Creative Media & Community Trust Corp - (CMCT)
10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity
The Company’s Cybersecurity Risk Management Approach
The Company utilizes and relies on CIM Group for its IT and IT administration. CIM Group’s cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats, effective management of security risks and resiliency against incidents. CIM Group's cybersecurity risk management policies and procedures include, among other things: enterprise-wide hardware and software management and security controls; employee training; security assessments; penetration testing; security audits and ongoing risk assessments; due diligence on, and monitoring and oversight of, key third-party providers; vulnerability management; and management oversight to assess, identify and manage material risks from cybersecurity threats. CIM Group’s controls leverage the National Institute of Standards and Technology Cybersecurity Framework. CIM Group also utilizes industry and government associations, the results from regular internal and third-party audits and other similar resources to inform its cybersecurity processes and to allocate resources.
In addition, all employees of the Company and CIM Group receive mandatory training on cybersecurity matters upon hiring and annually thereafter, periodic training and information updates that address new cybersecurity threats and trends, and quarterly “phishing” and social engineering testing to evaluate the effectiveness of the cybersecurity training program and raise employee awareness of cybersecurity threats.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents.
For further discussion of cybersecurity risks, see “Item 1A. Risk Factors—Cybersecurity risks and cybersecurity incidents may adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential information, and/or damage to our business relationships, all of which could negatively impact our financial results.”
Management Oversight of Cybersecurity Risk Management
CIM Group’s internal processes require escalation of material cybersecurity risks to its management and its Cybersecurity Committee (the “Committee”) for evaluation. The Committee consists of CIM Group’s Chief Technology Officer (the “CTO”), CIM Group’s Chief Compliance Officer (the “CCO”) and representatives from CIM Group’s operations, compliance and accounting departments. The Committee is responsible for CIM Group’s cybersecurity policy and for overseeing the activities of CIM Group’s cybersecurity practices, including assessing CIM Group’s risks and controls. The Committee is chaired by the CTO, who has more than 30 years of experience in the fields of information technology, cybersecurity and adjacent roles, including serving on cybersecurity advisory councils. In addition, members of the Committee have relevant industry experience in enterprise risk management and compliance. The team responsible for developing and implementing our cybersecurity program collectively holds an MS in Cybersecurity and Information Assurance and multiple cybersecurity certifications, including CRISC, CISM, CISA, NCSP-NIST, CISSP, CASP+, CySA+ and Security+.
The Committee has established a Cybersecurity Subcommittee (the “Subcommittee”). The Subcommittee consists of, among other individuals, the CCO, the CTO and the chief financial officers of the public companies managed by CIM Group that are subject to the SEC’s cybersecurity rules adopted in 2023, including our Chief Financial Officer. The Subcommittee is tasked with assisting those CIM Group-managed public companies, including us, in complying with such cybersecurity rules.
The Committee and the Subcommittee each hold regular quarterly meetings and as-needed meetings throughout the year, during which members of CIM Group’s IT Department provide updates and report on meaningful cybersecurity risks, threats, incidents and vulnerabilities in accordance with the Committee’s and the Subcommittee’s respective reporting frameworks, as well as on related priorities, mitigation and remediation activities, financial and employee resource levels, regulatory compliance, technology trends and third-party provider risks. To help inform this reporting framework, CIM Group maintains incident response plans and other policies and procedures designed to respond to, mitigate and remediate cybersecurity incidents based on the potential impact to CIM Group’s business, IT systems, network or data, including data held by third parties, or to the IT or other critical services provided by third-party vendors and service providers.
CIM Group’s personnel responsible for cybersecurity policy consist of individuals with either formal education and degrees in IT or cybersecurity, or experience working in IT and cybersecurity, including relevant industry experience in security-related industries.
We believe that the processes, policies and procedures established by the Committee and the Subcommittee provide guidance for consistent and effective incident handling and response and set standards for internal notifications and escalations, as well as external notification considerations with respect to a cybersecurity event or incident requiring disclosure or notification in accordance with applicable laws.
Board of Directors Oversight of Cybersecurity Risk Management
The Audit Committee of our Board of Directors has oversight of our cybersecurity risks. The Audit Committee receives quarterly updates from CIM Group with respect to the effectiveness of its cyber readiness and cybersecurity program. This oversight includes a briefing and report by the CTO or CIM Group’s Head of Operations, as well as a discussion of any cybersecurity breaches detected by CIM Group and a summary of, among other things, the current cybersecurity threat landscape, defensive measures implemented by CIM Group, the health of CIM Group’s information security system, the effectiveness of CIM Group’s cybersecurity controls, and recoverability and business continuity testing. Pursuant to the Company’s cybersecurity policy, the Audit Committee will be promptly notified of any material cybersecurity incident required to be disclosed under Item 1.05 of a Current Report on Form 8-K and shall oversee the Company’s response to such matter.