American Homes 4 Rent - (AMH)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
We believe that having a strong cybersecurity program, including robust risk management and oversight procedures, is critical to our business success. We are committed to implementing leading data protection standards, and have a comprehensive set of written policies and standards that follow the guidance of the industry standard cybersecurity frameworks.
Management and Board Oversight
We have a dedicated cybersecurity team led by our Vice President of Information Security (“CISO”), who reports directly to our Chief Technology Officer (“CTO”). Our CISO has more than 10 years of experience in cybersecurity and IT compliance, is a member of InfraGard, a national non-profit organization serving as a public-private partnership between U.S. businesses and the Federal Bureau of Investigation, and is a member of the Cal Poly Pomona Cyber Security Advisory Council. He has also obtained the following certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Cloud Security Professional (CCSP), and Certified Chief Information Security Professional (CCISO). Our CTO has over two decades of experience in establishing, administering, and enhancing effective cybersecurity programs for multiple publicly-traded companies. Our CTO and CISO conduct quarterly cybersecurity reviews for our Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), and Chief Legal Officer (“CLO”). Our CISO reports to our CTO, who reports to our CFO.
In the event of an incident which jeopardizes the confidentiality, integrity, or availability of the information technology systems we use, including systems provided by third party service providers, we utilize a regularly updated incident response plan that was developed taking into account a recognized third party cybersecurity framework. Pursuant to that plan and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting and disclosure obligations associated with the incident, and performing post-incident analysis and program improvements. While the particular personnel assigned to an incident response team will depend on the particular facts and circumstances, the team is generally led by the CISO or another member of the dedicated cybersecurity team, and will include other information technology and legal personnel. The incident response team regularly reports to senior management, including the CEO, CFO, COO and CLO in the event of a potentially significant cybersecurity incident. The CISO or another member of the incident response team also reports to the Company’s Disclosure Committee, which makes determinations regarding SEC reporting obligations related to the cybersecurity incident and consists of senior officers in the operations, finance, and legal functions. The Disclosure Committee also consults with the chair of the Audit Committee of the board of trustees in making determinations regarding applicable SEC reporting requirements.
The board of trustees considers cybersecurity as part of its broader consideration of business strategy and risk management. Our board of trustees has delegated to the Audit Committee the responsibility of overseeing the Company’s risk management program, including the company’s risk assessment, risk management and risk mitigation policies and programs. A key part of this responsibility is overseeing the Company’s cybersecurity program. The Audit Committee, which consists solely of independent trustees and whose chair has information security experience, receives quarterly updates with respect to the cybersecurity program, addressing topics such as current threat levels, program enhancements and vulnerability testing. The Audit Committee oversees our compliance with industry standard cybersecurity frameworks, our cybersecurity insurance coverage, cybersecurity-related internal controls, cybersecurity training provided to company personnel, penetration testing, incident response plan updates, and our business continuity plan. The Audit Committee also periodically evaluates our cyber strategy to ensure its effectiveness, including benchmarking against our peers. The Audit Committee provides regular briefings to the full board of trustees with respect to the Company’s cybersecurity program. Additionally, we provide an annual update on the cybersecurity program to the full board of trustees, which has included our CTO and third-party cybersecurity experts in recent years.
As part of our board refreshment efforts in recent years we have focused on adding trustees with cybersecurity risk management experience. Currently four members of our board of trustees have information security experience.
Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
Our cybersecurity program has four components: (1) prevention and preparation, (2) detection and analysis, (3) containment, eradication, recovery, and reporting, and (4) post-incident analysis and program enhancements.
Prevention and Preparation
We undertake regular internal and external security audits and vulnerability assessments to reduce the risk of a cybersecurity incident, and we implement business continuity, contingency and recovery plans to mitigate the impact of an incident. As part of these efforts we engage a third party to conduct an external review of our vulnerabilities at least annually. We continue to strengthen our authentication mechanisms, including broad adoption of multi-factor authentication and geolocation-based blocking. To support our preparedness, we perform a tabletop exercise at least once a year to test our incident response procedures.
We recognize that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, a key element of our prevention efforts is employee training on our data privacy and cyber security procedures. For example, all new hires receive mandatory privacy and information security training. In addition, current employees must complete mandatory annual cybersecurity and data trainings, which are supplemented by regular phishing and other cyber-related testing that we conduct throughout the year.
