Page last updated on March 3, 2025
SUN COMMUNITIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:10:44 EST.
Filings
10-K filed on 2025-02-28
SUN COMMUNITIES INC filed a 10-K at 2025-02-28 16:10:44 EST
Accession Number: 0000912593-25-000086
Item 1C. Cybersecurity.
Risk Management

Our business operations rely on the consistent availability of our communication platforms, enterprise applications, and related systems. We have implemented protocols to ensure the secure collection, storage, and transmission of data and have invested in the development and enhancement of controls designed to prevent, detect, and respond to unauthorized access, computer viruses, malware, data exfiltration, and other threats.

We have established an Information Security Management Committee to manage information security in accordance with the ISO 27001 standard to ensure the consistent application of security principles, policy statements and controls. By adhering to this industry standard, we manage and mitigate material risks from threats to our systems and data through the following actions:

- Partnering with reputable, recognized security firms
- Conducting regular internal and external audits and risk assessments
- Providing ongoing employee security awareness training
- Conducting tabletop exercises
- Running anti-phishing campaigns and simulated phishing exercise
- Deploying tools for continuous vulnerability monitoring
- Performing penetration testing and continuous system monitoring activities
- Conducting recovery simulations for core systems and data centers

Our comprehensive policies and procedures address critical areas including:

- Vulnerability management
- Business continuity planning
- Encryption of sensitive data
- Backup and recovery
- Physical security
- User access controls
- Vendor risk management
- Teleworking protocols
- Mobile device management
- Comprehensive system monitoring

These initiatives collectively reinforce our commitment to safeguarding information and ensuring the resilience of our security infrastructure.

Comprehensive contingency and recovery plans are in place to ensure the ongoing provision of services to customers in the event of a cybersecurity incident. These are tested on a regular basis against scenarios of varying degrees by both internal and external resources.

To manage vendor risk, we conduct ongoing risk assessments based on the vendor’s published Systems and Operational Controls (“SOC”) reports, information provided in vendor security questionnaires, and any publicly available information including ongoing litigation or external disclosures.

As of the time of this filing, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial conditions. Refer to “Risk Factors” in Part I, Item 1A in this Annual Report on Form 10-K under the heading “Cybersecurity breaches and other disruptions could compromise our information and expose us to liability, which would cause our business and reputation to suffer,” for additional discussion about cybersecurity related risks.

Governance

Senior leadership provides the Board of Directors with ongoing security updates, which include notable changes to program plans, changes to the risk environment, information regarding material incidents that may have occurred, third-party audit reports on recent assessments of our security controls, and details regarding forward-looking plans and strategies to mitigate cyber risk.

The Audit Committee of the Board of Directors provides oversight and is responsible for assessing risks to our business, in accordance with its charter. The Audit Committee engages in regular conversations with senior leadership about our security systems in order to monitor and mitigate risks from cybersecurity incidents, in accordance with our security principles and protocols.

The Chief Information Officer (CIO) and the Director of Information Security are directly responsible for managing cyber risk on a daily basis. The CIO reports to the Chief Administrative Officer (CAO), who oversees the Company’s overall information technology strategy and governance. Executive oversight, spearheaded by the CAO, ensures strategic alignment across the organization. With a wealth of leadership in both public and private sectors, these individuals collectively possess years of invaluable experience in information technology and security.

The Information Security Management Committee (ISMC) and Enterprise Risk Management Committees (ERM) meet regularly to provide oversight of cyber risk management functions. Committee composition includes members from cross-functional departments, including technology, innovation, human resources, accounting and finance, internal audit, operations and executive management. Various members of these committees hold industry certifications representing expertise in information security risk and compliance management, including the Certified Information Technology Professional (CITP), Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC) designations.
Company Information
Name | SUN COMMUNITIES INC |
CIK | 0000912593 |
SIC Description | Real Estate Investment Trusts |
Ticker | SUI - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |