SUN COMMUNITIES INC 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

SUN COMMUNITIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 20:21:37 EST.

Filings

10-K filed on 2024-02-27

SUN COMMUNITIES INC filed an 10-K at 2024-02-27 20:21:37 EST
Accession Number: 0000912593-24-000094

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management Our business operations rely on the consistent availability of our communication platforms, enterprise applications, and related systems. We have implemented protocols to ensure the secure collection, storage, and transmission of data and have invested in the development and enhancement of controls designed to prevent, detect, and respond to unauthorized access, computer viruses, malware, data exfiltration, and other threats. We have established an Information Security Management Committee to manage information security in accordance with the ISO 27001:2013 standard to ensure the consistent application of security principles, policy statements, and controls. In adhering to this industry standard, we manage and mitigate material risks from threats to our systems and data by partnering with reputable, recognized security firms, and conducting ongoing internal and external information security audits, risk assessments, anti-phishing campaigns, penetration testing exercises, systems monitoring activities, employee training, and cyber incident response exercises. Our policies include standards and procedures for vulnerability management, business continuity planning, encryption of sensitive data, physical security, user access controls, vendor risk management, teleworking, mobile device management and system monitoring. 26 SUN COMMUNITIES, INC. Comprehensive contingency and recovery plans are in place to ensure the ongoing provision of services to customers in the event of a cybersecurity incident. These are tested on a regular basis against scenarios of varying degrees by both internal and external resources. To manage vendor risk, we conduct ongoing risk assessments based on the vendor’s published Systems and Operational Controls (“SOC”) reports, information provided in vendor security questionnaires, and any publicly available information including ongoing litigation or external disclosures. As of the time of this filing, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial conditions. Refer to “Risk Factors” in Part I, Item 1A in this Annual Report on Form 10-K under the heading “Cybersecurity breaches and other disruptions could compromise our information and expose us to liability, which would cause our business and reputation to suffer,” for additional discussion about cybersecurity related risks. Governance Senior leadership provides the Board of Directors with ongoing security updates, which include notable changes to program plans, changes to the risk environment, information regarding material incidents that may have occurred, third-party audit reports on recent assessments of our security controls, and details regarding forward-looking plans and strategies to mitigate cyber risk. The Audit Committee of the Board of Directors provides oversight and is responsible for assessing risks to our business, in accordance with its charter. The Audit Committee engages in regular conversations with senior leadership about our security systems in order to monitor and mitigate risks from cybersecurity incidents, in accordance with our security principles and protocols. The Senior Vice President of Information Technology and the Director of Information Security bear direct responsibility for daily management of cyber risk. Oversight from the executive team, led by the Chief Administrative Officer, ensures strategic alignment. With a wealth of executive leadership spanning over 20 years in both public and private sectors, these individuals collectively possess more than 75 years of invaluable experience in information technology and security. The Information Security Management Committee (ISMC) and Enterprise Risk Management Committees (ERM) meet regularly to provide oversight of cyber risk management functions. Committee composition includes members from cross-functional departments, including technology, innovation, human resources, accounting and finance, internal audit, operations and executive management. Various members of these committees hold industry certifications representing expertise in information security risk and compliance management, including the Certified Information Technology Professional (CITP), Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC) designations. 27 SUN COMMUNITIES, INC.

Company Information