American Homes 4 Rent, L.P. 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

American Homes 4 Rent, L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 14:39:06 EST.

Filings

10-K filed on 2025-02-21

American Homes 4 Rent, L.P. filed a 10-K at 2025-02-21 14:39:06 EST
Accession Number: 0001562401-25-000013


Item 1C. Cybersecurity.

We believe that having a strong cybersecurity program, including robust risk management and oversight procedures, is critical to our business success. Our cybersecurity program includes written policies and standards that follow the guidance of well-recognized industry cybersecurity frameworks.

Management and Board Oversight

We have a dedicated cybersecurity team led by our Vice President of Information Security (“CISO”), who reports on cybersecurity directly to our Chief Technology Officer (“CTO”), who reports to our Chief Financial Officer (“CFO”). Our CISO has significant experience in cybersecurity and IT compliance, is a member of InfraGard, a national non-profit organization serving as a public-partnership between U.S. businesses and the Federal Bureau of Investigation, and is a member of the Cal Poly Pomona Cyber Security Advisory Council. He has also obtained the following certifications: Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Cloud Security Professional (CCSP), and Certified Chief Information Security Professional (CCISO). Our CTO has over two decades of experience in establishing, administering, and enhancing effective cybersecurity programs for multiple publicly-traded companies. Our CTO and CISO conduct quarterly cybersecurity reviews for our Chief Executive Officer (“CEO”), CFO, and Chief Legal Officer (“CLO”).

In the event of an incident which jeopardizes the confidentiality, integrity, or availability of the information technology systems we use, including systems provided by third party service providers, we utilize a regularly updated incident response plan that was developed taking into account a recognized third-party cybersecurity framework. Pursuant to that plan and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting and disclosure obligations associated with the incident, and performing post-incident analysis and program improvements. While the particular personnel assigned to an incident response team will depend on the particular facts and circumstances, the team is generally led by the CISO or another member of the dedicated cybersecurity team, and will include other information technology and legal personnel.

The incident response team regularly reports to senior management, including the CEO, CFO, COO and CLO in the event of a potentially significant cybersecurity incident. The CISO or another member of the incident response team also reports to the Company’s Disclosure Committee, which makes determinations regarding SEC reporting obligations related to the cybersecurity incident and consists of senior officers in the operations, finance, and legal functions. The Disclosure Committee also consults with the chair of the Audit Committee of the board of trustees in making determinations regarding applicable SEC reporting requirements.

The board of trustees considers cybersecurity as part of its broader consideration of business strategy and enterprise risk management. Our board of trustees has delegated to the Audit Committee the responsibility of overseeing the Company’s risk management program, including the cybersecurity program. The Audit Committee, which consists solely of independent trustees and whose chair has information security experience, receives quarterly updates with respect to the cybersecurity program. As part of its oversight, the Audit Committee may, for example, receive updates regarding assessments of our alignment with certain industry cybersecurity frameworks, our cybersecurity insurance coverage, cybersecurity-related internal controls, cybersecurity training provided to company personnel, results of penetration testing, and revisions to the incident response plan and business continuity plan. The Audit Committee provides regular briefings to the full board of trustees with respect to the Company’s cybersecurity program. Additionally, we provide an annual update on the cybersecurity program to the full board of trustees, which has included our CTO and third-party cybersecurity experts in recent years.

As part of our board refreshment efforts in recent years we have focused on adding trustees with cybersecurity risk management experience. Currently four members of our board of trustees have information security experience.

Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

Our cybersecurity program has four components: (1) prevention and preparation, (2) detection and analysis, (3) containment, eradication, recovery, and reporting, and (4) post-incident analysis and program enhancements.

Prevention and Preparation

We undertake regular internal and external security audits and vulnerability assessments to reduce the risk of a cybersecurity incident and we implement business continuity, contingency and recovery plans to mitigate the impact of an incident. As part of these efforts, we engage a third-party to conduct an external review of our vulnerabilities at least annually. We continue to strengthen our authentication mechanisms including broad adoption of multi-factor authentication and geolocation-based blocking. To support our preparedness, we perform a tabletop exercise at least once a year to test our incident response procedures.

We recognize that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, a key element of our prevention efforts is training employees on our data privacy and cyber security procedures. For example, new hires receive mandatory privacy and information security training. In addition, current employees must complete mandatory annual cybersecurity and data trainings, which are supplemented by regular phishing and other cyber-related awareness activities that we conduct throughout the year.

We also recognize that third-parties that provide information systems we use can be subject to cybersecurity incidents that could impact us. To mitigate third party risk, we maintain a Vendor Integrity Code, which is designed to require our third-party vendors to comply with our requirements for maintenance of passwords, as well as other confidentiality, security, and privacy procedures. Third-party IT vendors determined to present a higher risk are also subject to additional diligence such as questionnaires, inquiries, and review of System and Organization Controls (SOC) 1 and 2 reports, when relevant.

Detection and Analysis

We have implemented controls aligned with industry guidelines and applicable statutes and regulations to identify threats, detect attacks and protect the integrity of our information assets. Our cybersecurity team, with the assistance of an outside cybersecurity firm, continuously monitors for threats to keep our systems secure. Cybersecurity incidents may also be detected through a variety of means, which may include, but are not limited to, employee notification to our IT service center, notification from external parties (e.g., customers, vendors, or service providers), and automated event-detection notifications.

Once a potential cybersecurity incident is identified, including a third-party cybersecurity event, the incident response team designated pursuant to the incident response plan follows the procedures set forth in the plan to investigate the potential incident, including classifying the nature and severity of the event. Potentially significant cybersecurity incidents are escalated to the Disclosure Committee, which makes determinations regarding SEC reporting obligations related to the cybersecurity incident.

Containment, Eradication, Recovery, and Reporting

The incident response team executes our incident response plan to respond to the cybersecurity incident and coordinate resources and communication protocols. The incident response team also directs and coordinates eradication and recovery efforts. Eradication and recovery activities depend on the nature of the cybersecurity incident and may include rebuilding systems and/or hosts, replacing compromised files with clean versions or validation of files or data that may have been affected. We have also retained an outside cybersecurity firm which would assist with containment, eradication, and recovery efforts, as needed. Further, the Company also maintains cyber risk insurance to provide some coverage for certain risks arising out of data and network breaches, and the Audit Committee annually reviews such coverage.

The Company’s incident response plan provides clear communication protocols, including with respect to members of senior management, which may include, depending on the incident’s classification and other circumstances, the CEO, CFO, COO and CLO, the Audit Committee, the Disclosure Committee, and internal and external counsel. In addition, the incident response plan considers communications and reporting to tenants, regulators and law enforcement.

Post-Incident Activity

After recovery, the Company performs a review of the incident to identify potential enhancements to the cybersecurity program that can mitigate the risk or severity of future incidents. The results of these reviews are shared with management and the Audit Committee.

Cybersecurity Risks

As of December 31, 2024, we have not had any known instances of material cybersecurity incidents. However, there can be no assurance that our security efforts and measures will be effective or that attempted security incidents or disruptions would not be successful or damaging. In addition, although the Company maintains cyber risk insurance to provide some coverage for certain risks arising out of data and network breaches, there can be no assurance that our cyber risk insurance coverage will be sufficient in the event of a cyber-attack. See “Risk Factors-Risks Related to our Business-If our confidential information is compromised or corrupted, including as a result of a cybersecurity incident, our business operations and reputation could be damaged, which could adversely affect our financial condition and operating results.”


Company Information

Name: American Homes 4 Rent, L.P.
CIK: 0001716558
SIC Description: Real Estate Investment Trusts
Fiscal Year End: December 30