ACRES Commercial Realty Corp. - (ACR)
10-K Filing Date: March 07, 2024
Cybersecurity Risk Management and Strategy
As an externally managed REIT, our risk management function, including cybersecurity, is governed by the cybersecurity policies and procedures of our Manager, a subsidiary of ACRES Capital Corp. ("ACRES"). As such, our Manager participates in ACRES' processes for assessing, identifying, and managing risks from cybersecurity threats, as detailed below.
ACRES upholds a robust cybersecurity initiative, encompassing policies and protocols aimed at safeguarding its systems, operations, and entrusted data, including ours, from potential threats or risks. ACRES employs a range of protective measures within its cybersecurity framework including physical and digital access controls, identity verification, mobile device management software, employee training programs emphasizing cybersecurity awareness and best practices, tools for identifying abnormal activities, and vigilant monitoring of data usage, hardware, and software.
At least annually, ACRES’ third-party cybersecurity compliance consultant conducts a cybersecurity risk assessment. We periodically review reporting on these risks and our cybersecurity threats, the status of our security infrastructure, our risk management activities and the status of, and our responses to, any cybersecurity incidents. We also periodically perform simulations and tabletop exercises. All employees are required to complete training that includes various topics on cybersecurity risk management best practices. Additionally, employees are regularly tested with phishing campaigns reinforcing their awareness of email threats.
Cybersecurity threat risks have not materially affected our company, including our business strategy, results of operations or financial condition. For further discussion of the risks we face from cybersecurity threats, including those that could materially affect us, see “Item 1A. Risk Factors—Risks Related to Our Operations—Our business is highly dependent on communications and information systems, and systems failures or cybersecurity incidents could significantly disrupt our business, which may, in turn, negatively affect the market price of our common stock and our ability to operate our business” in this report.
Cybersecurity Governance
As described above, ACRES has engaged a third-party IT firm and cybersecurity compliance consultant to whom we have outsourced primary responsibility to oversee, implement and manage our processes and controls to assess, identify, and manage material risks from cybersecurity threats. ACRES' management team oversees the work of the third-party IT firm and cybersecurity compliance consultant and regularly communicates with members of the team. Through the policies and controls described above, including an incident response policy, representatives of the third-party IT firm as well as members of ACRES' management team are informed about cybersecurity threats and incidents affecting our information systems and direct our efforts to prevent, detect, mitigate and remediate cybersecurity threats and incidents.
The representatives of our third-party IT firm and cybersecurity compliance consultant who lead our cybersecurity risk management and risk assessment process have experience in managing information systems, developing cybersecurity strategy, implementing information security and cybersecurity programs, identifying and assessing cybersecurity risks and establishing incident response plans.
Our Company’s Board and the audit committee are jointly responsible for overseeing our overall risk assessment and risk management program as well as our Manager’s policies and practices related to our information technology systems, information security and cybersecurity risks. The Company’s Board and the audit committee review at least annually our enterprise risks and related risk management program. In addition, the Company’s Board receives periodic reports from our cybersecurity compliance firm on the primary cybersecurity risks that we and our Manager face and the measures we are taking to mitigate such risks. The chair of the audit committee would be notified following any cybersecurity incident meeting specified severity levels, and the Company’s Board would also be expected to review the Manager’s materiality assessment regarding any cybersecurity incident requiring disclosure to the SEC.