Invitation Homes Inc. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Invitation Homes Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 15:15:47 EST.

Filings

10-K filed on 2025-02-27

Invitation Homes Inc. filed a 10-K at 2025-02-27 15:15:47 EST
Accession Number: 0001687229-25-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Our operations are highly dependent upon information systems that support our business processes. In the ordinary course of our business, we collect and store certain confidential information such as personal information of our residents and associates and information about our business partners, contractors, vendors, and suppliers. Cyber intrusions could seriously compromise our networks and the information stored therein could be accessed, publicly disclosed, misused, lost, or stolen. As such, we have established information security processes and policies using principles from industry recognized cybersecurity frameworks focused on: (i) developing organizational understanding to manage cybersecurity risks; (ii) applying safeguards to protect our systems; (iii) detecting the occurrence of a cybersecurity incident; (iv) responding to a cybersecurity incident; and (v) recovering from a cybersecurity incident. Where appropriate, these processes and policies are integrated into our overall risk management systems and processes. Information technology and data security, particularly cybersecurity, are areas of focus for our board of directors and its audit committee. We employ a multi-layered security model that leverages risk-based controls with a focus on protecting our residents’ and associates’ data. We follow a cloud-first approach to enable efficient scaling, robust business continuity, and access to the latest technology innovations. 50 Our cybersecurity risk management program aims to protect and preserve the confidentiality, integrity, and continued availability of our residents’ and associates’ data and includes controls and procedures for the identification, containment, and remediation of cyber threats. Our cybersecurity risk management program includes, among other key features: - regular cybersecurity risk assessments; - detection and reporting of any cybersecurity events; - independent strategy consultation on enhancement items and processes for cybersecurity tabletop exercises; - robust information security training program that includes annual information security training for all associates, as well as additional role-specific information security training; and - cyber incident response plan that provides controls and procedures for timely and accurate reporting of any material cybersecurity incident to executive leadership and our board of directors. We assess our cybersecurity risk management program at least annually and regularly review our cyber incident response plan. Our processes and policies also include the identification of those third-party relationships which have the greatest potential to expose us to cybersecurity threats. We also partner with industry leading third parties for regular security audits to ensure we view cybersecurity with a holistic perspective. Our cybersecurity risk management processes are a key element of our Enterprise Risk Management (“ERM”) process, which is designed to identify and evaluate the full range of significant risks to our business and operations. As part of our ERM program, our functional and operations departments identify and manage enterprise risks on an annual cycle. The process consists of structured reviews, discussions, and mitigation planning and includes risks identified by our Cybersecurity Governance Committee and information technology and cybersecurity functions as part of the overall review of significant enterprise risks. The top ERM risks are compiled annually and shared with the audit committee of the board of directors as well as the full board of directors. In addition, internal audit incorporates these risks into its continuous risk assessment process. Where appropriate, we seek to include in contractual arrangements with certain of our third-party vendors provisions addressing best practices with respect to data and cybersecurity, as well as the right to assess, monitor, audit, and test such vendors’ cybersecurity programs and practices. We also utilize a number of digital controls to monitor and manage third-party access to internal systems and data. We expect that our cybersecurity risk management processes and strategy will continue to evolve as the cybersecurity threat landscape evolves. As a backstop to our strong information security programs, policies, and procedures, we purchase a cybersecurity risk insurance policy that would defray the costs of an information security breach, if we were to experience one. Like other businesses, we have been, and expect to continue to be, subject to attempts at unauthorized access, mishandling or misuse, computer viruses or malware, cyber-attacks and intrusions, and other events of varying degrees. To date, we have not experienced a material security breach, nor are we aware of any third-party outside service providers that have experienced a cybersecurity breach. As a result, we have not incurred any significant expenses from information security breaches or any penalties or settlements related to the same. As of December 31, 2024, we do not believe that any risks from any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, our results of operations, or our financial condition. For a discussion of risks from cybersecurity threats that could materially affect us, please see Part I. Item 1A. “Risk Factors - Risks Related to Information Technology, Cybersecurity, and Data Protection.” Governance Since August 2020, our Vice President, Chief Information Security Officer (" CISO “) has led a team of information security professionals who have the first line responsibility for our cybersecurity risk management processes and activities. Our CISO has more than 20 years of experience as an information security leader responsible for assessing and managing cybersecurity programs. He reports directly to our Executive Vice President, Chief Information and Digital Officer, who 51 reports to our Chief Executive Officer, has over 25 years of experience managing global information technology operations, including strategy, application, infrastructure, information security, support, and execution. In performing his role, our CISO regularly performs the following: review of enterprise cybersecurity risks, controls, program policy, processes, and training; oversight of policy and program development, implementation, and updates; and information to senior leadership about cybersecurity-related issues and activities affecting the organization. Our