Extra Space Storage Inc.: 10-K Risk Factor Changes

We face risks related to public health emergencies, such as epidemics and pandemics that could materially and adversely impact our results of operations in the future. The impact of a public health emergency, and measures to prevent the spread of a virus or the underlying causes of a health crisis, could lower demand for storage facilities due to, among other things, stay-at home orders and other restrictions which may lead to lower rental rates, reduced late fee collection and impaired ability to hold auctions resulting in higher accounts receivable and bad debt. In addition, a public health emergency could cause general economic and market disruptions which could impair our ability to expand our business, raise capital and adversely affect the value of our securities. Although the self-storage industry has historically been resilient to ordinary market downturns, the impact of pandemics, epidemics or public health emergencies on the U.S. and world economies generally, and on our future results in particular, could be significant and will largely depend on future developments, which are highly uncertain and cannot be predicted.

We face risks related to public health emergencies, such as epidemics and pandemics, including the COVID-19 pandemic, which impacted our business in 2020, and could materially and adversely impact our results of operations in the future. The impact of a public health emergency, and measures to prevent the spread of a virus or the underlying causes of a health crisis, could lower demand for storage facilities due to, among other things, stay-at home orders and other restrictions which may lead to lower rental rates, reduced late fee collection and impaired ability to hold auctions resulting in higher accounts receivable and bad debt. In addition, a public health emergency could cause general economic and market disruptions which could impair our ability to expand our business, raise capital and adversely affect the value of our securities. Although the self-storage industry has historically been resilient to ordinary market downturns, the impact of the COVID-19 pandemic and other pandemics, epidemics or public health emergencies on the U.S. and world economies generally, and on our future results in particular, could be significant and will largely depend on future developments, which are highly uncertain and cannot be predicted.

We rely on information technology networks and systems, including the Internet, to process, transmit and store confidential information, and to manage or support a variety of business processes, including financial transactions and records, intellectual property, proprietary business information, and personal information of our employees, contractors and customers, such as tenant and lease data (collectively, "Confidential Information"). We also rely on third-party vendors for information technology and services, including commercially available systems, software, tools and monitoring to provide security for the processing, transmission and storage of Confidential Information. Our information technology systems and those of our third-party service providers, strategic partners and other contractors or consultants are vulnerable to attack and damage or interruption from computer viruses and malware (e.g. ransomware), misconfigurations, bugs or other vulnerabilities, malicious code, natural disasters, terrorism, war, telecommunication and electrical failures, hacking, cyberattacks, phishing attacks and other social engineering schemes, employee theft or misuse, human error fraud, denial or degradation of service attacks, and sophisticated nation-state and nation-state-supported actors. Although we have taken steps to protect the security of our information technology systems and Confidential Information, it is possible that our cybersecurity risk management program and processes, including our policies, safety and security measures will not be fully implemented, complied with or able to prevent such systems’ improper functioning or damage, or the improper accessing or disclosure of Confidential Information, from such security breaches, disruptions, and shutdowns. The costs associated with the investigation, remediation and potential notification of such breaches to counter-parties and data subjects could be material. We and certain of our service providers are, from time to time, subject to cyberattacks and security incidents. While to date, we do not believe that we have experienced any significant system failure, accident or security breach, this risk has generally increased as the number, intensity and sophistication of such breaches and attempted breaches from around the world have increased. Furthermore, because the technologies used to obtain unauthorized access to, or to sabotage or disrupt, systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence. Any failure to maintain the proper functioning, confidentiality, security and availability of our or our third-party service providers' information technology systems or our Confidential Information could interrupt our 11 11 11 operations, damage our reputation, divert significant management attention and resources to remedy any damages that result, subject us to liability and claims or regulatory investigations and enforcement actions, which could result in, among other things, fines and penalties, and have a material adverse effect on our business, financial condition and results of operations. Further, our insurance coverage may not be sufficient to cover the financial, legal, business or reputational losses that may result from an interruption or breach of our systems.

