Kite Realty Group, L.P. 10-K Cybersecurity GRC - 2025-02-12

Page last updated on February 12, 2025

Kite Realty Group, L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-12 16:45:38 EST.

Filings

10-K filed on 2025-02-12

Kite Realty Group, L.P. filed a 10-K at 2025-02-12 16:45:38 EST
Accession Number: 0001286043-25-000014

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management Process The Company relies extensively on IT systems to operate and manage its business and process transactions. As a result, our business is at risk from, and may be impacted by, cybersecurity incidents. The Company’s cybersecurity risk management program leverages the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, which is used to benchmark and tailor the Company’s strategies and program to our risk profile and specific operational needs and goals. As risk management is an ongoing process, the Company regularly assesses its cybersecurity risks and adjusts its program accordingly. Via multiple monitoring solutions, potential cyber threats are automatically logged and proactively addressed. Our monitoring tools use well-established vulnerability scoring to aid in the overall risk assessment. The scoring ranks by potential severity and likelihood and includes a review of mitigating factors. The Company prioritizes its cybersecurity investments based on the likelihood and impact of potential threats. We recognize that cybercriminals frequently target employees to gain unauthorized access to information systems. Therefore, from onboarding and at least annually thereafter, the Company educates and trains its employees on cybersecurity leading practices using a variety of methods, which is supplemented throughout the year with regular phishing and other cyber-related testing. The Company regularly performs internal and external penetration testing and vulnerability scanning with the support of well-established third-party providers. Identified deficiencies or vulnerabilities are reviewed by the IT staff and management, and remediation steps are taken based on the criticality of the results. Cybersecurity tools and services are configured to identify threats and risks that may be associated with the use of third-party applications or solutions. We prioritize our cybersecurity efforts relating to third parties based on the likelihood and potential impact of cybersecurity threats. These efforts may include reviewing security documentation or protocols of key vendors, service providers, and external users of our systems. The Company has developed cybersecurity incident response plans to contain, investigate, respond to, and recover from cybersecurity incidents that may jeopardize the confidentiality, integrity, or availability of our IT systems. Key members of management, including the Company’s Chief Financial Officer, Chief Operating Officer, and Chief Legal Officer, as well as employees from IT, internal audit, marketing and communications, and human resources, serve on the Company’s security incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. Our response plans require prompt notification to members of senior management in the event of a significant cybersecurity incident and prompt briefings on further developments as appropriate. Risks And Impact From Cybersecurity Threats As of December 31, 2024, we are not aware of any risks from cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. However, evolving cybersecurity threats make it increasingly challenging to anticipate, detect, and defend against cybersecurity threats and incidents. For more information regarding our cybersecurity risks, see “We and our tenants face risks related to cyber attacks that could cause loss of confidential information and other business disruptions” in Item 1A. " Risk Factors " within this Annual Report on Form 10-K. Board of Trustees Oversight Our Board of Trustees oversees various risks that the Company may face from time to time. While the full Board of Trustees has primary responsibility for risk oversight, it has delegated to the Audit Committee the responsibility for overseeing the Company’s enterprise risk management and risk mitigation policies and programs, including matters related to privacy and cybersecurity. The Audit Committee reviews the Company’s cybersecurity risks and the effectiveness of its cybersecurity program every quarter, including current threat levels and ongoing program enhancements. Reports on these topics are provided to the Audit Committee by the Vice President, Chief Information Security Officer (“CISO”) and the Vice President, Internal Audit and Enterprise Risk Management on a quarterly basis. In addition, when appropriate, cybersecurity risks and incidents will be reported to the Board of Trustees by the Company’s Chief Financial Officer. Management’s Role The Company’s management team is responsible for implementing and managing the Company’s cybersecurity risk management program. The management team regularly reviews the Company’s cybersecurity risks and adjusts the program as needed. Risk data analyzed includes summary and detailed data from monitoring and protection systems along with remediation reports to help ensure the constant evolution of the program. Key members of the IT team responsible for information security include several individuals with over 20 years of experience within various industries, including real estate, global retail, fintech, and insurance, along with experience working for several top IT service and solutions providers. The IT team provides quarterly reports to the Company’s senior management, which typically address, among other things, the Company’s cybersecurity strategy, initiatives, key security metrics, business response plans, and the evolving cybersecurity threat landscape. The Company has cybersecurity insurance designed to cover certain expenses related to cybersecurity incidents. The Company also carries other insurance that may cover ancillary aspects of a cybersecurity incident; however, damage and claims arising from a cybersecurity incident may exceed the amount of any insurance available.

Company Information