INDEPENDENCE REALTY TRUST, INC. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

INDEPENDENCE REALTY TRUST, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:16:02 EST.

Filings

10-K filed on 2024-02-28

INDEPENDENCE REALTY TRUST, INC. filed an 10-K at 2024-02-28 16:16:02 EST
Accession Number: 0001466085-24-000023

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Risk Management and Strategy Our corporate information technology, communication networks, enterprise applications, accounting and financial reporting platforms, and related systems, and those that we offer to our residents are necessary for the operation of our business. We use these systems, among others, to manage our resident and vendor relationships, for internal communications, for accounting to operate record-keeping function, and for many other key aspects of our business. Our business operations rely on the secure collection, storage, transmission, and other processing of proprietary, confidential, and sensitive data. In recent years, cybersecurity attacks have increased on businesses as cyber criminals seek to gain access to sensitive information and use it for their personal or financial gain. We continuously seek to implement advanced technologies to strengthen our infrastructure, monitor for threats, and evaluate our capability to respond to incidents in order to minimize the potential impact to our systems, data, and operations. We rely on a multidisciplinary team, including our information security function, legal department, management, and third-party service providers, as described further below, to identify, assess, and manage cybersecurity threats and risks. We identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including, for example, using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and threat actors, conducting scans of the threat environment, evaluating our industry s risk profile, utilizing internal and external audits, and conducting threat and vulnerability assessments. We perform simulations and drills for responding to cybersecurity threats at both a technical and management level. We incorporate external expertise and reviews in all aspects of our cybersecurity program. All of our employees receive annual cybersecurity awareness training. Management, in coordination with our information technology department, is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company s overall risk management strategy, and communicating key priorities to relevant personnel. Management is also responsible for approving budgets, approving cybersecurity processes, and reviewing cybersecurity assessments and other cybersecurity-related matters. We also work with third parties that assist us in identifying, assessing, and managing cybersecurity risks, including professional services firms, consulting firms, threat intelligence service providers, and penetration testing firms. We seek to engage reliable, reputable service providers that maintain cybersecurity programs. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing certain obligations on the provider, conducting security assessments, and conducting periodic reassessments during their engagement. We have experienced various types of cyber-attack incidents which, to date, have been contained and did not have a material impact on our business strategy, results of operations or financial condition. As a result of such incidents, we continue to implement new controls, governance, technical protections, and other procedures to mitigate and prevent future incidents. We have a cybersecurity committee that is composed of our Executive Vice President of Technology, our Director of Information Technology and our General Counsel. The committee meets quarterly to review any incidents and 39 Table of Contents incident responses and reports its findings to the Chief Financial Officer. We may incur substantial costs and suffer other negative consequences such as liability, reputational harm and significant remediation costs and experience material harm to our business and financial results if we, or our vendors or suppliers fall victim to other successful cyber-attacks. Governance Our Board of Directors holds oversight responsibility over the Company s strategy and risk management, including material risks related to cybersecurity threats. This oversight is executed directly by the Board of Directors and through its committees. Our Audit Committee oversees risks and exposures associated with financial matters, particularly financial reporting, tax (including compliance with REIT rules), accounting, disclosure, internal control over financial reporting, cybersecurity, financial policies, investment guidelines, development and leasing, and credit and liquidity matters. In addition, the Risk Committee oversees our enterprise risk management practices to ensure that we are equipped to anticipate, identify, prioritize, and manage material risks to the Company. Our Risk Committee assists our Board of Directors in its oversight of our enterprise risk management framework, including cybersecurity, our overall risk-taking tolerance and our management of financial, reputational and operational risk. Within the principal functions of the Risk Committee are its responsibilities in overseeing cybersecurity risk, information security, and technology risk, as a well as management s actions to identify, assess, mitigate, and remediate material issues. On a quarterly basis, our Executive Vice President of Technology provides information to our Chief Financial Officer, who reports to our Chief Executive Officer and the Risk Committee on our cybersecurity risk capabilities and threats. Our Executive Vice President of Technology has extensive cybersecurity knowledge and skills gained from over five years of work experience on the security team at IRT and an extensive career in the technology and cybersecurity industries as a President and Chief Information Officer at Results Theory, Inc.. Our Executive Vice President of Technology heads the team responsible for implementing and maintaining cybersecurity and data protection practices at IRT and reports directly to the Chief Financial Officer. 40 Table of Contents

Company Information