Elme Communities - (ELME)

10-K Filing Date: February 16, 2024
ITEM 1C: CYBERSECURITY

We are committed to and focused on cybersecurity and seek to ensure the safeguarding of data entrusted to us. Our cybersecurity strategy combines prevention with resiliency and continuous improvement to help enhance our organization’s cyber posture. We regularly reevaluate the threat landscape and evolve our strategies to address new threats. In addition to regularly refining our protection methodology, we focus on identification of, response to, and recovery from a cyber-attack. Our program employs the strengths of people, processes, and technology to protect resident, employee, and organization data.

Cybersecurity Risk Management Processes

In managing cybersecurity risks, we follow a structured framework informed by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. This framework provides a comprehensive set of guidelines and leading practices, enabling us to identify, protect, detect, respond, and recover from cyber threats and potential cybersecurity incidents. Regularly benchmarking our cybersecurity measures against the NIST framework helps ensure that our protocols remain robust and current in the face of evolving cyber threats.

Our Cybersecurity Risk Management (“CRM”) processes are ingrained in our overall Enterprise Risk Management (“ERM”) process. As part of our ERM process, department leaders identify, assess and evaluate risks impacting Elme and its operations across several pillars corresponding to significant business processes, including those risks related to cybersecurity. The IT department reviews risks, threats, and trends related to cybersecurity on a daily basis and formally discusses the Company's cybersecurity strategy on a weekly basis. We evaluate the methods, procedures and initiatives that reduce identified inherent risks and the residual risk to the Company. The identified risks and the processes we use to manage these risks are presented to the executive team and the Board on at least an annual basis. We report results of our ERM process, along with an assessment of top risks and corresponding risk management strategy, to the Board. Cybersecurity is a distinct pillar of our ERM process. Some of our key risks concerning cybersecurity that are included in our CRM processes include the following:

Data loss and/or damages to systems resulting from malicious or accidental actions of an internal employee,
external parties committing social engineering (e.g., phishing) or business email compromise attacks,
third-party software service providers suffering a cybersecurity incident that has a significant impact on our business, data or ability to operate, and
a ransomware attack resulting in encrypted data and release of confidential company and/or resident information.

The Company’s Board of Trustees does not believe that there are currently any risks from cybersecurity threats that are reasonably likely to materially affect the Company or its business strategy, financial condition, results of operations, or cash flows.

To manage these risks, we take various actions, including the following:

Require an annual user awareness and education program in which new and existing employees complete assessments to benchmark their awareness of cybersecurity threats and leading practices,
conduct regular email phishing tests with additional training provided to employees who fail the tests,
perform in-house vulnerability management and third-party network penetration testing,
secure insurance coverage for cybersecurity incidents,
routinely benchmark our cybersecurity practices against industry leading frameworks,
conduct incident response tabletop exercises to test our security countermeasures and incident response program,
engage a third-party firm to audit our cybersecurity procedures, and
engage a third-party Managed Security Service Provider to perform network and endpoint monitoring.

These actions help us identify opportunities for improvement in our incident preparedness and response processes.

In the event of a cybersecurity incident, we maintain a regularly tested incident response program. Pursuant to the program and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing any reporting and disclosure obligations associated with the incident, and performing post-incident analysis and program enhancements. While the personnel assigned to an incident response team may depend on the particular facts and circumstances, the team is generally led by the Chief Information Officer (“CIO”) or another member of the IT team and will include other information technology and legal personnel. In the event of a potentially notable incident, the incident response team regularly reports to senior management. The CIO or another member of the incident response team also reports periodically to the Company’s Board regarding cybersecurity incidents impacting us.

We use third parties for various services such as property management, enterprise resource planning software and cloud computing. The use of third parties exposes us to risks that cybersecurity incidents at a third-party provider would impact Elme’s operations and data security. We identify these risks with our robust evaluation program for our third-party partners, in which we assess third-party cybersecurity controls through a questionnaire and include security terms in our contracts where applicable. We mitigate these risks by assessing cybersecurity practices of new providers, continually reviewing and monitoring the cybersecurity practices of our major service providers and conducting periodic reviews of the cybersecurity strategy and posture of our other significant providers. We also consider cybersecurity incidents at our third-party providers in our business continuity and disaster recovery planning.

We have not experienced any material cybersecurity incidents to date. Notwithstanding the extensive approach we take to address cybersecurity, we may not be successful in preventing or mitigating all cybersecurity incidents or threats. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.

Governance

Elme’s leadership is committed to maintaining a secure environment that upholds high standards of privacy and data protection. The executive team reviews industry specific cybersecurity statistics and updates monthly from the IT team. We have documented control procedures that govern access to sensitive data and changes made to critical business systems. Our Cybersecurity Incident Response Plan (“CIRP”) helps ensure timely notification of cybersecurity incidents to management and the Board.

Our CIO has been responsible for the development, enhancement, and oversight of cybersecurity programs in her role as CIO for over a decade at two publicly traded real estate companies. She is a member of the Real Estate Cyber Consortium, the National Multi Housing Council Data Privacy, Security, and Information Management Committee, and the RE-ISAC Cybersecurity Working Group.

The Board is responsible for review and oversight of Elme’s cybersecurity risks and the programs and steps implemented by management to assess, manage and mitigate such risks. In the event of a cybersecurity incident, the Board is informed and updated by the incident response team as appropriate. Executive management provides regular updates during board meetings to help ensure that our trustees are informed about the evolving threat landscape and our risk management strategies. The Board receives a cyber update from the CIO on an annual basis. The Board receives communications via email from the CIO on topics of interest throughout the year.