Comstock Holding Companies, Inc. - (CHCI)

10-K Filing Date: March 21, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
To mitigate cybersecurity risks, we strive to continually assess and improve our processes and procedures. We engage with industry-leading managed security service providers to supplement our efforts in identifying, assessing, preventing, and responding to cybersecurity threats. We are working to align our information technology operations and information security processes to the National Institute of Standards and Technology’s framework. We have adopted a cloud-first strategy which is a foundational element to our overall cybersecurity posture. For essential systems, we utilize SaaS-based software partners who annually conduct Statement on Standards for Attestation Engagements.
We have adopted a cybersecurity risk management process that is designed to identify and mitigate potential cybersecurity risks and is currently being integrated into our overall enterprise risk management process. We regularly assess our cybersecurity vulnerability by utilizing credible, third-party cybersecurity experts to conduct annual internal penetration tests and monthly vulnerability scans. These threat intelligence and monitoring activities, tests, and scans help us identify potential cybersecurity risks.

We seek to mitigate cybersecurity risks we identify through a variety of methods; however, we acknowledge that even a robust, well-designed information technology control environment may not fully eliminate cybersecurity risk. It is possible that we will be unable to detect certain vulnerabilities in time to remediate them, or that our implemented controls may not operate as intended.

To date, we have not experienced any material cybersecurity incidents. We remain subject to the risks from cybersecurity threats that, if realized, are reasonably likely to materially affect the Company’s business strategy, results of operations, or financial condition.
Governance
Our Board of Directors considers cybersecurity as part of its risk oversight function. While management is responsible for the day-to-day management of risk, our Board of Directors maintains oversight of management’s implementation of our cybersecurity risk management processes. Our Board of Directors receives briefings on material cybersecurity incidents, as necessary.
Our Vice President of Information Technology provides principal oversight and guidance of our cybersecurity risk management strategy, programs, and processes. The Vice President of Information Technology has over 30 years of experience in information technology, leading organizations through strategic technology and process improvement initiatives, including over 15 years of extensive experience in cybersecurity. He is supported by a team of technical experts who have received formal training and possess relevant experience in addition to managed cybersecurity service providers who specialize in preventing, identifying, and responding to cybersecurity threats.
As part of our annual enterprise risk assessment, technology cybersecurity risks are ranked and reviewed by management. In the event of a cybersecurity incident, the Vice President of Information Technology would prepare a comprehensive assessment for management that summarizes potential and actual impacts and includes any steps needed to remediate the identified issues. If the cybersecurity incident was deemed to be material by management, the Vice President of Information Technology would brief our Board of Directors on the matter, at which time determinations would be made by the Board of Directors on the need to report or disclose the cybersecurity incident to our customers or investors.