NexPoint Residential Trust, Inc. - (NXRT)
10-K Filing Date: February 27, 2024
The Company’s Board of Directors (the “Board”) recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Board is actively involved in oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to risk management. Our Adviser maintains cybersecurity policies, standards, processes and practices that are based on recognized security frameworks such as the National Institute of Standards and Technology cybersecurity framework (the “NIST CF”) and the Azure Security Benchmark. In general, our Adviser seeks to address cybersecurity risks of the Company through a comprehensive, cross-functional approach that is focused on continually assessing the Company’s information systems to detect, prevent and mitigate cybersecurity threats and effectively respond to cybersecurity incidents when they occur.
As one of the critical elements of the Company’s overall risk management, our Adviser’s cybersecurity program is focused on the following key areas:
Governance: The Board’s oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the “Audit Committee”), which interacts with our Adviser’s Director of Information Technology and Chief Compliance Officer and other members of management of our Adviser that implement and oversee our Adviser’s cybersecurity program.
Risk Assessment: No less frequently than annually, our Adviser completes an assessment to identify potential cybersecurity threats and vulnerabilities to better prioritize and mitigate the Company’s cybersecurity risk. The assessment includes, among other things, evaluating the nature, sensitivity and location of information the Company collects, processes and stores and the resiliency of the underlying technologies, the validity and effectiveness of the Company’s security policies, controls and processes and the cybersecurity preparedness of the third-party vendors used by the Company and our Adviser. To supplement our Adviser’s internal assessment, our Adviser also periodically engages third-party consultants to assess system configurations through configuration review and penetration testing.
Technical Safeguards: Our Adviser deploys technical safeguards that are designed to protect the Company’s and our Adviser’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
42
Incident Response and Recovery Planning: Our Adviser has established and maintains comprehensive business continuity plans that address potential impacts should the information or technology systems become compromised, and such plans are tested and evaluated on a regular basis.
Third-Party Risk Management: Our Adviser maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including key vendors, service providers and other external users of the Company’s and the Adviser’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
Education and Awareness: Our Adviser provides regular, mandatory training for its employees regarding cybersecurity threats as a means to equip its employees with effective tools to address cybersecurity threats, and to communicate our Adviser’s evolving information security policies, standards, processes and practices.
Our Adviser engages in the periodic assessment and testing of our Adviser’s policies, standards, processes and practices that are designed to address the Company’s cybersecurity threats and incidents. These efforts include a wide range of activities, including annual penetration and third-party compliance testing and ongoing internal testing and creation and modification of policies and procedures. The results of the annual assessments are reported to the Audit Committee and the Board, and our Adviser adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments and ongoing testing.
The Audit Committee oversees the Company’s risk management policies, including the management of risks arising from cybersecurity threats. The Audit Committee receives presentations and reports on cybersecurity risks, which address a wide range of topics including annual assessments of internal and third-party policies, vulnerability assessments, technological trends and information security considerations arising with respect to the Company and our Adviser. The Audit Committee also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the Board and the Audit Committee discuss the Company’s approach to cybersecurity risk management with our Adviser, including the Adviser’s Director of Information Technology.
The Adviser’s Director of Information Technology, in coordination with relevant senior management and personnel of the Adviser, which includes our Adviser’s Chief Financial Officer, Senior Infrastructure Engineer, and Chief Compliance Officer, work to conceive, implement, and monitor the effectiveness of a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any security incidents in accordance with the Company’s business continuity plan. To ensure the effectiveness of these controls, the Adviser’s technology team continually monitors, hardens, and evolves systems’ security postures to model and mirror various security frameworks such as NIST CSF and Azure Security Benchmark. The Adviser’s Director of Information Technology will promptly notify our General Counsel of any cybersecurity events, with material cybersecurity events promptly communicated to the Audit Committee and publicly disclosed as deemed necessary.
The Adviser’s Director of Information Technology has served in various roles in information technology and information security for 25 years, including serving as Global Technology Manager at a multi-national publicly traded broker-dealer, and 15 years as the Director of Information Technology at a privately held financial services firm. The Adviser’s Director of Information Technology holds an undergraduate degree in biochemistry and has attained numerous information technology certifications over the years including Microsoft Certified Systems Engineer (MCSE) and Cisco Certified network Professional (CCNP). The Adviser’s Senior Infrastructure Engineer has over 20 years industry experience, holds an undergraduate degree in radiology, and has completed various Microsoft related information technology certifications. Combined, our Adviser’s information technology team has over 50 years of experience covering all major aspects of network architecture and management.
Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. However, the risk of cybersecurity threats could be significant if the cyber-attack disrupts the Company’s critical operations, service or financial systems. See “Risk Factors - We depend on information systems, and systems failures could significantly disrupt our business, which may, in turn, negatively affect our ability to pay dividends to our stockholders”.
43