We rely on information technology networks and systems, including the Internet, to process, transmit and store electronic information, and to manage or support a variety of business processes, including financial transactions and records, personally identifiable information, and tenant and lease data. We purchase some of our information technology from vendors, on whom our systems depend. We rely on commercially available systems, software, tools and monitoring to provide security for processing, transmission and storage of confidential tenant and other sensitive information. Our information technology systems and those of our third-party service providers, strategic partners and other contractors or consultants are vulnerable to attack and damage or interruption from computer viruses and malware (e.g. ransomware), malicious code, natural disasters, terrorism, war, telecommunication and electrical failures, hacking, cyberattacks, phishing attacks and other social engineering schemes, employee theft or misuse, human error (e.g., social engineering, phishing), fraud, denial or degradation of service attacks, sophisticated nation-state and nation-state-supported actors or unauthorized access or use by persons inside our organization, or persons with access to systems inside our organization. Although we have taken steps to protect the security of our information systems and the data maintained in those systems, it is possible that our safety and security measures will not be able to prevent the systems’ improper functioning or damage, or the improper access or disclosure of personally identifiable information such as in the event of cyber-attacks. Security breaches, including physical or electronic break-ins, computer viruses, attacks by hackers and similar breaches, can create system disruptions, shutdowns or unauthorized disclosure of confidential information. We and certain of our service providers are from time to time, subject to cyberattacks and security incidents. While to date, we do not believe that we have experienced any significant system failure, accident or security breach, this risk has generally increased as the number, intensity and sophistication of such breaches and attempted breaches from around the world have increased. Furthermore, because the technologies used to obtain unauthorized access to, or to sabotage or disrupt, systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence. Any failure to maintain proper function, security and availability of our information systems could interrupt our operations, damage our reputation, divert significant management attention and resources to remedy any damages that result, subject us to liability claims or regulatory penalties and have a material adverse effect on our business and results of operations. Further, our insurance coverage may not be sufficient to cover the financial, legal, business or reputational losses that may result from an interruption or breach of our systems.

In the United States, both federal and various state governments have adopted, or are considering, laws, guidelines or rules for the collection, distribution, use, storage and security of personal information, and we are or may become subject to such obligations with respect to information collected from or about our employees, contractors or customers. For example, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, requires certain businesses that process personal information of California residents to, among other things: provide certain disclosures to California residents regarding the business’s collection, use, and disclosure of their personal information; receive and respond to requests from California residents to access, delete, and correct their personal information, or to opt-out of certain disclosures of their personal information; and enter into specific contractual provisions with service providers that process California resident personal information on the business’s behalf. Although we work to comply with applicable laws, regulations and standards, our contractual obligations and other legal obligations, these requirements are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, may conflict with one another or other legal obligations with which we must comply, may require us to incur significant costs, implement new processes, or otherwise affect our ability to use and disclose the information we collect, which could affect our results of operations, business, and financial condition. Any failure or perceived failure by us or our employees, representatives, contractors, consultants, collaborators, or other third parties to comply with such requirements or adequately address privacy and security concerns, even if unfounded, could result in additional cost and liability to us, damage our reputation, and adversely affect our business, financial condition and results of operations.

In the United States, both federal and various state governments have adopted, or are considering, laws, guidelines or rules for the collection, distribution, use and storage of information collected from or about consumers or their devices. For example, the California Consumer Privacy Act of 2018 ("CCPA") went into effect on January 1, 2020, and creates individual privacy rights for California consumers and increases the privacy and security obligations of entities handling certain personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that has increased the likelihood of, and risks associated with, data breach litigation. Further, the California Privacy Rights Act ("CPRA") generally went into effect in January 2023, and significantly amends the CCPA and will impose additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It also creates a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement. Additional compliance investment and potential business process changes may be required. Similar laws have passed in Virginia, Utah, Connecticut and Colorado, and have been proposed in other states and at the federal level, reflecting a trend toward more stringent privacy legislation in the United States. The enactment of such laws could have potentially conflicting requirements that would make compliance challenging. Although we work to comply with applicable laws, regulations and standards, our contractual obligations and other legal obligations, these requirements are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another or other legal obligations with which we must comply. Any failure or perceived failure by us or our employees, representatives, contractors, consultants, collaborators, or other third parties to 10 10 10 comply with such requirements or adequately address privacy and security concerns, even if unfounded, could result in additional cost and liability to us, damage our reputation, and adversely affect our business and results of operations.