SUN COMMUNITIES INC 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

SUN COMMUNITIES INC reported its cybersecurity risk management and governance process in an annual 10-K filed on 2026-02-25 15:40:27 EST.

Filings

10-K filed on 2026-02-25

SUN COMMUNITIES INC filed a 10-K at 2026-02-25 15:40:27 EST
Accession Number: 0000912593-26-000086


Item 1C. Cybersecurity.

Risk Management

Our business operations rely on the consistent availability of our communication platforms, enterprise applications, and related systems. We have implemented protocols to ensure the secure collection, storage, and transmission of data and have invested in the development and enhancement of controls designed to prevent, detect, and respond to unauthorized access, computer viruses, malware, data exfiltration, and other threats. Cybersecurity risk management is integrated into the Company's broader enterprise risk management framework and is evaluated alongside other operational, financial, and strategic risks.

We have established an Information Security Management Committee to manage information security in accordance with the ISO 27001.2022 standard to ensure the consistent application of security principles, policy statements, and controls. By adhering to this industry standard, we manage and mitigate material risks from threats to our systems and data through the following actions:

- Partnering with reputable, recognized security firms
- Conducting regular internal and external audits and risk assessments
- Providing frequent employee security awareness training
- Conducting tabletop exercises
- Running anti-phishing and social engineering campaigns
- Deploying tools for continuous vulnerability monitoring and management
- Performing penetration testing and continuous system monitoring activities
- Conducting recovery simulations for core systems and data centers

Our comprehensive policies and procedures address critical areas including:

- Vulnerability management
- Business continuity planning
- Incident response
- Encryption of sensitive data
- Backup and recovery
- Physical security
- User access controls
- Vendor risk management
- Teleworking protocols
- Mobile device management
- Comprehensive system monitoring

These initiatives collectively reinforce our commitment to safeguarding information and ensuring the resilience of our security infrastructure.

Comprehensive contingency and recovery plans are in place to ensure the ongoing provision of services to customers in the event of a cybersecurity incident. These are tested on a regular basis against scenarios of varying degrees by both internal and external resources. Our resilience planning is designed to maintain critical business operations and customer services during and following a cybersecurity incident.

To manage vendor risk, we conduct ongoing risk assessments based on the vendor's published Systems and Operational Controls ("SOC") reports, information provided in vendor security questionnaires, and any publicly available information including ongoing litigation or external disclosures. We evaluate third-party service providers prior to engagement and perform ongoing monitoring throughout the vendor lifecycle based on risk tiering, contractual security requirements, and review of independent assurance reports.

Our incident response framework includes defined escalation protocols designed to ensure that significant cybersecurity events are promptly evaluated for potential materiality and reported to senior leadership and the Board of Directors, as appropriate. We also maintain cybersecurity insurance coverage intended to help mitigate potential losses associated with certain cybersecurity incidents.

As of the time of this filing, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial conditions. Refer to "Risk Factors" in Part I, Item 1A in this Annual Report on Form 10-K under the heading "Cybersecurity breaches and other disruptions could compromise our information and expose us to liability, which would cause our business and reputation to suffer," for additional discussion about cybersecurity related risks.

Governance

Senior leadership provides the Board of Directors with ongoing security updates, which include notable changes to program plans, changes to the risk environment, information regarding material incidents that may have occurred, third-party audit reports on recent assessments of our security controls, and details regarding forward-looking plans and strategies to mitigate cyber risk.

The Audit Committee of the Board of Directors provides oversight and is responsible for assessing risks to our business, in accordance with its charter. The Audit Committee engages in regular conversations with senior leadership about our security systems in order to monitor and mitigate risks from cybersecurity incidents, in accordance with our security principles and protocols. The Board of Directors and the Audit Committee receive periodic briefings, and additional updates are provided as needed in response to emerging threats or significant incidents.

The Chief Information Officer (CIO) and the Director of Information Security are directly responsible for managing cyber risk on a daily basis. The CIO reports to the Chief Administrative Officer (CAO), who oversees the Company's overall information technology strategy and governance. Executive oversight, spearheaded by the CAO, ensures strategic alignment across the organization. These leaders collectively bring significant experience across public and private sector organizations in information technology operations, cybersecurity, and risk management, including experience managing enterprise security programs and responding to cybersecurity incidents.

The Information Security Management Committee (ISMC) and Enterprise Risk Management Committees (ERM) meet regularly to provide oversight of cyber risk management functions. Committee composition includes members from cross-functional departments, including technology, innovation, human resources, accounting and finance, internal audit, operations, and executive management. Various members of these committees hold industry certifications representing expertise in information security risk and compliance management, including the Certified Information Technology Professional (CITP), Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC) designations.


Company Information

Name: SUN COMMUNITIES INC
CIK: 0000912593
SIC Description: Real Estate Investment Trusts
Ticker: SUI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: May 13