EQUITY RESIDENTIAL - (EQR)

10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity

Risk management and strategy

We have an enterprise-wide information security program designed to protect our information systems from cybersecurity threats. We identify and assess risks from cybersecurity threats by monitoring and evaluating our digital assets and our risk profile using various methods. We monitor security events that are internally discovered or externally reported that may affect our systems and have processes and procedures to assess those events for potential cybersecurity impact or risk and consequently improve our security measures and planning. Additionally, we work with third parties from time to time that assist us in refining our cybersecurity risk strategy in order to identify, assess and manage cybersecurity risks, including professional services firms and consulting firms. We seek to detect and investigate unauthorized attempts and attacks against our network and services, and to minimize their occurrence and recurrence through changes or updates to our internal processes and tools and changes or updates to our services; however, we remain potentially vulnerable to known or unknown threats.

Our cybersecurity incident response processes are designed to escalate certain cybersecurity events to members of management depending on the circumstances. Key members of management, including representatives from IT, operations, legal, finance, risk management and internal audit, serve on the Company’s senior security incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified, and certain cybersecurity incidents are escalated to the Company’s executives. In addition, the Company’s incident response processes include potential reporting to the Audit Committee of our Board of Trustees for certain cybersecurity incidents.

We also have a third-party risk management program in place to manage cybersecurity risks associated with third-party service providers. While we do maintain processes and procedures to identify, prioritize and assess risks associated with third-party service providers, we must rely on third parties to augment our security program, and we cannot ensure in all circumstances that their efforts will be successful.

While to date we have not experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. Any significant disruption to our systems could adversely affect our business and results of operations. Further, a cyber incident impacting our systems or a third-party’s systems could subject us to business, regulatory, litigation and reputational risk, which could have a negative effect on our business, financial condition and results of operations.

Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A, Risk Factors, for a discussion of cybersecurity risks.

Governance

Our Information Technology Security Team, under the oversight of our Senior Vice President of IT and the leadership of our VP of IT Infrastructure and Security, is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. The Information Technology Security Team manages and continually enhances a robust enterprise security structure with the ultimate goal of minimizing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur. Our Information Technology Security Team possesses decades of experience in navigating cybersecurity threats and mitigating associated risks as a result of holding similar positions at other large companies. Most members of the team hold degrees in cybersecurity and/or related disciplines, have cybersecurity certifications such as Certified Information Systems Security Professional (CISSP) and/or periodically attend various cyber-focused conferences and training programs. Specifically, our Senior Vice President of IT and our VP of IT Infrastructure and Security combined have over 30 years of technology and cybersecurity experience. The team provides regular reports to senior management and affected departments on various cybersecurity threats, assessments and findings.

The Audit Committee of our Board of Trustees oversees our annual enterprise risk management assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. The Audit Committee oversees our ongoing cybersecurity risk management efforts and regularly receives detailed reports from representatives of our Information Technology Security Team addressing a wide range of related topics. At least annually, our IT leadership (and external cybersecurity experts if applicable) reviews key cybersecurity strategies and policies with the full Board of Trustees, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends and other areas of importance.