Public Storage - (PSA)
10-K Filing Date: February 20, 2024
ITEM 1C. Cybersecurity
Public Storage devotes significant resources to protecting and continuing to improve the security of its computer systems, software, networks, and other technology assets. Our security efforts are designed to preserve the confidentiality, integrity, and continued availability of information owned by, or in the care of, the Company and protect against, among other things, cybersecurity attacks by unauthorized parties attempting to obtain access to confidential information, destroy data, disrupt or degrade service, sabotage systems, or cause other damage.
Management and Board Oversight
Our risk management processes include a comprehensive enterprise risk management framework focused on (i) evaluating the risks facing the Company and aligning the Company’s efforts to mitigate those risks with its strategy and risk appetite; (ii) communicating and improving the Company’s understanding of its key risks and responsive actions; and (iii) providing the Board with a defined, rated risk inventory and framework against which the Board can direct its responsibilities to oversee the Company’s risk assessment and risk management efforts. Our cybersecurity program is a key component of our overall enterprise risk management framework.
A dedicated team of technology professionals monitors and manages cybersecurity risks. They are led by our Chief Technology Officer (CTO), who has served in senior leadership positions with responsibility for cybersecurity and IT risk management for over 10 years, and our Vice President, Management Information Systems (VPMIS), who has been a Certified Information Systems Security Professional (CISSP) since 2016. Their teams are responsible for leading enterprise-wide cyber resilience strategy, policy, standards, architecture, and processes. Our CTO and VPMIS regularly engage with our Chief Administrative Officer. They also report monthly on cybersecurity matters to our entire executive management team.
In the event of an incident that jeopardizes the confidentiality, integrity, or availability of the information technology systems we use, we utilize a regularly updated information security incident response plan (IRP). The IRP is overseen by our executive Incident Response Committee (IRC), which consists of our Chief Financial and Investment Officer, Chief Administrative Officer, Chief Legal Officer, and CTO. The IRP guides our internal response to cybersecurity incidents.
Pursuant to our IRP and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting obligations associated with the incident, and performing post-incident analysis and program improvements. While the particular personnel assigned to an incident response team will depend on the particular facts and circumstances, the response team is generally led by the IRC with support from internal personnel and external counsel or other experts.
Our Board considers cybersecurity risk one of the most significant risks to our business. The Board has delegated to the Audit Committee oversight of cybersecurity, data privacy, and other information technology risks affecting the Company. The Audit Committee periodically evaluates our cybersecurity strategy to ensure its effectiveness. Our CTO and VPMIS provide quarterly reports to the Audit Committee, which also provides quarterly reports on its activities to the Board. Annually, the Board receives a comprehensive update regarding the Company’s cybersecurity efforts, which may include a cybersecurity tabletop exercise, presentation by third party cybersecurity experts, or similar events. Several members of our Board and Audit Committee have cybersecurity, data privacy, or related experience from their principal occupation or other professional experience.
Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
Our cybersecurity program focuses on (i) preventing and preparing for cybersecurity incidents, (ii) detecting and analyzing cybersecurity incidents, and (iii) containing, eradicating, recovering from, and reporting cybersecurity events.
Prevention and Preparation
We identify and address information security risks by employing a defense-in-depth methodology, consisting of both proactive and reactive elements, which provides multiple, redundant defensive measures and prescribes actions to take in case a security control fails or a vulnerability is exploited. We leverage internal resources, along with strategic external partnerships, to mitigate cybersecurity threats to the Company. We have partnerships for security operations center (SOC) services, penetration testing, incident response, and various third-party assessments. We deploy both commercially available solutions and proprietary systems to actively manage threats to our information technology environment.
We assess our cybersecurity program against various frameworks. Our information security program is certified for compliance with the Payment Card Industry Data Security Standard for the safe handling and protection of credit card data. Annually, we are assessed, either internally or by an independent third party, against the National Institute of Standards and Technology (NIST) Cybersecurity Framework. We also utilize reports prepared by our external partners to assess our cyber proficiency on a standalone basis and comparatively against peers and other companies, and we regularly engage external resources regarding emerging threats. We have policies and procedures to oversee and identify the cybersecurity risks associated with our use of third-party service providers, including contractual mechanisms, as well as the regular review of SOC reports, relevant cyber attestations, and other independent cyber ratings.
We employ a robust information security and training program for our employees, including mandatory computer-based training, regular internal communications, and ongoing end-user testing to measure the effectiveness of our information security program. As part of this commitment, we require our employees to complete a Cybersecurity Awareness eCourse and acknowledge our Information Security policy each year. In addition, we have an established schedule and process for regular phishing awareness campaigns that are designed to imitate real-world contemporary threats and provide immediate feedback (and, if necessary, additional training or remedial action) to employees.
As discussed above, we maintain an IRP that guides our response to a cybersecurity incident. Annually, we test the IRP’s response procedures, including through disaster response and business continuity plan exercises. These exercises are intended to challenge and validate our information security response and resources through simulated cybersecurity incidents, including engagement of outside cybersecurity legal counsel, other third-party partners, key internal personnel, executive management, and our Board.
Detection and Analysis
Cybersecurity incidents may be detected through a variety of means, which may include, but are not limited to, automated event-detection notifications, employee notifications, notification from external parties (e.g., our third-party information technology provider), and proactive threat hunting in conjunction with our external partners. Once a potential cybersecurity incident is identified, including a third-party cybersecurity event, the incident response team designated pursuant to the IRP follows the procedures set forth in the plan to investigate the potential incident, including determining the nature of the event (e.g., ransomware or a personal data breach) and assessing the severity of the event and the sensitivity of any compromised data.
Containment, Eradication, Recovery, and Reporting
In the event of a cybersecurity incident, our first priority is to contain the cybersecurity incident as quickly as possible consistent with the procedures in our IRP.
Once a cybersecurity incident is contained, our focus shifts to remediation and recovery. These activities depend on the nature of the cybersecurity incident and may include rebuilding systems and/or hosts, replacing compromised files with clean versions, validation of files or data that may have been affected, increased network monitoring or logging to identify recurring attacks, monitoring dark or deep web forums, reconfiguring administrative account access, hardening network security such as firewall configurations, and employee re-training. We also maintain cybersecurity insurance providing coverage for certain costs related to security failures and specified cybersecurity-related incidents that interrupt our network or networks of our vendors, in all cases up to specified limits and subject to certain exclusions.
Our IRP provides clear communication protocols, including with respect to members of executive management, internal and external counsel, the Audit Committee and our Board. These protocols include a framework for assessing our SEC and other regulatory reporting obligations related to a cybersecurity incident.
Following the conclusion of an incident, the incident response team will generally assess the effectiveness of the cybersecurity program and IRP and make adjustments as appropriate.
Cybersecurity Risks
As of December 31, 2023, we are not aware of any material cybersecurity incidents in the last three years. However, we routinely face attempted incidents, including cyber-attacks and intrusions over the Internet, ransomware and other forms of malware, computer viruses, malicious email attachments, phishing attempts, and extortion or other scams, which to date we have been able to prevent or to sufficiently mitigate harm from. Although we make efforts to maintain the security and integrity of the third-party networks and systems we use, these systems, and the proprietary, confidential and personal information that resides on or is transmitted through them, are subject to the risk of a security incident or disruption, and there can be no assurance that our security efforts and measures, and those of our third-party providers. See “Item 1A–Risk Factors–If our confidential information is compromised or corrupted, including as a result of a cybersecurity incident, our reputation and business relationships could be damaged, which could adversely affect our financial condition and operating results.”