AFC Gamma, Inc. - (AFCG)
10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity
The Company has no employees and is externally managed by our Manager. Pursuant to the terms of the Management Agreement, our Manager manages, operates and administers our day-to-day operations, business and affairs, subject to the direction and supervision of the Board. The Board recognizes the critical importance of maintaining the trust and confidence of our business partners. The Board plays an active role in overseeing management of our risks, and cybersecurity represents an important component of the Company’s overall approach to risk management and oversight. The Company and our Manager are committed to protecting the confidentiality of all nonpublic information related to the Company’s borrowers, shareholders and their personnel.
Risk Management and Strategy
As an externally managed company, the Company relies on our Manager’s corporate information technology, accounting and financial reporting platforms, enterprise applications and related systems (our “Information Systems”) in connection with the Company’s day-to-day operations. Our Manager has adopted a written information security program (the “Written Information Security Policy”), which is designed to address applicable requirements under Regulation S-P and the FTC Safeguards Rule. Consequently, the Company also relies on the processes for assessing, identifying, and managing material risks from cybersecurity threats under the Manager’s Written Information Security Policy. The processes include, among other things, maintaining secure digital or physical access to information assets, using manual and automated detection methods for malicious code, due diligence of third-party vendors, and engaging a leading provider of cybersecurity services to assess and manage cybersecurity risk. For third-party service vendors that perform a variety of important functions for our business, we seek to engage reliable, reputable service vendors that maintain cybersecurity programs.
All of the Company’s officers and employees are employees of the Manager and subject to its policies and procedures. Our Manager utilizes a third-party managed & cybersecurity services provider (the “MSSP”) for cybersecurity services, including threat detection and response, vulnerability assessment and monitoring, security incident response and recovery and general cybersecurity education and awareness. Our Manager and the MSSP engage in periodic assessment and training regarding the policies, standards and practices designed to address cybersecurity threats and incidents. Our cybersecurity risk management is integrated into our overall enterprise risk management and shares common methodologies, reporting channels and governance processes that apply across our enterprise risk management
To date, we have not experienced any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the Company and we are not aware of any cybersecurity threats that are reasonably likely to affect the Company, including its business strategy, results of operations or financial condition. For additional discussion of the risks posed by cybersecurity threats, see “Risk Factors—General Risk Factors—We rely on information technology in our operations, and security breaches and other disruptions in our systems could compromise our information and expose us to liability, which would cause our business and reputation to suffer.”
Governance
The Company’s Audit and Valuation Committee oversees the Company’s cybersecurity risk management process. The Audit and Valuation Committee has adopted a charter that provides that the Audit and Valuation Committee must periodically review and discuss with the Company’s management team the Company’s guidelines and policies with respect to risk assessment and risk management of cybersecurity and other risk exposures relevant to the Company’s computerized information system controls and security. The Audit and Valuation Committee may receive additional training in cybersecurity and data privacy matters to enable its oversight of such risks. The Audit and Valuation Committee will report to the Board on the substance of such reviews and discussions and, as necessary, recommend to the Board such actions as the Audit and Valuation Committee deems appropriate.
As noted above, the Company relies on our Manager’s Information Systems in connection with the Company’s day-to-day operations. The Company relies on the MSSP’s processes for assessing, identifying, and managing material risks from cybersecurity threats.
The Company’s Chief Financial Officer and Treasurer, Chief Legal Officer and Secretary, and Head of IT work collaboratively with other employees of our Manager and the MSSP to ensure the MSSP’s services protect the Company’s Information Systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. These members of the Company’s management team, together with the MSSP, monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and report such threats and incidents to the Audit and Valuation Committee when appropriate. These members of the Company’s management team meet periodically to assess cybersecurity risks and discuss with the Audit and Valuation Committee. They have gained relevant knowledge, skills and experience in information technology and cybersecurity risk management, including overseeing third-party vendors in such areas, over their careers at the Company or other organizations.