Apartment Income REIT, L.P. 10-K Cybersecurity GRC - 2025-03-19

Page last updated on March 19, 2025

Apartment Income REIT, L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-19 16:14:55 EDT.

Filings

10-K filed on 2025-03-19

Apartment Income REIT, L.P. filed a 10-K at 2025-03-19 16:14:55 EDT
Accession Number: 0001628280-25-013828

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy The AIR Operating Partnership takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations that are designed to address cybersecurity threats and incidents . We regularly assesses risks from cybersecurity threats, monitors its information systems for potential vulnerabilities, and tests those systems according to our cybersecurity policies, standards, processes, and practices, which are integrated into our overall approach to enterprise risk management. To protect its information systems from cybersecurity threats, We use various security tools that help it identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. Our cybersecurity program is designed to align with the National Institute of Technology Standards Cybersecurity Framework 2.0, which provides a structured approach for governing, assessing, identifying, and managing material risks from cybersecurity threats. The AIR Operating Partnership’s technology team, under the leadership of our Senior Vice President of Technology and Chief Technology Officer, who has over 30 years of technology management experience, defines an annual work plan designed to maintain strong cybersecurity maturity, set improvement objectives of key controls and systems, including feedback from third-party assessments, and identify and implement on-going investments to replace or upgrade systems or technologies and proactively maintain strong security. As part of our annual planning, management conducts regular tabletop testing of our incident response plan to increase awareness, establish key decision-making criteria, ensure effective communication among key stakeholders, and comply with our disclosure obligations. We also partner with third-party experts to assess the effectiveness of our cybersecurity prevention and response systems and processes (e.g., periodic penetration testing and assessments of IT general controls). We also engage vendors to enhance cybersecurity safeguards and improve incident response and updates or replaces systems and applications as appropriate to improve data processing and storage management and enhance security. To further protect our information systems, we structure and monitor our relationships with third-party service providers and periodically conduct due diligence on their cybersecurity architecture and process design . To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us and we believe are not reasonably likely to have a material adverse effect on us, including its business strategy, results of operations, or financial condition. For additional information on cybersecurity risks and potential related impacts on AIR Operating Partnership, refer to “Our business and operations would suffer in the event of significant disruptions or cyberattacks of our information technology systems or our failure to comply with laws, rules and regulations related to privacy and data protection.” in Part I , Item 1A , Risk Factors. Governance Our Senior Vice President of Technology and Chief Technology Officer, in coordination with other members of AIR Operating Partnership’s management , is responsible for leading the assessment and management of cybersecurity threats. AIR Operating Partnership has implemented a governance program for its cybersecurity efforts. This includes regularly updating privacy notices, terms of use, and lease documents, as well as identifying responsible teammates to facilitate the implementation of cybersecurity priorities. These teammates report regularly to senior management on risk identification, safeguards, and mitigation steps. AIR Operating Partnership has developed and implemented policies to identify and mitigate cybersecurity risks and provides training to teammates at onboarding and annually thereafter. Updates are communicated to all teammates, and actionable guidance is provided when new risks arise. Our Board of Directors (i.e., the Board of Directors of AIR, with AIR as the sole member of the sole member of the General Partner) will receive updates on the AIR Operating Partnership’s cybersecurity profile risk assessment and technology environment and the broader technology landscape as and when appropriate. 16 Table of Content

Company Information