Kyle Bolden, partner at EY, participated in a video interview in conjunction with Nareit’s REITworks: 2022 Conference in La Quinta, California, on Sept. 12-13.
Bolden discussed five key points of the SEC’s proposed cybersecurity disclosures: once a cyber incident is deemed material, disclosing within four business days; determining if, in the aggregate, multiple cyber breaches are material; disclosing if the company has a chief information security officer and who they report to; disclosing which board members have cybersecurity expertise; and assessing materiality from a reasonable investor’s perspective both quantitatively and qualitatively.
“The aggregation criteria will be a bit of a challenge because registrants may have concluded that a previously undisclosed cyber incident was not material—but then with the aggregation, they may conclude that, in the aggregate, they are material,” Bolden added.
Turning to what he sees his REIT clients proactively implementing to stay ahead of cybercrimes, Bolden said cybersecurity program assessments, multi-factor authentication, and workforce education are among the leading practices.
“Additionally, we’re seeing some of our REIT clients do simulations,” he added. “And then to basically determine how you’d respond in a live breach.”
Bolden noted that other risks that should be top of mind for REITs include human capital, including attracting, training, and retaining talent; mentoring; and DEI best practices, including examining the resiliency and diversity of the company’s supply chain.