Elme Communities 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

Elme Communities reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 16:05:22 EST.

Filings

10-K filed on 2026-02-27

Elme Communities filed a 10-K at 2026-02-27 16:05:22 EST
Accession Number: 0000104894-26-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C: CYBERSECURITY We seek to ensure the safeguarding of data entrusted to us as we complete our Plan of Sale and Liquidation. Our cybersecurity strategy combines prevention with resiliency to help enhance our organization's cyber posture. In addition to monitoring the cyber threat landscape and managing our protection methodology, we focus on identification of, response to, and recovery from a cyber-attack. Our program employs the strengths of people, processes, and technology to protect resident, employee, and organization data. Cybersecurity Risk Management Processes Our cybersecurity policies, processes and practices are informed by well-recognized security frameworks such as the National Institute of Standards and Technology ("NIST") Cybersecurity Framework. The NIST framework and others provide a robust set of guidelines and leading practices, enabling us to identify, protect, detect, respond, and recover from cyber threats and potential cybersecurity incidents. The IT team reviews risks, threats, and trends related to cybersecurity and formally discusses the Company's cybersecurity strategy periodically. To manage cyber risks we identify through our overall risk management process, we take various actions, including the following: - perform in-house vulnerability management and third-party network penetration testing, - secure insurance coverage for cybersecurity incidents, - routinely benchmark our cybersecurity practices against well-recognized frameworks, - conduct incident response tabletop exercises to test our security countermeasures and incident response program, 18 - engage a third-party firm to audit our cybersecurity procedures, and - engage a third-party Managed Security Service Provider to perform network and endpoints monitoring. These actions help us identify opportunities for improvement in our incident preparedness and response processes, as we continue to manage cyber risk through the Plan of Sale and Liquidation. In the event of a cybersecurity incident, we maintain a regularly tested cybersecurity incident response program ("CIRP"). Pursuant to the program and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing any reporting and disclosure obligations associated with the incident, and performing post-incident analysis and program enhancements. While the personnel assigned to an incident response team may depend on the particular facts and circumstances, the team is generally led by a member of the IT team and will include other information technology and legal personnel. The incident response team regularly reports to senior management, in the event of a potentially notable incident. A member of the incident response team also reports periodically to the Company's Board regarding cybersecurity incidents impacting us. We use third parties for various services such as property management, enterprise resource planning software and cloud computing. We mitigate potential risks from third parties by assessing cybersecurity practices of new providers, reviewing and monitoring the cybersecurity practices of our major service providers, conducting periodic reviews of the cybersecurity strategy and posture of our other significant providers, and including security terms in our contracts where applicable. We also consider cybersecurity incidents at our third-party providers in our business continuity and disaster recovery planning. Governance Elme's leadership is committed to maintaining a secure environment that upholds high standards of privacy and data protection. The executive team reviews industry specific cybersecurity statistics and updates monthly from the IT team. We have documented control procedures that govern access to sensitive data and changes made to critical business systems. Our CIRP helps ensure timely notification of cybersecurity incidents to management and the Board. Our Senior Director, IT Operations is responsible for the oversight of our cybersecurity programs and has played a key role in the development, enhancement, and oversight of cybersecurity programs in his various roles at the Company for over a decade. The Board is responsible for review and oversight of Elme's cybersecurity risks and the programs and steps implemented by management to assess, manage and mitigate such risks. In the event of a cybersecurity incident, the Board is informed and updated by the incident response team as appropriate. Executive management provides regular updates during board meetings to help ensure that our trustees are informed about the evolving threat landscape and our risk management strategies. The Board receives a cyber update on an annual basis. The Board receives communications via email from management on topics of interest throughout the year. Risks, Threats, and Material Incidents As of December 31, 2025, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and we believe are not reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, during any of the prior three fiscal years. However, we and our third-party providers have been the target of cybersecurity threats and expect them to continue. Notwithstanding the extensive approach we take to address cybersecurity, there can be no assurance that our cybersecurity efforts and measures will be effective or that attempted cybersecurity incidents or disruptions would not be successful or damaging. See Item 1A. "Risk Factors" for further discussion of cybersecurity risks. 19

Company Information