National Storage Affiliates Trust 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

National Storage Affiliates Trust reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:40:22 EST.

Filings

10-K filed on 2024-02-28

National Storage Affiliates Trust filed an 10-K at 2024-02-28 16:40:22 EST
Accession Number: 0001628280-24-007624

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures aligned to industry standards to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. Management of Material Risks & Integration into Overall Risk Management We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity awareness and risk management and have incorporated cybersecurity considerations into our decision-making processes. Our risk management team works closely with our IT department to identify, evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. Our risk management team also provides regular reporting to management on our enterprise cybersecurity risk posture. Engagement of Third-parties on Risk Management Recognizing the complexity and evolving nature of cybersecurity threats, we engage a range of external experts, including cybersecurity assessors and consultants in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, so that we can better understand the current and evolving cybersecurity risks and strategies. Our collaboration with these third-parties includes periodic audits, threat assessments, and consultation on security enhancements. Risks from Cybersecurity Threats We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition. Refer to Item 1A. Risk factors in this annual report on Form 10-K, including Security breaches through cyber-attacks, cyber-intrusions, or other methods could disrupt our information technology networks and related systems , for additional discussion about cybersecurity-related risks. 30 Governance The board of trustees is acutely aware of the critical nature of managing risks associated with cybersecurity threats and oversees the Company’s cybersecurity risk management activities. Board of Trustees Oversight The audit committee of our board of trustees is central to the board of trustees s oversight of cybersecurity risks and bears the primary responsibility for this domain. The members of the audit committee have a variety of expertise, including financial, regulatory and risk management. The audit committee reviews our policies with respect to risk assessment and risk management related to cybersecurity. The audit committee and the board of trustees receive updates on the Company s cybersecurity risks and initiatives periodically. In addition, cybersecurity matters are reported to the audit committee or board of trustees so that the board of trustees and audit committee can effectively carry out their oversight role. Management s Role Managing Risk Our risk management committee is comprised of a cross section of the Company s management team. The risk management committee has identified cybersecurity as a key risk to the Company s operations and established a cybersecurity sub-committee, which is comprised of members of the risk management committee and other personnel, to focus on this key risk. The cybersecurity sub-committee plays a pivotal role in informing the risk management committee on cybersecurity risks. They provide comprehensive briefings to the risk management committee on a regular basis. These briefings encompass a broad range of topics, including: Awareness of cybersecurity landscape, emerging threats, trends and developments; Status of ongoing cybersecurity initiatives and strategies Incident reports and learnings from any cybersecurity events Compliance with regulatory requirements and industry standards; and Education in cybersecurity and associated risk management frameworks. The risk management committee actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are a consistent focus of the Company and that the Company’s cybersecurity efforts are aligned with the overall risk management framework. We have also implemented cybersecurity training at all levels of our organization and conduct periodic phishing assessment for our employees to reinforce that training. Risk Management Personnel Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the cybersecurity sub-committee. With over a combined 45 years of experience in the field of cybersecurity, the cybersecurity sub-committee brings a wealth of expertise to their role. Their in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our cybersecurity sub-committee oversees our cybersecurity strategies, tests our compliance with standards, remediates known risks, and leads our employee training program. Monitor Cybersecurity Incidents The cybersecurity sub-committee stays apprised about the latest developments in cybersecurity, including potential threats and innovative risk management techniques, which is important for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The cybersecurity sub-committee implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the cybersecurity sub-committee is equipped with a well-defined incident response plan, which provides a framework to mitigate the impact of cybersecurity incidents 31 The cybersecurity sub-committee regularly informs the risk management committee of matters related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the board of trustees, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.

Company Information