Curbline Properties Corp. 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

Curbline Properties Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 16:05:34 EST.

Filings

10-K filed on 2025-02-21

Curbline Properties Corp. filed a 10-K at 2025-02-21 16:05:34 EST
Accession Number: 0000950170-25-024834

Item 1C. Cybersecurity.

Information Technology and Cybersecurity

Pursuant to the Shared Services Agreement, the Company depends on the proper functioning, availability and security of SITE Centers’ information systems, including financial, data processing, communications, and operating systems, as well as proprietary software programs that are important to the efficient operation of the business. The Company also utilizes software applications provided by third parties. SITE Centers grants limited access to its systems to third parties providing specific outsourced functions or other services and increasingly stores and transmits data using connected information technology or “cloud” systems. Any significant failures or disruptions of the critical information systems on which the Company relies, including ransomware attacks or other cyber incidents, that impact the availability or other proper functioning of these systems or that result in the compromise of sensitive or confidential information, including information of tenants, employees and others, could result in liability for the Company and have a significant impact on the Company’s operations and reputation.

The Company’s internal audit team annually assesses and reviews the risks posed to the security of the networks used by the Company, including a review of system and process assurance for information technology and application controls, and takes into account certain frameworks and policies. The Company’s internal audit team also reviews the Company’s fraud assessment and confirms IT management’s oversight of its cybersecurity policies. The Company’s management team reviews the findings, if any, of these assessments, assesses the identified risks and takes action based on the Company’s risk profile.

In order to assess the risks posed to the information systems by third-party service providers and vendors, the SITE Centers’ information technology department, coordinating with the Company’s internal audit services team, evaluates and implements, as appropriate, new software and network application vendors’ contracts, internal policies, certifications and System and Organization Controls (“SOC”) reports during the procurement of solutions and services.

To mitigate the risk and impact of any cybersecurity incidents on the security and availability of the networks on which the Company relies, the information technology systems are protected through physical and software safeguards and backup procedures the Company considers appropriate. SITE Centers contracts with independent cybersecurity providers for security event incident management, end-point detection and incident response monitoring, and security incident response services. Additionally, SITE Centers has deployed a layered approach to network intrusion detection and protection using technology provided by industry-leading companies. The SITE Centers’ information technology department also performs timely system and security updates to maintain current software versions and apply appropriate security updates aimed at reducing risk. SITE Centers has also implemented various safeguards designed to ensure the confidentiality, availability and the integrity of its network and data, including redundant telecommunication facilities, replicating critical data and backups to multiple off-site locations, a fire suppression system to protect SITE Centers’ on-site data center, and electrical power protection and generation facilities. SITE Centers also has a catastrophic disaster recovery plan and alternate processing capability available for its critical data processes in case of a catastrophe that renders the primary data center unusable.

The Company and SITE Centers conduct annual cybersecurity awareness training for all employees, new-hire cybersecurity training, monthly simulated phishing tests, and additional training for specific departmental requirements as part of their respective risk mitigation efforts. SITE Centers also maintains cybersecurity insurance (of which the Company is an additional insured); however, there is no assurance that the insurance SITE Centers maintains will cover all cybersecurity breaches or that policy limits will be sufficient to cover all related losses.

Under the leadership of the Company’s Chief Technology Officer, the SITE Centers’ information technology department is primarily responsible for assessing and managing material risks to SITE Centers’ information systems, including from cybersecurity threats. The Company’s Chief Technology Officer has over 30 years’ experience working in information technology and managing information technology systems and holds several specialized security certifications, including the Certified Information Security Manager certification from the Information Systems Audit and Control Association. In addition, certain members of the SITE Centers information technology department have obtained specialized security certifications, including accreditation as Certified Information Systems Security Professionals, and have prior work experience in various roles involving technology and security.

The Company has established an internal Security and Privacy Governance Committee, comprised of the Chief Technology Officer and other senior members of management that generally meets quarterly. This committee receives updates from the SITE Centers’ information technology department with respect to the implementation of various systems and security measures, the Company’s cybersecurity training and awareness program, enhancements or modifications to the security program, and the impacts of such changes to the Company’s information security risk environment. The Company has adopted a Cybersecurity Incident Response Plan, which requires communication of cybersecurity incidents to varying levels and personnel within the organization depending on the severity of the threat impact and encompasses tactics related to cybersecurity, systems and facilities availability, and information privacy.

The Board of Directors has specifically delegated oversight of the Company’s cybersecurity risks and related practices to the Audit Committee of the Board of Directors (the “Audit Committee”) through the committee’s charter. At least annually, senior members of the Company’s information technology team (including the Chief Technology Officer) and internal audit services team brief the Audit Committee on information and cyber security matters, including results from risk assessments, the Company’s policies and its internal control function. The Audit Committee reviews such information alongside other company risks as part of our overall risk assessment.

The Company has experienced risks from cybersecurity threats, including issues related to malware, email phishing, and other events intended to disrupt information systems, wrongfully obtain valuable information, or cause other malicious events. To the best of the Company’s knowledge, these threats have not materially affected the Company, nor have they materially obstructed the availability of the information systems and data on which it relies. Although no assurances can be given, the Company does not believe that such threats are reasonably likely to materially affect the Company in the future. See Item 1A. Risk Factors under the caption “Risks Related to the Company’s Business, Properties and Strategies- A disruption, failure or breach of the networks or systems on which the Company relies, including as a result of cyber-attacks, could harm its business.”


Company Information

Name: Curbline Properties Corp.
CIK: 0002027317
SIC Description: Real Estate
Ticker: CURB - NYSE
Website
Category: Emerging growth company
Fiscal Year End: December 30