Elme Communities 10-K Cybersecurity GRC - 2025-02-14

Page last updated on February 14, 2025

Elme Communities reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 16:03:51 EST.

Filings

10-K filed on 2025-02-14

Elme Communities filed a 10-K at 2025-02-14 16:03:51 EST
Accession Number: 0000104894-25-000020


Item 1C. Cybersecurity.

We are committed and focused on cybersecurity and seek to ensure the safeguarding of data entrusted to us. Our cybersecurity strategy combines prevention with resiliency and continuous improvement to help enhance our organization’s cyber posture. We regularly reevaluate the threat landscape and evolve our strategies to address new threats. In addition to regularly refining our protection methodology, we focus on identification of, response to, and recovery from a cyber-attack. Our program employs the strengths of people, processes, and technology to protect resident, employee, and organization data.

Cybersecurity Risk Management Processes

Our cybersecurity policies, processes and practices are informed by well-recognized security frameworks such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The NIST framework and others provide a robust set of guidelines and leading practices, enabling us to identify, protect, detect, respond, and recover from cyber threats and potential cybersecurity incidents. Regularly benchmarking our cybersecurity measures against the NIST framework helps ensure that our protocols remain robust and current in the face of evolving cyber threats.

Our Cybersecurity Risk Management (“CRM”) processes are ingrained in our overall ERM process. As part of our ERM process, department leaders identify, assess and evaluate risks impacting Elme and its operations across several pillars corresponding to significant business processes, including those risks related to cybersecurity. The IT department reviews risks, threats, and trends related to cybersecurity on a daily basis and formally discusses the Company’s cybersecurity strategy on a weekly basis. We evaluate the methods, procedures and initiatives that reduce identified inherent risks and the residual risk to the Company. The identified risks and the processes we use to manage these risks are presented to the executive team and the Board on at least an annual basis. We report results of our ERM process, along with an assessment of top risks and corresponding risk management strategy, to the Board.

Cybersecurity is a distinct pillar of our ERM process. To manage these risks, we take various actions, including the following:

- Require an annual user awareness and education program in which new and existing employees complete assessments to benchmark their awareness of cybersecurity threats and leading practices,
- conduct regular email phishing tests with additional training provided to employees who fail the tests,
- perform in-house vulnerability management and third-party network penetration testing,
- secure insurance coverage for cybersecurity incidents,
- routinely benchmark our cybersecurity practices against well-recognized frameworks,
- conduct incident response tabletop exercises to test our security countermeasures and incident response program,
- engage a third-party firm to audit our cybersecurity procedures, and
- engage a third-party Managed Security Service Provider to perform network and endpoints monitoring.

These actions help us identify opportunities for improvement in our incident preparedness and response processes.

In the event of a cybersecurity incident, we maintain a regularly tested cybersecurity incident response program (“CIRP”). Pursuant to the program and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing any reporting and disclosure obligations associated with the incident, and performing post-incident analysis and program enhancements. While the personnel assigned to an incident response team may depend on the particular facts and circumstances, the team is generally led by the Chief Information Officer (“CIO”) or another member of the IT team and will include other information technology and legal personnel. The incident response team regularly reports to senior management, in the event of a potentially notable incident. The CIO or another member of the incident response team also reports periodically to the Company’s Board regarding cybersecurity incidents impacting us.

We use third parties for various services such as property management, enterprise resource planning software and cloud computing. We mitigate potential risks from third parties by assessing cybersecurity practices of new providers, continually reviewing and monitoring the cybersecurity practices of our major service providers, conducting periodic reviews of the cybersecurity strategy and posture of our other significant providers, and including security terms in our contracts where applicable. We also consider cybersecurity incidents at our third-party providers in our business continuity and disaster recovery planning.

Governance

Elme’s leadership is committed to maintaining a secure environment that upholds high standards of privacy and data protection. The executive team reviews industry specific cybersecurity statistics and updates monthly from the IT team. We have documented control procedures that govern access to sensitive data and changes made to critical business systems. Our CIRP helps ensure timely notification of cybersecurity incidents to management and the Board.

Our CIO has been responsible for the development, enhancement, and oversight of cybersecurity programs in her role as a CIO for over a decade at two publicly traded real estate companies. She is a member of the Real Estate Cyber Consortium, the National Multi Housing Council Data Privacy, Security, and Information Management Committee, and the RE-ISAC Cybersecurity Working Group.

The Board is responsible for review and oversight of Elme’s cybersecurity risks and the programs and steps implemented by management to assess, manage and mitigate such risks. In the event of a cybersecurity incident, the Board is informed and updated by the incident response team as appropriate. Executive management provides regular updates during board meetings to help ensure that our trustees are informed about the evolving threat landscape and our risk management strategies. The Board receives a cyber update from the CIO on an annual basis. The Board receives communications via email from the CIO on topics of interest throughout the year.

Risks, Threats, and Material Incidents

As of December 31, 2024, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and we believe are not reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, we and our third-party providers have been the target of cybersecurity threats and expect them to continue. Notwithstanding the extensive approach we take to address cybersecurity, there can be no assurance that our cybersecurity efforts and measures will be effective or that attempted cybersecurity incidents or disruptions would not be successful or damaging. See Item 1A. “Risk Factors” for further discussion of cybersecurity risks.


Company Information

Name: Elme Communities
CIK: 0000104894
SIC Description: Real Estate Investment Trusts
Ticker: ELME - NYSE
Website
Category: Large accelerated filer
Fiscal Year End: December 30