Invitation Homes Inc. - (INVH)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Our operations are highly dependent upon information systems that support our business processes. In the ordinary course of our business, we collect and store certain confidential information such as personal information of our residents and associates and information about our business partners, contractors, vendors, and suppliers. Cyber intrusions could seriously compromise our networks and the information stored therein could be accessed, publicly disclosed, misused, lost, or stolen. As such, we have established information security processes and policies using principles from industry recognized cybersecurity frameworks focused on: (i) developing organizational understanding to manage cybersecurity risks; (ii) applying safeguards to protect our systems; (iii) detecting the occurrence of a cybersecurity incident; (iv) responding to a cybersecurity incident; and (v) recovering from a cybersecurity incident. Where appropriate, these processes and policies are integrated into our overall risk management systems and processes.
Information technology and data security, particularly cybersecurity, are areas of focus for our board of directors and its audit committee. We employ a multi-layered security model that leverages risk-based controls with a focus on protecting our residents’ and associates’ data. We follow a cloud-first approach to enable efficient scaling, robust business continuity, and access to the latest technology innovations.
Our cybersecurity risk management program aims to protect and preserve the confidentiality, integrity, and continued availability of our residents’ and associates’ data and includes controls and procedures for the identification, containment, and remediation of cyber threats.
Our cybersecurity risk management program includes, among other key features:
•regular cybersecurity risk assessments;
•detection and reporting of any cybersecurity events;
•robust information security training program that includes annual information security training for all associates, as well as additional role-specific information security training; and
•cyber incident response plan that provides controls and procedures for timely and accurate reporting of any material cybersecurity incident to executive leadership and our board of directors.
We assess our cybersecurity risk management program at least annually, regularly review our cyber incident response plan, and conduct cybersecurity tabletop exercises. Our processes and policies also include the identification of those third-party relationships which have the greatest potential to expose us to cybersecurity threats. We also partner with industry leading third parties for regular security audits, which provide an independent, holistic view of our cybersecurity posture.
In addition, where appropriate, we seek to include in contractual arrangements with certain of our third-party vendors provisions addressing best practices with respect to data and cybersecurity, as well as the right to assess, monitor, audit, and test such vendors’ cybersecurity programs and practices. We also utilize a number of digital controls to monitor and manage third-party access to internal systems and data.
We expect that our cybersecurity risk management processes and strategy will continue to evolve as the cybersecurity threat landscape evolves. As a backstop to our strong information security programs, policies, and procedures, we purchase a cybersecurity risk insurance policy that would defray the costs of an information security breach, if we were to experience one.
As of December 31, 2023, we have not identified any risks from cybersecurity threats (including any previous cybersecurity incidents) that have materially affected the Company, our business strategy, our results of operations, or our financial condition. For a discussion of risks from cybersecurity threats that could be reasonably likely to materially affect us, please see Part I. Item 1A. “Risk Factors — Risks Related to Information Technology, Cybersecurity, and Data Protection.”
Governance
Our Vice President, Chief Information Security Officer (“CISO”) leads a team of information security professionals who have first-line responsibility for our cybersecurity risk management processes and activities. Our CISO has more than 20 years of experience as an information security leader and reports directly to our Executive Vice President, Chief Information and Digital Officer. Certifications held by our cybersecurity professionals include, but are not limited to: Certified Information Systems Security Professional from the International Information System Security Certification Consortium; Certified Information Security Manager from the Information Systems Audit and Control Association; and focused training and certifications from security vendors on the applications utilized in the management of the cybersecurity program. These certifications are accompanied by multiple years of direct experience in cybersecurity, which provide the framework for the team’s continuous learning of new technologies, processes, trends, and concepts, with additional training obtained through relevant cybersecurity-focused conferences.
We have also adopted a robust cybersecurity risk governance model, including the formation of the Cybersecurity Governance Committee composed of key leaders from stakeholder groups throughout the Company including our CISO, Chief Operating Officer, Chief Legal Officer, and the head of Internal Audit, along with other senior members of management.
The Cybersecurity Governance Committee meets quarterly to review the processes and performance indicators related to prevention, detection, mitigation, and remediation of cybersecurity incidents that could adversely impact business operations.
We maintain a cross-functional cyber incident response plan with defined roles, responsibilities, and reporting protocols, which focuses on responding to and recovering from any significant breach as well as mitigating any impact to our business. Generally, when a breach or suspected breach is identified, the information security team would escalate the issue to the Cybersecurity Governance Committee for initial analysis and guidance. The Cybersecurity Governance Committee, in consultation with appropriate subject matter experts, would be responsible for determining whether a particular incident alone or in combination with other factors, triggers any reporting and/or further notification responsibilities. The Cybersecurity Governance Committee would designate the primary manager of a cybersecurity incident, identify the parties who should be informed about the incident, and oversee the processes for containment, eradication, recovery, and resolution of the incident. Depending on the severity and impact of a cybersecurity threat, the audit committee and the board of directors would be notified of an incident and kept informed of the mitigation and remediation efforts.
Our CISO and other senior members of information technology personnel regularly report to the audit committee and the board of directors on recent trends in cyber risks and review our strategy to defend our business systems and information against cyber-attacks. From time to time, outside advisors may be invited to brief the audit committee on the current cybersecurity threat landscape and other related topics.
Our board of directors has an advanced understanding of its role and that of management in cyber-risk oversight and is well-positioned to guide management in the development and implementation of an effective cybersecurity risk program. Two members of our audit committee hold cybersecurity certifications: Ms. Sears holds a Cyber Risk and Strategy Certification from Diligent Institute; and Ms. Barbe holds a CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors.
As part of its overall risk oversight activities, with respect to cybersecurity risk management, the audit committee:
•oversees the quality and effectiveness of our policies and procedures with respect to our information technology and network systems;
•provides oversight on our policies and procedures in preparation for responding to any material data security incidents; and
•oversees management of internal and external risks related to our information technology systems and processes.