Extra Space Storage Inc. - (EXR)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
The Company has a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information, which includes a cybersecurity Incident Response Plan ("IRP"). Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Cybersecurity Risk Identification and Management
We design and assess our program based on the Center for Internet Security Critical Security Controls Version 8 (CIS V8). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the CIS V8 controls as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity risk management program includes:

third party risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
end-user testing to assess the effectiveness of our security measures;
cybersecurity awareness training of our employees, incident response personnel, and senior management, including mandatory computer-based training, phishing awareness campaigns, and internal communications;
a cybersecurity IRP that includes procedures designed for identifying, analyzing, containing, remedying and otherwise responding to cybersecurity incidents;
testing of our incident response readiness through Disaster Recovery and Business Continuity Plan exercises; and
a third-party risk management process for service providers, suppliers, and vendors who have access to our critical systems and information.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For more information, see the section titled "Risk Factor-Risks Related to Our Stores and Operations-We and our vendors rely on information technology, and any material failure, inadequacy, interruption or security incident affecting that technology could harm our business, results of operations and financial condition."
Our management team, including our Senior Vice President of Information Systems and Vice President of Information Security and Compliance, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team overseeing cybersecurity has over 25 years of technology and cybersecurity experience, and certain members of our team hold various cybersecurity certifications, including the Certified Information Systems Security Professional (CISSP) certification.
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.
The Company is able to identify cybersecurity breaches through various channels, including but not limited to automated event detection alerts, reports from employees, notifications from external entities such as third-party IT service providers, and proactive threat investigations in collaboration with our external partners. Upon spotting a potential cybersecurity breach, including those involving third-party cyber events, the Company’s designated incident response team outlined in the IRP adheres to the policy's protocols to investigate the suspected incident. This investigation entails determining the nature of the event (e.g., ransomware attack or breach of personal data), evaluating the severity of the incident, and gauging the sensitivity of any compromised data.
In the event of a cybersecurity breach, our primary objective is to swiftly contain it using the procedures detailed in our IRP. Once containment is achieved, our focus shifts to remediation and recovery efforts. These actions are tailored to the specifics of the breach and may involve tasks such as rebuilding systems or hosts, replacing compromised files with clean versions, verifying the integrity of affected files or data, enhancing network surveillance or logging to detect future attacks, adjusting administrative account privileges, fortifying network security measures such as firewall configurations, and providing additional training to employees. Additionally, we carry cybersecurity insurance to cover certain expenses associated with security lapses and specified cyber incidents that disrupt our network or those of our vendors, subject to predefined limits and exclusions.
Our IRP includes clear communication guidelines, outlining procedures for engaging executive management, internal and external legal counsel, the Audit Committee, and the Board. These protocols also encompass a framework for evaluating our regulatory reporting obligations to entities such as the SEC in the aftermath of a cybersecurity incident.
Board Oversight of Cybersecurity
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program. In addition, management updates the Audit Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential.
The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives briefings from management on our cyber risk management program on a quarterly basis. Board members receive presentations on cybersecurity topics from our Senior Vice President of Information Systems as well as our Vice President of Information Security and Compliance, internal security staff or external experts as part of the Board’s continuing education on topics that impact public companies.
As part of our board refreshment efforts in recent years, we have added directors with information technology governance skills. Currently, five members of our board, including all four members of our Audit Committee, have cybersecurity experience from their principal occupation, other professional experience or third-party director education courses on cybersecurity, including cyber risk governance, and data privacy and security issues and trends.