Page last updated on March 3, 2025
CBL & ASSOCIATES PROPERTIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 14:37:30 EST.
Filings
10-K filed on 2025-03-03
CBL & ASSOCIATES PROPERTIES INC filed a 10-K at 2025-03-03 14:37:30 EST
Accession Number: 0000950170-25-030677
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY We face risks associated with security breaches through cyberattacks, cyberintrusions or otherwise, and other significant disruptions of information technology networks and related systems. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. However, we face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Refer to Risk Factors in Part I, Item 1A for a disclosure of our cybersecurity risks. We continue to monitor cybersecurity risks to prevent and mitigate materially negative impacts on the Company’s reputation, financial performance, customer or vendor relationships and potential litigation or regulatory investigations or actions. Governance As part of its regular oversight of risk management, our audit committee is responsible for the oversight of cybersecurity risk and threat mitigation related to our information technology and information systems including protection 26 and security of employee and customer data. Our Senior Vice President - Technology Solutions is responsible for the day-to-day management of our cybersecurity program and reports directly to our President . Our Senior Vice President - Technology Solutions has served in this role for over four years and has more than 25 years of experience in the aggregate, including more than ten years with the Company, in various information technology roles. Our audit committee is responsible for overseeing cybersecurity risks, and our management team reports to our audit committee on the Company’s cybersecurity program, current cybersecurity projects and industry trends and efforts to mitigate cybersecurity risk on at least a semi-annual basis. Cybersecurity Risk Management and Strategy We have designed and implemented a comprehensive program intended to protect the confidentiality, integrity, and availability of our critical systems and information. We designed this program based on the National Institute of Standards and Technology cybersecurity framework (“NIST CSF”). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. We monitor and regularly assess our cybersecurity risks and adjust our program accordingly. We maintain a cybersecurity incident response plan which outlines our response and action in the event of a major cybersecurity incident. The cybersecurity incident response plan sets forth a process for detecting and responding to cybersecurity incidents, determining their scope and risk, developing an appropriate response to mitigate and remediate the incident, communicating effectively to varying levels and personnel within the Company depending on the severity of the threat, effectively communicating to stakeholders and participants and reducing the likelihood of similar future incidents. In the event of a real or perceived cybersecurity incident, the Senior Vice President - Technology Solutions would, as soon as practicable, inform the Cybersecurity Incident Response Team, the members of which would then collaborate with the Senior Vice President - Technology Solutions to manage material risks. We have adopted and require employees to abide by our personally identifiable information policy to help protect personal employee, vendor and tenant information. Employees are required to complete regular cybersecurity training and education annually, which is followed-up with quarterly testing and re-training, as necessary. We contract with an independent cybersecurity provider to perform an annual cybersecurity risk and vulnerability assessment . We regularly test areas of potential vulnerability, utilizing penetration testing, ransomware-focused disaster recovery tests as well as testing exercises for other higher risk areas. We conduct annual reviews of third-party hosted applications where sensitive Company data is shared. Additionally, cybersecurity tools and services are configured to identify threats and risks that may be associated with the use of third-party applications or solutions. We maintain cybersecurity risk insurance coverage; however, there is no assurance that the insurance the Company maintains will cover all cybersecurity breaches or that policy limits will be sufficient to cover all related losses.
Company Information
| Name | CBL & ASSOCIATES PROPERTIES INC |
| CIK | 0000910612 |
| SIC Description | Real Estate Investment Trusts |
| Ticker | CBL - NYSE |
| Website | |
| Category | Accelerated filer |
| Fiscal Year End | December 30 |