CISO is regularly apprised of enterprise cybersecurity events, threats, and activities, including with respect to incidents, protection vulnerabilities, software update needs, and lifecycle status. He possesses a deep understanding of evolving cybersecurity threats, technologies, and industry best practices to identify cybersecurity risks and threats and assess and guide mitigation strategies effectively. Relevant cyber certifications include Certified Information Systems Security Professional and Certified Information Security Manager. Certifications of our cybersecurity professionals include, but are not limited to: Certified Information Systems Security Professionals from the International Information System Security Certification Consortium; Certified Information Security Manager from Information Systems Audit and Control Association; and focused training/certifications from security vendors on the applications utilized in the management of our cybersecurity program. The certifications mentioned above are accompanied by multiple years of direct experience in cybersecurity which provide the framework for the team’s continuous learning of new technologies, processes, trends, and concepts, with additional training obtained through relevant cybersecurity focused conferences. We have implemented a robust cybersecurity risk governance model, including the formation of the Cybersecurity Governance Committee chaired by our CISO and composed of key leaders from stakeholder groups throughout our company including our President and Chief Operating Officer, Chief Legal Officer, Chief Compliance Officer, and the head of internal audit, along with other senior members of management. Experience of key members of the committee includes: - Our President and Chief Operating Officer, who joined the Company as Chief Operating Officer in November 2017 and has served in his current role since March 2023, has over 25 years of commercial and strategic leadership experience. He excels at identifying and mitigating operational risks, including cybersecurity threats that could disrupt critical business processes. His contributions to the Cybersecurity Governance Committee include aligning cybersecurity initiatives with broader business strategies and ensuring cybersecurity considerations are integrated into information technology infrastructure and operations. - Our Chief Legal Officer, serving since August 2015, brings extensive experience as the top legal executive across various organizations. At Invitation Homes, he oversees all legal and regulatory affairs, including direct supervision of the risk management department. His expertise includes advising on governance frameworks, supporting board oversight of cybersecurity risk management, and addressing litigation trends and risks associated with cybersecurity breaches. - Our Chief Compliance Officer, who joined the Company in July 2016 and has served in her current role since July 2024, is an experienced public company counsel with over 20 years of combined private practice and in-house experience. She provides expertise in SEC regulations and disclosure requirements, including cybersecurity-related guidance, and ensures compliance with legal standards for disclosing material cybersecurity risks and incidents. In collaboration with internal audit, she helps oversee our ERM program to align cybersecurity initiatives with broader business strategies. She also brings a thorough understanding of breach notification requirements and regulatory responses to cybersecurity incidents. - Our Vice President of Internal Audit, serving since November 2017, brings specialized expertise in identifying internal threats and potential fraud related to cybersecurity through advanced audit techniques. She is skilled in aligning cybersecurity risk assessments with our ERM framework and monitoring the implementation of cybersecurity audit recommendations to ensure their effectiveness over time. The Cybersecurity Governance Committee meets quarterly to review the processes and performance indicators related to prevention, detection, mitigation, and remediation of cybersecurity incidents that could adversely impact business operations. We maintain a cross-functional cyber incident response plan with defined roles, responsibilities, and reporting protocols, which focuses on responding to and recovering from any significant breach as well as mitigating any impact to our business. Generally, when a breach or suspected breach is identified, the information security team would escalate the issue to the Cybersecurity Governance Committee for initial analysis and guidance. The Cybersecurity Governance Committee, in 52 consultation with appropriate subject matter experts, would be responsible for determining whether a particular incident alone or in combination with other factors, triggers any reporting and/or further notification responsibilities. The Cybersecurity Governance Committee would designate the primary manager of a cybersecurity incident, identify the parties who should be informed about the incident, and oversee the processes for containment, eradication, recovery, and resolution of the incident. Depending on the severity and impact of a cybersecurity threat, the audit committee and the board of directors would be notified of an incident and kept informed of the mitigation and remediation efforts. Our CISO and other senior members of information technology personnel regularly report to the audit committee and the board of directors on recent trends in cyber risks and review our strategy to defend our business systems and information against cyber-attacks. From time to time, outside advisors may be invited to brief the audit committee on the current cybersecurity threat landscape and other related topics. Our board of directors has an advanced understanding of its role and that of management in cyber-risk oversight and is well-positioned to guide management in the development and implementation of an effective cybersecurity risk program. Two members of our audit committee hold cybersecurity certifications: Ms. Sears holds a Cyber Risk and Strategy Certification from Diligent Institute; and Ms. Barbe holds a CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors. As part of its overall risk oversight activities, with respect to cybersecurity risk management, the audit committee: - oversees the quality and effectiveness of our policies and procedures with respect to our information technology and network systems; - provides oversight on our policies and procedures in preparation for responding to any material data security incidents; and - oversees management of internal and external risks related to our information technology systems and processes.

Company Information