KAANAPALI LAND LLC - (KANP)
10-K Filing Date: March 27, 2024
The Company utilizes an affiliated company of Pacific Trail (“IT Provider”), which is a provider of financial services to numerous affiliates of Pacific Trail, which operate in the real estate and financial services industries, for its accounting, accounts payable, treasury and related Information Technology (“IT”) and data processing functions. The Company’s financial systems and related controls, procedures, and risk management, including IT systems, are integrated with those of the affiliated companies (together the “Affiliated Group”).
Cybersecurity and cybersecurity risk management are important aspects of operations and a focus area for the Affiliated Group. Cybersecurity risks are evaluated on an ongoing basis by the Affiliated Group and its IT Provider, both internally and with the assistance of external firms.
The Company engages a national technology firm in an effort to maintain and continually update its cybersecurity posture and keep current with evolving cybersecurity risks. The IT Provider’s cybersecurity program is examined on a regular basis, and new procedures and tools are adopted on an ongoing basis to address the changing cybersecurity landscape. The IT Provider’s technology team tests the effectiveness of its tools with periodic exercises, including Penetration (PEN) tests. Risk is assessed to identify and manage risks that could affect its ability to provide reliable processing to the Affiliated Group. This process requires IT Provider to identify significant risks based upon the following: (a) management’s internal knowledge of and perceived risks to the IT environment, (b) significant changes to the internal and the third-party vendor IT environments, (c) input received annually from its consultants and external auditors based on its auditor’s review of the IT operating environment, (d) management’s review of Service Organization Controls (SOC) reports received from vendors housing critical applications, (e) regulatory requirements or operating standards that may directly impact the IT environment, and (f) identification of threats and the evaluation of the probability and likelihood of threats. For any significant risks identified, IT Provider’s management is responsible for implementing appropriate measures to monitor and manage these risks, including implementing or revising control procedures, conducting specific consulting projects, and updating systems and processes to ensure compliance.
As many security threats involve email and social engineering, the IT Provider has a multifaceted security training program for Affiliated Group employees. Cybersecurity training classes are administered at least annually. Testing and assessment of employees’ ability to thwart attacks are performed throughout the year, with training being targeted at areas of users’ weakness.
The Company does not believe that any risks from cybersecurity threats to date, including as a result of any previous cybersecurity incidents of which the Company is aware, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial conditions; however, there can be no assurance in that regard.
The management of IT Provider is responsible for directing and controlling operations and for establishing, communicating, and monitoring policies and procedures. The key members of management are the President (who has over 20 years’ experience in his current position), who is responsible for overseeing delivery of the services, and the Chief Information Officer (“CIO”) (who has over 10 years’ experience in his current position), who is responsible for overseeing the IT environment that supports the services. Importance is placed on maintaining sound internal controls and promoting integrity and the ethical values of the Affiliated Group in all personnel. Organizational values and behavioral standards are communicated to all personnel through policy statements and the Employee Handbook. Additionally, the President and CIO are in daily contact with personnel at all levels and reinforce the Affiliated Group’s policies, procedures, and organizational values.
The IT Provider reports to the President and upper-level management of the Affiliated Group as part of the risk management process in which IT Provider management identifies significant risks through discussions with Affiliated Group management and develops responses and mitigating actions to address such risks.