Our international operations had included properties in Mexico and Canada and are subject to a variety of United States and foreign laws and regulations, including the United States Foreign Corrupt Practices Act and foreign tax laws and regulations. Although we have completed our efforts to exit our investments in Mexico and Canada, we cannot assure you that our past practices will continue to be found to be in compliance with such laws or regulations. In addition, we cannot predict the manner in which such laws or regulations might be administered or interpreted, or when, or the potential that we may face regulatory sanctions or tax audits as a result of our former international operations.
Cybersecurity attacks and incidents could materially impact our business, financial condition and results of operations.
Our information technology (“IT”) networks and related systems are essential to the operation of our business and our ability to perform day-to-day operations and, in some cases, may be critical to the operations of certain of our tenants. While we maintain some of our own critical IT networks and related systems, we also depend on third parties to provide important software, technologies, tools and a broad array of services and operational functions, including payroll, human resources, electronic communications and finance functions. In the ordinary course of our business, we and our third-party service providers collect, process, transmit and store sensitive information and data, including intellectual property, our proprietary business information and that of our customers, suppliers and business partners, as well as personally identifiable information.
We, and our third-party service providers, like all businesses, are subject to cyberattacks and security incidents that threaten the confidentiality, integrity, and availability of our IT systems and information resources. Cyberattacks and security incidents include intentional or unintentional acts by employees, customers, contractors or third parties, who seek to gain unauthorized access to our or our service providers’ systems to disrupt operations, corrupt data, or steal confidential or personal information through malware, computer viruses, ransomware, software or hardware vulnerabilities, social engineering (e.g., phishing attachments to e-mails) or other vectors.
Cyberattacks are becoming more challenging to identify, investigate and remediate, because attackers increasingly use techniques and tools, including artificial intelligence, that circumvent controls, avoid detection, and remove or obscure forensic evidence, including as a result of the intensification of state-sponsored cybersecurity attacks during periods of geopolitical conflict. There can be no assurance that our cybersecurity risk management program, security controls and security processes, or those of our third-party service providers will be fully implemented, complied with, or effective or that security breaches or disruptions will not materially impact our business. For example, scanning tools deployed in our IT environment allows us to identify and track certain known security vulnerabilities, but we cannot guarantee that patches or mitigating measures will be applied before vulnerabilities can be exploited by a threat actor.
We have experienced cybersecurity incidents that to date have not resulted in, and are not expected to result in, a material impact on the Company’s business operations or financial results. For example, we are regularly subject to phishing attempts, certain of our third-party service providers have experienced incidents, and in February 2023, the Company experienced a criminal ransomware attack affecting data contained on legacy servers of Weingarten Realty Investors (“WRI”), which the Company acquired in August 2021. Although none of these incidents materially impacted the Company, we cannot guarantee that material incidents will not occur in the future. Moreover, we have acquired in the past and may acquire in the future companies with cybersecurity vulnerabilities or unsophisticated security measures, which could expose us to significant cybersecurity, operational, and financial risks.
A cyber incident could materially affect our operations and financial condition by:
•disrupting the proper functioning of our networks and systems and, therefore, our operations and/or those of certain of our tenants;
•resulting in misstated financial reports, violations of loan covenants and/or missed reporting deadlines;
•resulting in our inability to properly monitor our compliance with the rules and regulations regarding our qualification as a REIT;
•resulting in the unauthorized access to, and destruction, loss, theft, misappropriation or release of proprietary, confidential, sensitive or otherwise valuable information of ours or others, which others could use to compete against us or for disruptive, destructive or otherwise harmful purposes and outcomes;
•resulting in our inability to maintain the building systems relied upon by our tenants for the efficient use of their leased space;
•requiring significant management attention and resources to remediate systems, fulfill compliance requirements and/or to remedy any damages that result;
•subjecting us to regulatory enforcement, including investigative costs and fines or penalties;
•subjecting us to litigation claims for negligence, breach of contract or other agreements or other causes of action, potentially resulting in remedies such as damages, credits, penalties or termination of leases or other agreements; or
•damaging our reputation among our tenants, investors and associates.
In addition, federal and state governments and agencies have enacted, and continue to develop, broad data protection legislation, regulations, and guidance that require companies to increasingly implement, monitor and enforce reasonable cybersecurity measures.
