Information about cybersecurity risks and our risk management processes is collected, analyzed and considered as part of our overall enterprise risk management. The Company recognizes the critical importance of maintaining the trust and confidence of our tenants and business partners. The Board plays an active role in overseeing management of our risks, and cybersecurity represents an important component of the Company’s overall approach to risk management and oversight. We believe we have built a strong and collaborative risk management culture focused on awareness which supports appropriate understanding and management of our key risks. Each employee is accountable for identifying, monitoring and managing risk within their area of responsibility.

​

The Company maintains cybersecurity prevention and response plans and procedures (the “Cybersecurity Policies”) that set forth the Company’s plan to prevent, manage, report and resolve cybersecurity events. The Cybersecurity Policies set forth the Company’s policies and procedures for cybersecurity event prevention, including the Company’s (i) network and computer systems acceptable use policy, (ii) data backup procedures, (iii) business continuity plan, (iv) data retention policy, (v) disaster recovery plan, (vi) email use and security policy, (vii) network change management procedures, and (viii) password and authentication requirements policy. The Cybersecurity Policies also (i) provide indicators that Company employees should be aware of to recognize a cybersecurity event, (ii) outline the roles and responsibilities for Company employees and other third parties with respect to the Company’s cybersecurity incident response team (“CSIR Team”), (iii) set forth the steps to take in response to a cybersecurity incident, including

reporting the incident, investigating the incident, preserving non-affected systems and data, informing, as appropriate, Senior Management (as defined below), insurance carriers, law enforcement and other parties that may be affected by the incident and (iv) include the processes for maintaining business continuity.

​

The Company’s President and Chief Executive Officer, Chief Financial Officer and Treasurer, Chief Operating Officer and General Counsel and Secretary (“Senior Management”) are responsible for assessing and managing cybersecurity risks with the support of the entire CSIR Team, led by the Director of Operations/Risk Management. The Director of Operations/Risk Management is the primary lead for monitoring the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and ensuring that the Cybersecurity Policies are followed. Senior Management works collaboratively with the Director of Operations/Risk Management and the entire CSIR Team to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Cybersecurity Policies. The CSIR Team also includes a third-party, on-demand IT support team, a Primary IT Support Contact, who is the technical response lead, a Primary Communications Contact responsible for handling external communications during and after an incident, as well as other delineated primary contacts in areas including, but not limited to, HR, Legal, Accounting, Asset Management and Acquisitions.

​

Pursuant to the Cybersecurity Policies, information security incidents must be reported, without delay, to the IT support team or the Director of Operations/Risk Management, who will then advise Senior Management of the incident. Senior Management will then report such threats and incidents to the Audit Committee, when appropriate.

​

The members of Senior Management each hold degrees in their respective fields and combined have approximately 30 years or more of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.

​

Risk Management and Strategy

​

The Company’s cybersecurity program is focused on the following key areas:

​

​

​

​

​

​

The Company engages in the periodic assessment and testing of its policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of the Company’s

cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on its cybersecurity measures, including information security materiality assessments and independent reviews of the Company’s information security control environment and operating effectiveness. The results of such assessments and reviews are reported to the Audit Committee and the Board, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments and reviews.

The Company’s cybersecurity program is focused on the following key areas:

​

​

​

​

​

​

​

Governance

​

The Board, in coordination with the Audit Committee, oversees the Company’s cybersecurity risk management process. The Audit Committee has adopted a charter that provides that the Audit Committee has duties and responsibilities with respect to the oversight of the Company’s cybersecurity risk protocol (which includes oversight of risk assessment, risk management plan and process to control/monitor, business continuity plan, incident response, and disaster recovery).

​

There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information.

​

To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to affect the Company, including its business strategy, results of operations or financial condition. We face certain ongoing cybersecurity risks that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors - We, our tenants, and our property managers face risks associated with security breaches through cyber-attacks, cyber-intrusions, or otherwise, as well as other significant disruptions of information technology networks and related systems.”