AVALONBAY COMMUNITIES INC - (AVB)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management, Strategy and Governance
We have implemented and maintain a risk management framework designed to identify, assess, and mitigate risks from cybersecurity threats. We assess our cybersecurity program (“CSP”), as part of our enterprise risk management program, against the National Institute of Standards and Technology’s Cybersecurity Framework (“NIST CSF”) and also use as a model the Center for Internet Security (“CIS”) control framework’s Implementation Group 2 (“IG2”). We perform annual assessments against NIST CSF benchmarks and focus on continuous improvement over those criteria. We use a list of factors based on business risk tolerance and external compliance requirements to determine if a business asset, data, system, process, or service provider should be included within the scope of the CSP. Prior to contracting with an outside vendor that hosts our data (such as Company information or PII of our associates or residents) or that integrates with our systems, our policy is to conduct a cybersecurity risk assessment, which includes, as appropriate, a due diligence questionnaire completed by the vendor, a System and Organization Controls 1 (“SOC1”) report from major vendors and a review of the vendor’s scope of access to our IT systems and data.
We also utilize third-party service providers to enhance our CSP, including engaging them annually to assess our CSP against the NIST CSF. We use one or more third-party managed security solution providers, who provide us with threat intelligence information and managed threat detection and response capabilities. We have also engaged a third party to assist with associate cybersecurity training. Additionally, we have engaged outside breach response legal counsel to assist the Company with cybersecurity counseling and incident response.
Although we have not experienced any material cybersecurity incidents, a future incident could materially affect us. We rely on information technology to process, transmit and store electronic information, and to manage or support a variety of business processes, including financial transactions, PII, and resident and lease data. Our business requires us, and some of our vendors, to use and store PII and other confidential and sensitive information of our residents and associates. Any failure in or breach of our operational or information security systems, or those of our vendors, as a result of cyber-attacks or other security incidents could materially adversely impact our operations and financial position, including disruption of our operations caused by an inability to access network systems, disclosure or misuse of confidential or proprietary information (including PII of our residents and/or associates), damage to our reputation, and/or potentially significant legal and/or financial liabilities and penalties.
You should carefully review Part I, Item 1A. “Risk Factors” of this Form 10-K for a discussion of the risks to the Company related to cybersecurity.
Our cybersecurity team is headed by our Senior Director of Cybersecurity, who has over 15 years of experience with IT and cybersecurity. The cybersecurity team reports to our Senior Vice President-Information Technology. The Senior Director of Cybersecurity and the Senior Vice President-Information Technology are part of, and work with, a management Cybersecurity Steering Committee (“CSC”), which meets regularly. The CSC works to ensure strategic alignment of the CSP with our business objectives and priorities. The CSC is chaired by the Senior Director of Cybersecurity and is composed of our Chief Financial Officer, Chief Operating Officer, General Counsel and senior members of our finance, legal, IT, risk management and internal audit teams. The Company has designated an incident response team and defined criteria to guide responses to cybersecurity incidents.
The Audit Committee of our Board of Directors provides Board-level oversight of risks from cybersecurity threats. In addition to providing periodic reports, at least annually the Senior Director of Cybersecurity and the Senior Vice President-Information Technology meet with the Audit Committee regarding cybersecurity risks and assessments and related Company policies and initiatives. The Audit Committee and management have adopted a policy that categorizes cybersecurity incidents and sets out incident escalation procedures to the full Board of Directors.