Brixmor Operating Partnership LP 10-K Cybersecurity GRC - 2025-02-10

Page last updated on February 10, 2025

Brixmor Operating Partnership LP reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-10 16:06:29 EST.

Filings

10-K filed on 2025-02-10

Brixmor Operating Partnership LP filed a 10-K at 2025-02-10 16:06:29 EST
Accession Number: 0001581068-25-000009

Item 1C. Cybersecurity.

Given the critical importance of cybersecurity, including data privacy, we have developed a cybersecurity program, supported by risk management and oversight procedures. The cybersecurity program includes written policies and standards that take into account the guidance of well-recognized industry cybersecurity frameworks.

Management and Board Oversight

We have dedicated cybersecurity resources led by our Chief Information Officer (“CIO”), who regularly provides reports on cybersecurity to our executive officers, including the CEO and CFO. Our CIO has significant experience in the cybersecurity and IT fields and holds multiple degrees, including a Bachelor of Science in Information Science and a Master of Business Administration. Additionally, our CIO is a Certified Information Security Manager.

We have developed a cybersecurity incident response plan (“CSIRP”) for cybersecurity incidents that may jeopardize the confidentiality, integrity, or availability of our IT systems. Our CSIRP guides the internal response to cybersecurity incidents, following a process consistent with well-recognized industry cybersecurity frameworks. Pursuant to the CSIRP and its escalation protocols, we engage the incident response team (“IRT”), which includes designated personnel responsible for: (1) analyzing the severity of the incident and associated threat; (2) notifying management of the threat; (3) containing the threat; (4) eradicating the threat; (5) restoring data and access to systems; (6) working with management to determine the reporting and disclosure obligations associated with the incident; and (7) performing post-incident analysis and improvements.
The IRT is led by an incident response coordinator, which in the event of a cybersecurity incident would generally be the CIO, and includes members of our IT resources, risk management, legal, communications, finance, and accounting teams, in addition to any other personnel depending on the particular facts and circumstances of the incident.

We consider cybersecurity as part of our broader consideration of business strategy and enterprise risk management. Our board of directors has delegated to the Audit Committee the responsibility of overseeing our risk management program, including for the cybersecurity program. The Audit Committee receives quarterly updates from our CIO with respect to the cybersecurity program. As part of its oversight, the Audit Committee may, for example, receive updates regarding assessments of our alignment with certain industry cybersecurity frameworks, our cybersecurity insurance coverage, cybersecurity-related internal controls, results of penetration testing, revisions to the CSIRP, business continuity plans, and threat assessments.

Processes for Assessing, Identifying, and Managing Material Risks from Cybersecurity Threats

Our cybersecurity program has four components: (1) preparation and prevention; (2) detection and analysis; (3) incident response including containment, eradication, recovery, and reporting; and (4) post-incident analysis and program enhancements.

Preparation and Prevention

We utilize a variety of tools, processes, software, and hardware that are managed and monitored by our IT resources including third-party vendors, as applicable, to prevent and prepare for cybersecurity threats. We conduct regular internal and external security audits and vulnerability assessments to reduce the risk of a cybersecurity incident and we implement business continuity, contingency, and recovery plans to mitigate the impact of an incident.
As part of these efforts, we engage a third party to conduct periodic penetration testing and an external review of our vulnerabilities. We continue to strengthen access management mechanisms including broad adoption of multi-factor authentication, geolocation-based blocking, and network segmentation. To support our preparedness, we perform tabletop exercises at least once a year to test our CSIRP.

We recognize that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, a key element of our prevention efforts is training employees to recognize and respond to cybersecurity threats. All new hires receive mandatory privacy and information security training. Employees must also complete mandatory ongoing annual cybersecurity and data trainings, which are supplemented throughout the year by regular phishing and other cyber-related awareness activities. Additionally, we conduct specialized training for our high-risk employees on an annual basis and specialized training for employees with access to certain sensitive information systems. These trainings and tests are tracked throughout the year for each employee and are directly tied to their overall compensation.

We recognize that our third-party vendors can be subject to cybersecurity incidents which may impact us. To mitigate third-party risk, vendor access to our network resources is reviewed, authorized, and monitored for appropriateness. Third-party IT vendors that are determined to present a higher risk are also subject to additional diligence such as questionnaires, inquiries, and relevant certifications.

Detection and Analysis

Cybersecurity incidents may be detected through a variety of means and indicators, which may include, but are not limited to, alerts from customers, employees, vendors, service providers, other third parties, and/or automated event-detection notifications.
Once a potential cybersecurity incident is identified, including a third-party cybersecurity event, the incident response coordinator follows the procedures pursuant to the CSIRP to investigate the potential incident, including classifying the nature and severity of the event.

Containment, Eradication, Recovery, and Reporting

The IRT is responsible for deciding on a containment strategy to respond to the cybersecurity incident, coordinating resources, and communicating to management with subsequent notification to the Audit Committee, if warranted. The IRT also directs and coordinates eradication and recovery efforts. Eradication and recovery activities depend on the nature of the cybersecurity incident, which may include, but are not limited to, rebuilding systems and/or hosts, replacing compromised files with clean versions, or validation of files or data that may have been affected. Containment, eradication, and recovery may be aided by third-party vendors or investigators.

Our CSIRP provides clear communication protocols, including with respect to members of management, which may include, depending on the incident’s classification and other circumstances, members of the IRT, CEO, CFO, CIO, General Counsel, Audit Committee, and external counsel. In addition, the CSIRP considers communications and reporting to tenants, regulators, and law enforcement.

Post-Incident Activity

After recovery, the IRT conducts a post-incident analysis to identify potential enhancements to the cybersecurity program that can mitigate the risk and/or severity of future incidents. The results of these reviews are shared with management and the Audit Committee.

Cybersecurity Risks

As of December 31, 2024, we have not had any known instances of material cybersecurity incidents. However, there can be no assurance that our cybersecurity efforts and measures will be effective or that attempted cybersecurity incidents or disruptions would not be successful or damaging.
See “We and our tenants face risks relating to cybersecurity attacks that could cause the loss of confidential information or other business disruptions” in Item 1A. “Risk Factors” for further information relating to cybersecurity risks.


Company Information

Name: Brixmor Operating Partnership LP
CIK: 0001630031
SIC Description: Real Estate Investment Trusts
Ticker:
Website:
Category:
Fiscal Year End: December 30