National Storage Affiliates Trust - (NSA)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Risk management and strategy
We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures aligned to industry standards to safeguard our information systems and protect the confidentiality, integrity, and availability of our data.
Management of Material Risks & Integration into Overall Risk Management
We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity awareness and risk management and have incorporated cybersecurity considerations into our decision-making processes. Our risk management team works closely with our IT department to identify, evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. Our risk management team also provides regular reporting to management on our enterprise cybersecurity risk posture.
Engagement of Third Parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity threats, we engage a range of external experts, including cybersecurity assessors and consultants, in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, so that we can better understand the current and evolving cybersecurity risks and strategies. Our collaboration with these third parties includes periodic audits, threat assessments, and consultation on security enhancements.
Risks from Cybersecurity Threats
We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition. Refer to “Item 1A. Risk factors” in this annual report on Form 10-K, including “Security breaches through cyber-attacks, cyber-intrusions, or other methods could disrupt our information technology networks and related systems”, for additional discussion about cybersecurity-related risks.
Governance
The board of trustees is acutely aware of the critical nature of managing risks associated with cybersecurity threats and oversees the Company's cybersecurity risk management activities.
Board of Trustees Oversight
The audit committee of our board of trustees is central to the board of trustees’ oversight of cybersecurity risks and bears the primary responsibility for this domain. The members of the audit committee have a variety of expertise, including financial, regulatory and risk management. The audit committee reviews our policies with respect to risk assessment and risk management related to cybersecurity. The audit committee and the board of trustees receive updates on the Company’s cybersecurity risks and initiatives periodically. In addition, cybersecurity matters are reported to the audit committee or board of trustees so that the board of trustees and audit committee can effectively carry out their oversight role.
Management’s Role Managing Risk
Our risk management committee is comprised of a cross section of the Company’s management team. The risk management committee has identified cybersecurity as a key risk to the Company’s operations and established a cybersecurity sub-committee, which is comprised of members of the risk management committee and other personnel, to focus on this key risk.
The cybersecurity sub-committee plays a pivotal role in informing the risk management committee on cybersecurity risks. They provide comprehensive briefings to the risk management committee on a regular basis. These briefings encompass a broad range of topics, including:
• Awareness of cybersecurity landscape, emerging threats, trends and developments;
• Status of ongoing cybersecurity initiatives and strategies;
• Incident reports and learnings from any cybersecurity events;
• Compliance with regulatory requirements and industry standards; and
• Education in cybersecurity and associated risk management frameworks.
The risk management committee actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are a consistent focus of the Company and that the Company's cybersecurity efforts are aligned with the overall risk management framework. We have also implemented cybersecurity training at all levels of our organization and conduct periodic phishing assessments for our employees to reinforce that training.
Risk Management Personnel
Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the cybersecurity sub-committee. With over a combined 45 years of experience in the field of cybersecurity, the cybersecurity sub-committee brings a wealth of expertise to their role. Their in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our cybersecurity sub-committee oversees our cybersecurity strategies, tests our compliance with standards, remediates known risks, and leads our employee training program.
Monitor Cybersecurity Incidents
The cybersecurity sub-committee stays apprised of the latest developments in cybersecurity, including potential threats and innovative risk management techniques, which is important for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The cybersecurity sub-committee implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the cybersecurity sub-committee is equipped with a well-defined incident response plan, which provides a framework to mitigate the impact of cybersecurity incidents.
The cybersecurity sub-committee regularly informs the risk management committee of matters related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the board of trustees, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.