may be amended. We cannot predict if or when any new U.S. federal income tax law, regulation, or administrative interpretation, or any amendment to any existing U.S. federal income tax law, Treasury regulation or administrative interpretation, will be adopted, promulgated or become effective and any such law, regulation, or interpretation may take effect retroactively. Alexander’s, its taxable REIT subsidiaries, and our security holders could be adversely affected by any such change in, or any new, U.S. federal income tax law, Treasury regulation or administrative interpretation. We may face possible adverse state and local tax audits and changes in state and local tax law. Because we are organized and qualify as a REIT, we are generally not subject to federal income taxes, but we are subject to certain state and local taxes. In the normal course of business, certain entities through which we own real estate have undergone, tax audits. There can be no assurance that audits will not occur with increased frequency or that the ultimate result of such audits will not have a material adverse effect on our results of operations. From time-to-time changes in state and local tax laws or regulations are enacted, which may result in an increase in our tax liability. A shortfall in tax revenues for states and municipalities in which we operate may lead to an increase in the frequency and size of such changes in laws, regulations and administration of property and transfer taxes. If such changes occur, we may be required to pay additional taxes on our assets or income. These increased tax costs could adversely affect our financial condition and results of operations and the amount of cash available to pay our indebtedness and make distributions to our stockholders. Compliance or failure to comply with the Americans with Disabilities Act (“ADA”) or other safety regulations and requirements could result in substantial costs. The ADA generally requires that public buildings, including our properties, meet certain Federal requirements related to access and use by disabled persons. Noncompliance could result in the imposition of fines by the Federal government or the award of damages to private litigants and/or legal fees to their counsel. If, under the ADA, we are required to make substantial alterations and capital expenditures in one or more of our properties, including the removal of access barriers, it could adversely affect our financial condition and results of operations, as well as the amount of cash available for distribution to stockholders. Our properties are subject to various federal, state and local regulatory requirements, such as state and local fire and life safety requirements. If we fail to comply with these requirements, we could incur fines or private damage awards. We do not know whether existing requirements will change or whether compliance with future requirements will require significant unanticipated expenditures that will affect our cash flow and results of operations. 19 We may incur significant costs to comply with environmental laws and environmental contamination may impair our ability to lease and/or sell real estate. Our operations and properties are subject to various federal, state and local laws and regulations concerning the protection of the environment, including air and water quality, hazardous or toxic substances and health and safety. Under some environmental laws, a current or previous owner or operator of real estate may be required to investigate and clean up hazardous or toxic substances released at a property. The owner or operator may also be held liable to a governmental entity or to third parties for property damage or personal injuries and for investigation and clean-up costs incurred by those parties because of the contamination. These laws often impose liability without regard to whether the owner or operator knew of the release of the substances or caused the release. The presence of contamination or the failure to remediate contamination may also impair our ability to sell or lease real estate or to borrow using the real estate as collateral. Other laws and regulations govern indoor and outdoor air quality including those that can require the abatement or removal of asbestos-containing materials in the event of damage, demolition, renovation or remodeling and govern emissions of and exposure to asbestos fibers in the air. The maintenance and removal of lead paint and certain electrical equipment containing polychlorinated biphenyls (PCBs) are also regulated by federal and state laws. We are also subject to risks associated with human exposure to chemical or biological contaminants such as molds, pollens, viruses and bacteria which, above certain levels, can be alleged to be connected to allergic or other health effects and symptoms in susceptible individuals. We could incur fines for environmental compliance and be held liable for the costs of remedial action with respect to the foregoing regulated substances or related claims arising out of environmental contamination or human exposure to contamination at or from our properties. Each of our properties has been subjected to varying degrees of environmental assessment. To date, these environmental assessments have not revealed any environmental condition material to our business. However, identification of new compliance concerns or undiscovered areas of contamination, changes in the extent or known scope of contamination, human exposure to contamination or changes in clean-up or compliance requirements could result in significant costs to us. ITEM 1B. UNRESOLVED STAFF COMMENTS There are no unresolved comments from the staff of the Securities and Exchange Commission as of the date of this Annual Report on Form 10-K. 20 ITEM 1C. CYBERSECURITY Risk Management and Strategy Our comprehensive risk management strategy for the assessment, identification and management of material risks stemming from cybersecurity threats is aligned with Vornado’s strategy as the Company’s manager, which involves a systematic evaluation of potential