Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Strategy and Risk Management

To mitigate cybersecurity risks we have adopted a process of continuous improvement and adaptation to the ever-changing threat landscape. As part of this process, we engage with industry-leading managed security service providers to supplement our efforts in preventing, identifying and responding to cybersecurity threats. Our information technology operations, information security processes and CIRP are generally aligned with the National Institute of Standards and Technology’s framework.

We have adopted a cloud-first strategy which is a foundational element to our overall cybersecurity posture. For essential systems, we utilize SaaS-based software partners who annually conduct Statement on Standards for Attestation Engagements SOC 1 or SOC 2 assessments, as appropriate, based on functional use within our company. Based on the nature of services provided by our technology partners, our third-party risk management process may include:

●

Reviewing cybersecurity practices of such provider;

●

Contractually obligating the provider to share detailed results of cybersecurity assessments on an annual basis;

●

Contractually obligating the provider to make us aware of significant cybersecurity related incidents; and

●

Coordinating independent security assessments with the provider utilizing our own resources.

Cybersecurity Risk Management

We have adopted a cybersecurity risk management process that is designed to identify and mitigate potential cybersecurity risks. On an annual basis, we work with credible, third-party cybersecurity experts to assess our ability to prevent, identify, and respond to cybersecurity threats through internal and external penetration tests and monthly vulnerability scans. We also test our organizational cybersecurity capabilities through facilitated tabletop exercises which simulate real life scenarios. Together with the findings of the SOC 1 and 2 assessments, and our threat intelligence and monitoring activities, these exercises, tests and scans help us identify potential cybersecurity risks.

We seek to mitigate cybersecurity risks we identify through a variety of methods, including:

●

When practical and necessary, we patch vulnerabilities that are identified.

●

We deploy endpoint detection and monitoring technologies to identify potential cybersecurity incidents, which have capabilities to automatically isolate and terminate vulnerabilities.

●

We utilize industry leading tools and controls for user management, authentication, and privileged access management.

●

We back up our systems and data to mitigate the impact of a cybersecurity event that would impact our ability to operate or result in the loss of data.

●

We partner with strategic managed cybersecurity service providers to supplement the capabilities of our internal team.

●

We periodically test, evaluate and refine our CIRP in response to identified risks.

●

To manage the third-party cybersecurity risk introduced by our cloud-first strategy, we have implemented a due diligence process for new software partners as well as an annual review process for essential SaaS system partners.

●

We conduct cybersecurity awareness training annually and simulated phishing campaigns no less than quarterly to test and educate our employees.

Notwithstanding the steps we take to address cybersecurity, we may not be successful in preventing or mitigating all cybersecurity incidents or threats.

Cybersecurity Risk Management Processes Integrated [Text Block]

To mitigate cybersecurity risks we have adopted a process of continuous improvement and adaptation to the ever-changing threat landscape. As part of this process, we engage with industry-leading managed security service providers to supplement our efforts in preventing, identifying and responding to cybersecurity threats. Our information technology operations, information security processes and CIRP are generally aligned with the National Institute of Standards and Technology’s framework.

We have adopted a cloud-first strategy which is a foundational element to our overall cybersecurity posture. For essential systems, we utilize SaaS-based software partners who annually conduct Statement on Standards for Attestation Engagements SOC 1 or SOC 2 assessments, as appropriate, based on functional use within our company. Based on the nature of services provided by our technology partners, our third-party risk management process may include:

●

Reviewing cybersecurity practices of such provider;

●

Contractually obligating the provider to share detailed results of cybersecurity assessments on an annual basis;

●

Contractually obligating the provider to make us aware of significant cybersecurity related incidents; and

●

Coordinating independent security assessments with the provider utilizing our own resources.

