UMH PROPERTIES, INC. - (UMH)
10-K Filing Date: February 28, 2024
The Company’s Board of Directors (the “Board”) and its Cybersecurity Subcommittee are responsible for overseeing the Company’s risk management program and cybersecurity is a critical element of this program. Management is responsible for the day-to-day administration of the Company’s risk management program and its cybersecurity policies, processes, and practices. The Company’s cybersecurity policies, standards, processes, and practices are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards and are fully integrated into the Company’s overall risk management system and processes. In general, the Company seeks to address material cybersecurity threats through a company-wide approach that addresses the confidentiality, integrity, and availability of the Company’s information systems or the information that the Company collects and stores, by assessing, identifying and managing cybersecurity issues as they occur.
Cybersecurity Risk Management and Strategy
The Company’s cybersecurity risk management strategy focuses on several areas:
● Identification and Reporting: The Company has implemented a comprehensive, cross-functional approach to assessing, identifying and managing material cybersecurity threats and incidents. The Company’s program includes controls and procedures to properly identify, classify and escalate certain cybersecurity incidents to provide management visibility and obtain direction from management as to the public disclosure and reporting of material incidents in a timely manner.
● Technical Safeguards: The Company implements technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats. The Company uses a managed antivirus platform and mobile device management on all company devices to scan for viruses, manage patching and updates, and provide remote support and monitoring tools. Firewalls, web filtration, network intrusion prevention measures, monitoring nodes, and network access controls are evaluated annually and improved through vulnerability assessments. All company accounts have strong passwords, two-factor authentication, and domain authentication enforced. The IT Department researches emerging cybersecurity threats and keeps employees informed on the best security practices.
● Incident Response and Recovery Planning: The Company has established and maintains comprehensive incident response, business continuity, and disaster recovery plans designed to address the Company’s response to a cybersecurity incident. The Company conducts regular tabletop exercises to test these plans and ensure personnel are familiar with their roles in a response scenario.
● Third-Party Risk Management: The Company maintains a comprehensive, risk-based approach to identifying and overseeing material cybersecurity threats presented by third parties, including vendors, service providers, and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a material cybersecurity incident affecting those third-party systems, including any outside auditors or consultants who advise on the Company’s cybersecurity systems.
● Education and Awareness: The Company provides regular, mandatory training for all levels of employees regarding cybersecurity threats as a means to equip the Company’s employees with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes, and practices.
The Company conducts periodic assessment and testing of the Company’s policies, standards, processes, and practices in a manner intended to address cybersecurity threats and events. The Company conducts quarterly reviews of backup logs, access privileges, financial transactions, and application updates. Backups are tested for integrity and functionality. The Company regularly conducts seminars on the rollout of new applications and features for employees, as well as administering phishing testing and security awareness training. Penetration testing is conducted annually to verify the integrity of the Company’s network security. The results of such assessments, audits, and reviews are evaluated by management and reported to the Cybersecurity Subcommittee and the Board, and the Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews.
Governance
The Board, in coordination with the Cybersecurity Subcommittee, oversees the Company’s risk management program, including the management of cybersecurity threats. The Board and the Cybersecurity Subcommittee each receive regular presentations and reports on developments in the cybersecurity space, including risk management practices, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security issues encountered by the Company’s peers and third parties. The Board and the Cybersecurity Subcommittee also receive prompt and timely information regarding any cybersecurity risk that meets pre-established reporting thresholds, as well as ongoing updates regarding any such risk. On an annual basis, the Board and the Cybersecurity Subcommittee discuss the Company’s approach to overseeing cybersecurity threats with the Company’s IT Department and members of senior management.
The IT Department, in coordination with members of senior management including the Executive Vice President, Chief Financial Officer and Treasurer, the Executive Vice President and Chief Operating Officer and the Executive Vice President, General Counsel and Secretary, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any material cybersecurity incidents in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity program, cross-functional teams throughout the Company address cybersecurity threats and respond to cybersecurity incidents. Through ongoing communications with these teams, the IT Department and senior management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to the Cybersecurity Subcommittee when appropriate.
The members of the IT Department have served in various roles in information technology and information security for over 5 years. The IT Systems Administrator has experience in monitoring arising security threats, creating documented cybersecurity and technology usage policies, and bringing companies into compliance with cybersecurity regulations. The IT Systems Administrator has been certified in Network Administration and Security, Systems Administration, and Database Vulnerability Assessment via Cisco and IBM. The Company’s IT Technician has been certified via the Committee on National Security Systems and National Security Agency as an Information Systems Security Professional.
Material Effects of Cybersecurity Incidents
Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.