We also recognize that third parties that provide information systems we use can be subject to cybersecurity incidents that could impact us. To mitigate third-party risk, we maintain a Vendor Integrity Code, which is designed to require our third-party vendors to comply with our requirements for maintenance of passwords, as well as other confidentiality, security, and privacy procedures. Third-party IT vendors are also subject to additional diligence such as questionnaires, inquiries, and review of System and Organization Controls (SOC) 1 and 2 reports, when relevant.
Detection and Analysis
We have implemented controls aligned with industry guidelines and applicable statutes and regulations to identify threats, detect attacks and protect the integrity of our information assets. Our cybersecurity team, with the assistance of an outside cybersecurity firm, continuously monitors for threats to keep our systems secure. Cybersecurity incidents may also be detected through a variety of means, which may include, but are not limited to, employee notification to our IT service center, notification from external parties (e.g., customers, vendors, or service providers), and automated event-detection notifications. Once a potential cybersecurity incident is identified, including a third-party cybersecurity event, the incident response team designated pursuant to the incident response plan follows the procedures set forth in the plan to investigate the potential incident, including classifying the nature of the event (e.g. ransomware, personal data breach, intellectual property breach, theft or fraud) and assessing the severity of the event and sensitivity of any compromised data according to preset criteria. Potentially significant cybersecurity incidents are escalated to the Disclosure Committee, which makes determinations regarding SEC reporting obligations related to the cybersecurity incident.
Containment, Eradication, Recovery, and Reporting
With every cybersecurity incident, the highest priority of the incident response team is to contain the cybersecurity incident as quickly as possible. A cybersecurity incident is considered contained when no additional harm can be caused and the focus shifts to remediation. The incident response team executes our incident response plan to respond to the cybersecurity incident and coordinate resources and communication protocols.
The incident response team also directs and coordinates eradication and recovery efforts. Eradication and recovery activities depend on the nature of the cybersecurity incident and may include rebuilding systems and/or hosts, replacing compromised files with clean versions, validation of files or data that may have been affected, increased network monitoring or logging to identify recurring attacks, or employee re-training, among other things. We have also retained an outside cybersecurity firm which would assist with containment, eradication, and recovery efforts, as needed.
Further, the Company also maintains cyber risk insurance to provide some coverage for certain risks arising out of data and network breaches, and the Audit Committee annually reviews such coverage.
The Company’s incident response plan provides clear communication protocols, including with respect to members of senior management (the CEO, CFO, COO and CLO), the Audit Committee, and internal and external counsel, particularly with respect to legal obligations to report the incident to tenants, regulators and law enforcement, and to the Disclosure Committee and external counsel with respect to the Company’s SEC reporting obligations.
Post-Incident Activity
After recovery, the Company performs a review of the incident to identify and implement enhancements to the cybersecurity program that can mitigate the risk or severity of future incidents. The CISO generally oversees the implementation of enhancements identified through these reviews with oversight by senior management and the Audit Committee as appropriate.
Cybersecurity Risks
As of December 31, 2023, we are not aware of any material cybersecurity incidents. However, we routinely face risks of potential incidents, whether through cyber-attacks or cyber intrusions over the Internet, ransomware and other forms of malware, computer viruses, attachments to emails, phishing attempts, extortion or other scams that we are able to prevent or sufficiently mitigate harm from. Although we make efforts to maintain the security and integrity of our networks and systems, and the proprietary, confidential and personal information that resides on or is transmitted through them, and we have implemented various cybersecurity policies and procedures to manage the risk of a security incident or disruption, there can be no assurance that our security efforts and measures will be effective or that attempted security incidents or disruptions would not be successful or damaging. In addition, although the Company maintains cyber risk insurance to provide some coverage for certain risks arising out of data and network breaches, there can be no assurance that our cyber risk insurance coverage will be sufficient in the event of a cyber-attack. See “Risk Factors–Risks Related to our Business–If our confidential information is compromised or corrupted, including as a result of a cybersecurity incident, our business operations and reputation could be damaged, which could adversely affect our financial condition and operating results.”