Apartment Income REIT Corp. - (AIRC)
10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
AIR takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations that are designed to address cybersecurity threats and incidents. AIR regularly assesses risks from cybersecurity threats, monitors its information systems for potential vulnerabilities, and tests those systems according to its cybersecurity policies, standards, processes, and practices, which are integrated into its overall approach to enterprise risk management. To protect its information systems from cybersecurity threats, AIR uses various security tools that help it identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. AIR’s cybersecurity program is designed to align with the National Institute of Technology Standards Cybersecurity Framework 1.1, which provides a structured approach for assessing, identifying, and managing material risks from cybersecurity threats.
AIR’s technology team, under the leadership of AIR’s Senior Vice President of Technology, who has over 30 years of technology management experience, defines an annual work plan designed to maintain strong cybersecurity maturity, set improvement objectives of key controls and systems, including feedback from third-party assessments, and identify and implement on-going investments to replace or upgrade systems or technologies and proactively maintain strong security. As part of our annual planning, management conducts regular tabletop testing of our incident response plan to increase awareness, establish key decision-making criteria, ensure effective communication among key stakeholders, and comply with AIR’s disclosure obligations. AIR also partners with third-party experts to assess the effectiveness of our cybersecurity prevention and response systems and processes (e.g., periodic penetration testing and assessments of IT general controls). AIR also engages vendors to enhance cybersecurity safeguards and improve incident response and updates or replaces systems and applications as appropriate to improve data processing and storage management and enhance security. To further protect AIR's information systems, we structure and monitor our relationships with third-party service providers and periodically conduct due diligence on their cybersecurity architecture and process design.
To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected AIR and we believe are not reasonably likely to have a material adverse effect on AIR, including its business strategy, results of operations, or financial condition. For additional information on cybersecurity risks and potential related impacts on AIR, refer to “Our business and operations would suffer in the event of significant disruptions or cyberattacks of our information technology systems or our failure to comply with laws, rules and regulations related to privacy and data protection.” in Part I, Item 1A. Risk Factors.
Governance
Our Board of Directors oversees AIR’s risk management process, including cybersecurity risks. The Audit Committee oversees AIR’s enterprise risk assessment. The Audit Committee meetings include discussions of specific risk areas, including, among others, those relating to cybersecurity. AIR’s Senior Vice President of Technology reports, typically on a quarterly basis, to the Audit Committee on AIR’s cybersecurity profile risk assessment and technology environment and the broader technology landscape. The Audit Committee also independently engages consultants to conduct cybersecurity assessments and, preparedness analyses, and to provide the Board with ongoing training concerning cybersecurity risk governance.
AIR’s Senior Vice President of Technology, in coordination with other members of AIR’s management, is responsible for leading the assessment and management of cybersecurity threats. AIR has implemented a governance program for its cybersecurity efforts. This includes regularly updating privacy notices, terms of use, and lease documents, as well as identifying responsible teammates to facilitate the implementation of cybersecurity priorities. These teammates report regularly to senior management and to the Board on risk identification, safeguards, and mitigation steps. AIR has developed and implemented policies to identify and mitigate cybersecurity risks and provides training to teammates at onboarding and annually thereafter. Updates are communicated to all teammates, and actionable guidance is provided when new risks arise.
20