threats, vulnerabilities, and their potential impacts on our organization’s operations, data, and systems. Our manager’s cybersecurity risk management program, which is subject to our oversight, is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program, including legal, compliance, strategic, operational, and financial risk areas. The cybersecurity risk management program includes: - Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, and broader enterprise IT environment; - A team principally responsible for managing our (i) cybersecurity risk assessment processes, (ii) security controls and (iii) response to cybersecurity incidents; - The use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of security controls; - Cybersecurity awareness training for users and senior management, including through the use of third-party providers for regular mandatory trainings; - A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and - A risk management process for third-party service providers, suppliers and vendors, which includes a rigorous vetting process and ongoing monitoring mechanisms designed to ensure their compliance with cybersecurity standards. As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business, results of operations, or financial condition . Governance Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (the “Committee”) oversight of cybersecurity and other information technology risks. The Committee oversees the implementation of the cybersecurity risk management program. The Committee receives periodic reports from management on potential cybersecurity risks and threats and receives presentations on cybersecurity topics from Vornado and its Chief Information Officer . The Committee reports to the full Board of Directors regarding its activities, including those related to cybersecurity. The full Board of Directors also receives briefings from management on the cybersecurity risk management program as needed. Management, along with Vornado, is responsible for assessing and managing our material risks from cybersecurity threats. Management and Vornado have primary responsibility for our overall cybersecurity risk management program and supervise both the internal cybersecurity personnel and external cybersecurity consultants. Vornado’s Chief Information Officer has many years of experience leading cybersecurity oversight and overall has broad, extensive experience with information technology, including security, auditing, compliance, systems and programming. The management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by Vornado; and alerts and reports produced by security tools deployed in the IT environment. Our cybersecurity incident response plan governs our assessment and response upon the occurrence of a material cybersecurity incident, including the process for informing senior management and our Board of Directors . 21
ITEM 1C. CYBERSECURITY Risk Management and Strategy Our comprehensive risk management strategy for the assessment, identification and management of material risks stemming from cybersecurity threats is aligned with Vornado’s strategy as the Company’s manager, which involves a systematic evaluation of potential threats, vulnerabilities, and their potential impacts on our organization’s operations, data, and systems. Our manager’s cybersecurity risk management program, which is subject to our oversight, is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program, including legal, compliance, strategic, operational, and financial risk areas. The cybersecurity risk management program includes: - Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, and broader enterprise IT environment; - A team principally responsible for managing our (i) cybersecurity risk assessment processes, (ii) security controls and (iii) response to cybersecurity incidents; - The use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of security controls; - Cybersecurity awareness training for users and senior management, including through the use of third-party providers for regular mandatory trainings; - A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and - A risk management process for third-party service providers, suppliers and vendors, which includes a rigorous vetting process and ongoing monitoring mechanisms designed to ensure their compliance with cybersecurity standards. As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business, results of operations, or financial condition . Governance Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (the “Committee”) oversight of cybersecurity and other information technology risks. The Committee oversees the implementation of the cybersecurity risk management program. The Committee receives periodic reports from management on potential cybersecurity risks and threats and receives presentations on cybersecurity topics from Vornado and its Chief Information Officer . The Committee reports to the full Board of Directors regarding its activities, including those related to cybersecurity. The full Board of Directors also receives briefings from management on the cybersecurity risk management program as needed. Management, along with Vornado, is responsible for assessing and managing our material risks from cybersecurity threats. Management and Vornado have primary responsibility for our overall cybersecurity risk management program and supervise both the internal cybersecurity personnel and external cybersecurity consultants. Vornado’s Chief Information Officer has many years of experience leading cybersecurity oversight and overall has broad, extensive experience with information technology, including security, auditing, compliance, systems and programming. The management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by Vornado; and alerts and reports produced by security tools deployed in the IT environment. Our cybersecurity incident response plan governs our assessment and response upon the occurrence of a material cybersecurity incident, including the process for informing senior management and our Board of Directors . 21

Company Information