SmartStop Self Storage REIT, Inc. 10-K Cybersecurity GRC - 2025-03-12

Page last updated on March 12, 2025

SmartStop Self Storage REIT, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-12 16:03:22 EDT.

Filings

10-K filed on 2025-03-12

SmartStop Self Storage REIT, Inc. filed a 10-K at 2025-03-12 16:03:22 EDT
Accession Number: 0000950170-25-037896

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We take a comprehensive approach to cybersecurity and prioritize the security and integrity of our data, including those of our customers and other stakeholders, as a top priority. Our board of directors (in particular our audit committee) and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. We have devoted significant resources to implement and maintain security measures to meet regulatory requirements and stakeholder expectations, and we intend to continue to make appropriate investments to maintain the security and integrity of our data. There can be no guarantee that our established policies, standards, processes and practices will be properly followed in every instance or that they will be effective at mitigating all cybersecurity threats. Although our risk factors include further detail about the material cybersecurity risks we face, we believe that risks from cybersecurity threats, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business, results of operations, or financial condition. Our policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management process and are based on frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization and other applicable industry standards and best practices. Our cybersecurity program in particular focuses on the following key areas:collaboration, risk assessment, technical safeguards, incident response and recovery planning, third-party risk management, education and awareness, and governance. Collaboration Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, risk, and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying, preventing and mitigating cybersecurity threats. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and our board of directors in a timely manner. Risk Assessment At least annually, we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known security vulnerabilities, and other external sources (e.g., reported security incidents that have impacted 33 other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, and make recommendations to improve processes. Our board of directors and members of management, as appropriate, are presented with any updates we make due to our risk assessment. Technical Safeguards We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and other developing cybersecurity practices. Incident Response and Recovery Planning We have established comprehensive incident response and recovery plans and continue to evaluate the effectiveness of those plans. Our incident response and recovery plans address and guide our response to a cybersecurity incident. Third-Party Risk Management We have implemented processes designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in our risk assessments, including information supplied by providers and third parties . In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate. Education and Awareness We regularly remind employees of the importance of handling and protecting customer and employee data, including through annual certifications of our policies as well as periodic security training to enhance employee awareness of how to detect and respond to cybersecurity threats. Governance Our board of directors delegated to our audit committee oversight of cybersecurity and other information technology (“IT”) risks. Our audit committee receives quarterly reports from management on our cybersecurity risks. In addition, management updates the audit committee as necessary regarding any significant cybersecurity incidents. Our IT team, led by our Chief Information Officer, is responsible for assessing and managing our significant risks from cybersecurity threats and has primary responsibility for our risk management process and overall cybersecurity risk management program. This team includes in-house personnel devoted to these efforts, as well as a third-party IT firm, and they collectively have extensive knowledge of the technologies and applications we have adopted to address our cybersecurity risk. In addition, our Chief Information Officer supports our company by staying informed about and monitoring efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include: briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources; and alerts and reports produced by security tools deployed in the IT environment.

Company Information