Bluerock Homes Trust, Inc. - (BHM)

10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers, and violation of data privacy or security laws.

Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. We have an enterprise-wide information security program designed to identify, protect against, detect, respond to, and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve, and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, incoming (external) physical infrastructure with enhanced firmware, continuous employee training, internal reporting, and monitoring and detection tools. We also engage top third-party security providers for applications and infrastructure to identify, prioritize, assess, mitigate, and remediate risks.


Our information technology (“IT”) department regularly assesses risks from cybersecurity and technology threats and monitors our information systems for potential vulnerabilities. We use a widely adopted risk quantification model to identify, measure, and prioritize cybersecurity and technology risks and to develop related security controls and safeguards. We conduct regular reviews and tests of our information security program, including but not limited to tabletop exercises, penetration and vulnerability testing, red team exercises, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning.

We have implemented incident response and breach management processes which have four overarching and interconnected stages: (i) preparation for a cybersecurity incident, (ii) detection and analysis of a security incident, (iii) containment, eradication, and recovery, and (iv) post-incident analysis. Such incident responses are overseen by our Leadership Committee, composed of our Chief Operating Officer, Chief Financial Officer, General Counsel, and Senior Vice President of FP&A.

Security events and data incidents are evaluated, ranked by severity, and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact and reviewed for privacy impact.

As part of the above processes, we regularly engage external resources and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards.

Our risk management program also assesses third-party risks, and we perform third-party risk management to identify and mitigate risks from key third parties such as vendors, suppliers, and other business partners. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers that handle and/or process our employee, business, or customer data. In addition, we perform risk management during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third-party incidents.

Management has not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. See Item 1A. Risk Factors, “We are highly dependent on information systems and therefore systems failures, cybersecurity incidents or other technology disruptions could negatively impact our business” and “Security breaches and other disruptions could compromise our information and expose us to liability, which would cause our business and reputation to suffer.” above for more information. While we continually work to safeguard the information systems we use, and the proprietary, confidential and personal information residing therein, and mitigate potential risks, there can be no assurance that such actions will be sufficient to prevent cybersecurity incidents or mitigate all potential risks to such systems, networks and data or those of our third-party providers.

Governance

Our Board holds oversight responsibility over our strategy and risk management, including material risks related to cybersecurity threats. This oversight is executed directly by the Board and through its committees. The Audit Committee meets annually to review enterprise security, technology risks and cybersecurity threats, risk assessments and areas of emerging risks, incidents and mitigation strategies, and industry trends.

Our IT department maintains internal and external resources and is led by our IT Manager and assisted by our Risk Assessment/IT Compliance & Enterprise Manager. These two individuals have a combined 40+ years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. The IT department is responsible for the information security of the organization and for the oversight of all cybersecurity infrastructure and programs. The department provides regular reports to senior management and other relevant teams on various cybersecurity threats, assessments, and findings.

Our Leadership Committee is responsible for the oversight of risks from cybersecurity threats. The Leadership Committee receives updates on a quarterly basis from leaders of our IT department and compliance and legal teams regarding matters of cybersecurity. This includes existing and new cybersecurity risks, the status of how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any), and the status of key information security initiatives. Our Leadership Committee and IT department discuss cybersecurity-related current events and any updates to our cybersecurity risk management and strategy programs.

Management, in coordination with our IT department, is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, and communicating key priorities to relevant personnel. Management is responsible for approving budgets, approving cybersecurity processes, and reviewing cybersecurity assessments and other cybersecurity-related matters.
