BRANDYWINE OPERATING PARTNERSHIP, L.P. 10-K Cybersecurity GRC - 2025-02-26

Page last updated on February 27, 2025

BRANDYWINE OPERATING PARTNERSHIP, L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 18:55:41 EST.

Filings

10-K filed on 2025-02-26

BRANDYWINE OPERATING PARTNERSHIP, L.P. filed a 10-K at 2025-02-26 18:55:41 EST
Accession Number: 0000790816-25-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our information management and communication systems and networks, and related platforms and applications, are integral to the operation of our business. We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Managing Material Risks & Integrated Overall Risk Management We have strategically integrated cybersecurity risk management into our broader risk management framework to facilitate a company-wide awareness of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our management team works closely with our IT department to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. Our information security processes are designed to manage material risks from cybersecurity threats to our information systems and maintain the confidentiality, integrity and availability of our data. 24 We have also implemented a training program for employees that includes both proactive education modules, as well as reactive anti-phishing and testing modules designed to test the end-user’s ability to put what they learned into practice. Engage Third-parties on Risk Management We engage external experts, including cybersecurity assessors and consultants, in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain consistent with industry best practices. These third-parties have performed threat assessments, and consultation on security enhancements and evolving best practices. Oversee Third-party Risk To address risks associated with third-party service providers, we review and assess the cybersecurity controls of our third-party service providers and vendors, as appropriate, and make changes to our business processes to manage these risks. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third-parties. Risks from Cybersecurity Threats We have not experienced a cybersecurity threat or cybersecurity incident in the past three years that has materially adversely affected our results of operations or financial condition. However, we face risks associated with breaches of our information technology systems, including through cyber-attacks and cyber intrusions, which could result in significant disruptions of our information technology systems (and those of third parties which we use), and unauthorized access to our information and information of our tenants and personnel. As we previously disclosed, on May 1, 2024, we detected unauthorized occurrences by a third party on portions of our information technology systems. Upon detecting the unauthorized occurrences, we promptly initiated our previously established response protocols and took steps to contain and remediate the incident. As part of our remediation activities, we strengthened our surveillance of cybersecurity threats and our information backup systems. A substantial portion of our direct costs incurred relating to containing, investigating and remediating the cybersecurity incident were reimbursed through insurance recoveries. As of the date of this Annual Report on Form 10-K, the cybersecurity incident has not had a material impact on our financial condition or results of operations, and we do not believe the cybersecurity incident is reasonably likely to materially impact our financial condition or results of operations. Refer to “Item 1A. Risk Factors” in this Form 10-K, including “We have experienced, and may again experience, data security breach that may cause damage to our business and reputation,” for additional discussion about cybersecurity-related risks. Governance and Oversight Management’s Role Managing Risk All Cybersecurity threats are reported to the Chief Technology and Innovation Officer (the “CTIO”) , who promptly informs the General Counsel, Chief Financial Officer and other senior management officers of any cybersecurity incident or material cybersecurity threat. In the event of a cybersecurity incident, management is equipped with a comprehensive cybersecurity incident and breach management policy that addresses investigation, remediation, notification, communication and reporting. The cybersecurity incident and breach management policy prescribes actions to respond to the immediate cybersecurity incident as well as strategies intended to prevent future incidents. Risk Management Personnel Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the CTIO, Mr. Jim Kurek. With over 20 years of experience in technology across multiple verticals, his expertise includes all facets of information technology including cyber security, infrastructure and operations, digital transformation, and data analytics. Mr. Kurek brings a wealth of expertise to his role. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Board of Trustee Oversight Our Board of Trustees recognizes the critical need to manage cybersecurity risks. The Board has established oversight mechanisms to enhance effective governance in managing risks associated with cybersecurity threats. The Audit Committee , comprised of board members with diverse experiences and expertise, is central to the Board’s oversight of management’s governance and management of cybersecurity risks and strategies. 25 At least once each quarter, the CTIO provides reports to the Audit Committee, which include reports on any documented incidents or violations of our IT and security policies and an update on cybersecurity practices and matters. Documented incidents or violations are discussed, and managers are notified for the appropriate follow-up with our human resources department or the employees involved in such incidents or violations, as needed. Our Audit Committee regularly reviews with senior management our information technology and security policies and controls to address new and novel threats to our systems. Additionally, the CTIO provides comprehensive briefings to the Board annually. These briefings include a review and discussion of (i) our cybersecurity, data privacy and other information technology risks and related risk management strategies, policies and procedures to protect our business systems and information, and (ii) strategies, policies and procedures to respond to potential security breach incidents, including communications plans and disaster recovery procedures.

Company Information