MID AMERICA APARTMENT COMMUNITIES INC. - (MAA)

10-K Filing Date: February 09, 2024
Item 1C. Cybersecurity.

Cybersecurity Risk Management Program

We recognize the importance of maintaining the integrity of our information systems and safeguarding the confidential business and personal information we receive and store about our residents, prospective residents, employees and suppliers. As such, we have implemented a cybersecurity risk management program designed to assess, identify and manage material risks from cybersecurity threats. Our cybersecurity risk management program is designed to employ what we believe are industry best practices, including monitoring and analysis of the threat environment, vulnerability assessments and third-party cybersecurity risks; detecting and responding to cyber attacks, cybersecurity incidents and data breaches; cybersecurity crisis preparedness, incident response plans, and business continuity and disaster recovery capabilities; and investments in cybersecurity infrastructure and program needs. Key processes in our program include:

regular cybersecurity training and testing for employees with company email and access to connected devices;
continuous security event monitoring, management and incident response;
regular testing of incident response procedures;
regular internal reporting;
regular consulting with external advisors and specialists regarding opportunities and enhancements to strengthen our cyber practices and policies and enhance our cybersecurity maturity;
independent third-party testing of our information technology controls and defenses, including penetration tests;
independent third-party audits of our cybersecurity controls; and
annual independent third-party reviews of program maturity based on the National Institute of Standards and Technology (NIST) cybersecurity framework.

In addition, as part of our cybersecurity risk management program, we have processes designed to oversee and identify material risks from cybersecurity threats associated with our use of third-party service providers, and our cybersecurity risk management program takes into account third-party systems through which we could be impacted by the compromise of the security of a third-party service provider. In this regard, we conduct due diligence on third-party service providers with respect to cybersecurity risks prior to entering into relationships with them, and we regularly assess security risks associated with our use of third-party service providers, including onboarding contract employees through the same process we onboard our own employees. In addition, we contractually require third-party service providers to promptly notify us of any actual or suspected breach impacting our data or operations, and we continuously track mission critical vendors using a third-party monitoring service.

We maintain a cyber insurance policy, we periodically meet with our insurer to discuss emerging trends in cybersecurity and we utilize self-assessment tools and other services provided by our insurance broker and insurer, including annual tabletop exercises conducted by cybersecurity experts.

Our cybersecurity risk management program is integrated into our overall risk management system. To help identify, assess and manage material risks from cybersecurity threats, we include cyber risk in our enterprise risk management, or ERM, evaluation and strategy process. Our ERM process takes a top-down, enterprise view of risks; it is an ongoing process consisting of risk identification, risk rating, analysis and action plans, and reporting and monitoring. Our Vice President Cyber Security has a dotted line reporting relationship to our Chief Administrative Officer and General Counsel to help ensure that risks from cybersecurity threats are considered as part of the broader ERM process. At a management level, our Chief Administrative Officer and General Counsel leads our ERM process.

We do not believe that any risks from cybersecurity threats of which we are aware, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For information regarding the risks we face associated with cybersecurity incidents, see “Risk Factors – We rely on information technology systems in our operations, and any breach or security failure of those systems could materially adversely affect our business, financial condition, results of operations and reputation” included in this Annual Report on Form 10-K.

Governance

The Audit Committee of our Board of Directors is responsible for oversight of risks from cybersecurity threats. At a management level, our cybersecurity risk management program is led by our Chief Technology and Innovation Officer, who has over 20 years of experience providing business and information technology, or IT, process consulting and regulatory compliance services, including founding a cybersecurity consulting and regulatory compliance firm, and whose certifications include Big 4 SOX Global Subject Matter Specialist, Certified Public Accountant and Certified Information Systems Auditor. Partnering with our Chief Technology and Innovation Officer is our Vice President Cyber Security, who has over 30 years of IT technical and IT business process experience, has been an IT and cybersecurity leader for multiple financial services companies and has certifications including training in Ethical Hacking, serving as the local IT Sector Chief for the Federal Bureau of Investigation’s, or FBI, InfraGard Program, FBI Secret Clearance for all IT-related incidents/cybersecurity initiatives, and FBI Citizens Academy Alumni. Collectively, our cybersecurity team consists of 11 professionals with an average cybersecurity tenure of 17 years and certifications including CISSP, AWS Trainer, AWS Architect, Okta administrator, Splunk administrator, CCNP and CCDA, Microsoft Security, Compliance and Identity, Azure, CompTIA Security+ and Splunk, information systems auditor, and Red Hat Enterprise Linux certification, among other degrees, certifications and work-related experience. Members of our cybersecurity team deliver regular updates to our Chief Technology and Innovation Officer and our Chief Administrative Officer and General Counsel.

The Audit Committee of our Board of Directors receives regular reports, including an annual cybersecurity maturity assessment and quarterly scorecards, from our Chief Technology and Innovation Officer. Those reports cover topics related to information security, privacy, and cyber risks and our risk management processes, including the status of any recent cybersecurity events, the emerging threat landscape, and the status of capital investments in our information security infrastructure. The Audit Committee provides regular reports to the full Board of Directors. In addition, the Audit Committee and the full Board of Directors have authority to engage external consultants, including legal, accounting or other advisors, such as cybersecurity firms, in carrying out their oversight of our cybersecurity risk management program. Likewise, the Audit Committee or the Board of Directors may request members of management or others to attend meetings at which cybersecurity risk management is addressed.

As part of our cybersecurity risk management program, we have adopted an incident response plan which provides for controls and procedures upon the occurrence of a cybersecurity event. In connection with that plan, we have established a cross-functional critical response team, composed of members of management under the direction of our Chief Technology and Innovation Officer and our Chief Administrative Officer and General Counsel, which is responsible for monitoring our cybersecurity incident response. In addition, when a cybersecurity event meets certain criteria, it is elevated for the critical response team’s review and the team performs an impact assessment; if the critical response team determines that the cybersecurity event has the potential to have a material impact on the Company, the event is elevated for further review and assessment by a senior management team, which includes all of the members of our standing crises control committee, and, under certain circumstances, the Audit Committee and/or the full Board of Directors.

Cybersecurity risks are part of the broader ERM process overseen by our Board of Directors. ERM risk assessment results are presented annually to the Board of Directors, and status updates are delivered quarterly to the Audit Committee.