CubeSmart, L.P. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

CubeSmart, L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:58:04 EST.

Filings

10-K filed on 2024-02-29

CubeSmart, L.P. filed an 10-K at 2024-02-29 16:58:04 EST
Accession Number: 0001298675-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We recognize the importance of developing, implementing and maintaining robust measures to safeguard our electronic information systems and we have established processes, described below, to assess, identify, manage and mitigate risks from cybersecurity threats and cybersecurity incidents. We believe our processes are reasonable for real estate companies of our size and complexity. We have integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Under the direction of our Senior Vice President, Information Technology and our Senior Director, Information Security & Infrastructure (together, the Cybersecurity Leadership Team ) our Information Technology department regularly monitors cybersecurity threats and leads the prevention, detection, mitigation and remediation of cybersecurity incidents, with regular reporting to senior management and to the Board on these topics. The Critical Security Controls, a prescriptive, prioritized, and standardized set of globally recognized best practices, guide our information security strategy. The Critical Security Controls are developed and maintained by the Center for Internet Security, Inc., a nonprofit organization with over 20 years of experience in helping individuals, businesses and governments protect themselves against cyber threats. We also consider best practices from third-party vendors and payment processors and from the Cloud Security Alliance, a nonprofit organization that leverages global expertise to offer research and education programs related to cloud security. Recognizing the complexity and evolving nature of cybersecurity threats, we also retain a range of external experts, including cybersecurity assessors, consultants and auditors in evaluating and testing our information security processes and systems. These engagements enable us to access specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our engagements with these third parties include regular audits, threat assessments and consultation on security enhancements. We also regularly conduct information security training to ensure that all employees, including those who may come into possession of confidential financial or personally identifiable information, are aware of information security risks and are equipped to take steps to mitigate such risks. The results of such tests, assessments, reviews and trainings are evaluated by senior management and our cybersecurity policies, processes and practices are refined as necessary based on the information provided. We routinely conduct thorough security assessments of our third-party service providers that have access to our electronic information (including data centers operated by third parties and cloud computing platforms) and we maintain policies and procedures to oversee and identify cybersecurity risks associated with our use of third-party service providers. Our policies and procedures also include technical controls and processes, as well as contractual mechanisms to mitigate risk. Assessments are performed biannually by the Cybersecurity Leadership Team and on a regular basis by their staff. Since January 1, 2021, we have not experienced any cybersecurity incidents that have resulted in material financial loss. We are not aware of any cybersecurity threats or cybersecurity incidents that have materially affected or are reasonably likely to materially affect us or our business strategy, results of operations or financial condition. Management Oversight Primary responsibility for the oversight of the assessment, identification and management of our cybersecurity risks rests with our Senior Vice President, Information Technology. Under her direction, these risk mitigation efforts are designed, tested, and implemented by our Senior Director, Information Security & Infrastructure. Collectively, the Cybersecurity Leadership Team has over 50 years of experience in the field of Information Technology, holding relevant academic degrees and industry certifications, including the Certified Cloud Security Professional and Certified Information Systems Security Professional designations. The Cybersecurity Leadership Team oversees our information technology governance programs, tests our compliance with standards, remediates known risks, and leads our employee cybersecurity training program. The Cybersecurity Leadership Team continually assesses and discusses the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition enhances our processes that are used to identify, prevent, mitigate and remediate cybersecurity threats and cybersecurity incidents. The Cybersecurity Leadership Team s responsibilities include the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the Cybersecurity Leadership Team is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact of the incident, reporting such events to senior management, and developing strategies for remediation and prevention of future incidents. 28 Table of Contents The Cybersecurity Leadership Team maintains an ongoing dialogue with senior management regarding emerging or potential cybersecurity risks. Together, they discuss updates on any significant developments in the cybersecurity domain, ensuring that management s oversight is proactive. In addition, a cross-organizational cyber task force, which includes the Cybersecurity Leadership Team and several members of senior management, meets regularly to consider and address cybersecurity risks, including risks related to our use of third-party service providers. This task force reports regularly to senior management, who actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. The involvement of senior management in our cybersecurity strategy ensures that cybersecurity considerations are collaborative and integrated into our broader strategic objectives. The Cybersecurity Leadership Team regularly informs the cyber task force of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing us. Furthermore, as noted below, significant cybersecurity matters, and strategic risk management decisions are escalated to the Audit Committee and, as appropriate, the Board, ensuring that such bodies maintain comprehensive oversight and can provide guidance on critical cybersecurity issues. Board of Trustees Oversight The Board acknowledges the importance of managing risks associated with cybersecurity threats and cybersecurity incidents and has established oversight mechanisms to manage such risks. The Audit Committee is central to the Board s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of five independent Trustees, two of whom have considerable information technology experience. The Audit Committee receives comprehensive briefings from the Cybersecurity Leadership Team on an annual basis. These briefings help identify areas for improvement and ensure the alignment of cybersecurity efforts with our overall risk management framework. The broad range of topics encompassed in these briefings includes: The current cybersecurity landscape and emerging threats; Our cybersecurity posture and the effectiveness of our risk management strategies; The status of ongoing cybersecurity initiatives and strategies; and Our compliance with regulatory requirements and industry standards. Our internal controls also provide for the Audit Committee to receive prompt information regarding any cybersecurity incident that meets established reporting thresholds, as well as for updates regarding any such incident until it has been fully remediated. The Audit Committee provides updates to the Board regarding such matters, as appropriate. 29 Table of Contents

Company Information