Cybersecurity Risk Management

We have adopted a cybersecurity risk management process that is designed to identify and mitigate potential cybersecurity risks. On an annual basis, we work with credible, third-party cybersecurity experts to assess our ability to prevent, identify, and respond to cybersecurity threats through internal and external penetration tests and monthly vulnerability scans. We also test our organizational cybersecurity capabilities through facilitated tabletop exercises which simulate real life scenarios. Together with the findings of the SOC 1 and 2 assessments, and our threat intelligence and monitoring activities, these exercises, tests and scans help us identify potential cybersecurity risks.

We seek to mitigate cybersecurity risks we identify through a variety of methods, including:

●

When practical and necessary, we patch vulnerabilities that are identified.

●

We deploy endpoint detection and monitoring technologies to identify potential cybersecurity incidents, which have capabilities to automatically isolate and terminate vulnerabilities.

●

We utilize industry leading tools and controls for user management, authentication, and privileged access management.

●

We back up our systems and data to mitigate the impact of a cybersecurity event that would impact our ability to operate or result in the loss of data.

●

We partner with strategic managed cybersecurity service providers to supplement the capabilities of our internal team.

●

We periodically test, evaluate and refine our CIRP in response to identified risks.

●

To manage the third-party cybersecurity risk introduced by our cloud-first strategy, we have implemented a due diligence process for new software partners as well as an annual review process for essential SaaS system partners.

●

We conduct cybersecurity awareness training annually and simulated phishing campaigns no less than quarterly to test and educate our employees.

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

Our Chief Information & Technology Officer along with our Vice President of Cybersecurity & Cloud Infrastructure provide principal oversight and guidance of our cybersecurity risk management strategy, programs and processes. The Chief Information & Technology Officer has over 20 years of experience in information technology in the real estate sector, leading organizations through strategic technology and process improvement initiatives. The Vice President of Cybersecurity & Cloud Infrastructure has over 15 years of extensive experience in cybersecurity and information technology. They are supported in their efforts by a team of technical experts who have had formal training and possess relevant industry related experience in addition to managed cybersecurity service providers who specialize in preventing, identifying, and responding to cybersecurity threats.

The Audit Committee of our Board of Trustees provides board-level governance and oversight regarding cybersecurity matters. Management meets with the Audit Committee periodically to discuss cybersecurity strategy, risk, trends, and internal personnel and qualifications. As part of our annual enterprise risk assessment, technology and cyber risks are standing risk factors which are ranked and reviewed by management.

In the event of a cyberattack, we engage our CIRP, which provides a framework of processes and procedures related to identifying, categorizing, responding, containing, analyzing, and eradicating cybersecurity threats to mitigate downtime and promptly restore systems and services. Management has responsibility for reporting cybersecurity incidents to the Audit Committee as they occur, if consistent with our CIRP. The CIRP also addresses management's responsibility, with Audit Committee oversight, with respect to any reporting or disclosure determinations related to a given cybersecurity incident and provides for Audit Committee and Board of Trustee briefings as appropriate.

Risks, Threats and Material Incidents

As of December 31, 2024, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition. However, we and our third-party providers have been the target of cybersecurity threats and expect them to continue. Notwithstanding the extensive approach we take to address cybersecurity, there can be no assurance that our cybersecurity efforts and measures will be effective or that attempted cybersecurity incidents or disruptions would not be successful or damaging. See Item 1A “Risk Factors” - Risks Related to Our Business and Operations - The occurrence of cyber incidents, or a deficiency in our cybersecurity, or the cybersecurity of our service providers, could negatively impact our business by causing a disruption to our operations, a compromise or corruption of our confidential information, regulatory enforcement and other legal proceedings, and/or damage to our business relationships, all of which could negatively impact our financial results.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

Management meets with the Audit Committee periodically to discuss cybersecurity strategy, risk, trends, and internal personnel and qualifications.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

The Chief Information & Technology Officer has over 20 years of experience in information technology in the real estate sector, leading organizations through strategic technology and process improvement initiatives. The Vice President of Cybersecurity & Cloud Infrastructure has over 15 years of extensive experience in cybersecurity and information technology.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true