Greystone Housing Impact Investors LP - (GHI)
10-K Filing Date: February 22, 2024
Risk Management and Strategy
Partnership management considers risks from cybersecurity threats as a component of its entity-wide risk assessment that includes various processes and procedures to assess, identify, and manage material risks. The Partnership uses a variety of information technology solutions in the operation of its business, all of which are maintained by reputable third-party providers, including an information technology managed services system provider that is an affiliate of Greystone.
Management regularly reviews material technology services used, the population of technology service providers, and material and/or sensitive financial and operational data, and then assesses the material risks from cybersecurity threats associated with these items. Management has developed processes, procedures, and internal controls to address materials risks focusing on application security (levels of access, passwords, etc.), system change controls, and operations processing. The design and operating effectiveness of internal controls are subject to testing annually by the Partnership’s internal audit function.
Management has also developed procedures to assess the operations and internal controls of material service providers through the use of questionnaires, reviews of available policy statements, and evaluation of System and Organization Controls assurance reports, which are assessed in the aggregate to determine if the service providers have adequately addressed the risks of cybersecurity threats within their operations. The overall assessment includes an evaluation of a service provider’s breach notification policies and procedures and any reported cybersecurity incidents. Management is not aware of any cybersecurity incidents at any of its service providers that have materially affected or are reasonably likely to materially affect the Partnership’s operations.
Notwithstanding the extensive approach the Partnership takes to cybersecurity in conjunction with Greystone, the Partnership may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on the Partnership. See “Item 1A. Risk Factors,” for a discussion of cybersecurity risks.
Governance
Certain employees of Greystone Manager that provide services to the Partnership are responsible for assessing and managing material risks from cybersecurity threats and are overseen by the Partnership’s Chief Financial Officer. The Chief Financial Officer and relevant Greystone Manager employees collectively have over 20 years of experience in information technology risk assessment and audit evaluations. These individuals will also consult with experts from Greystone’s affiliate that provides information technology managed services systems, particularly the Chief Information Security Officer (“CISO”) of the Greystone affiliate, when assessing and evaluating risks of cybersecurity threats. These consultations with the CISO typically encompass a broad range of topics, including the current cybersecurity landscape and emerging threats; the status of ongoing cybersecurity initiatives and strategies; incident reports and learnings from any cybersecurity events; and compliance with regulatory requirements and industry standards.
The Partnership has established incident response procedures to be followed in the event of a cybersecurity incident that is overseen by the Partnership’s Chief Executive Officer and Chief Financial Officer. The Chief Executive Officer and the Chief Financial Officer are notified of cybersecurity incidents as soon as the Partnership receives notification from a third-party service provider or is informed by other means, and will determine if additional internal and/or external resources are needed to evaluate, mitigate, and
36
remediate the cybersecurity incident. At a minimum, the Board of Managers will be notified of material cybersecurity incidents prior to any public announcement and will receive updates on material developments and remediation activities.
The Board of Managers considers risks from cybersecurity threats in conducting its oversight of the Partnership’s overall risk assessment, primarily through the activities of the Audit Committee of the Board of Managers. The Chief Financial Officer reports to the Audit Committee the results of the evaluation of risks from cybersecurity threats, the process, procedures and internal controls designed to address such risks, and other relevant information needed for the Audit Committee to operate its oversight responsibilities. The Partnership’s internal audit function reports to the Audit Committee annually the results of its assessment of design and operating effectiveness testing of internal controls. In addition, the Audit Committee conducts an annual review of the Partnership’s cybersecurity posture and the effectiveness of its risk management strategies. This review assists in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework of the Partnership.
Additional third parties, contracted with by our third-party service providers, also play a role in the Partnership’s overall cybersecurity. Our third-party service providers engage with a range of additional third-party service providers and external experts, including cybersecurity assessors, consultants, and auditors, to evaluate and test their risk management systems. These services include, but are not limited to, penetration testing, independent audits, and consulting on best practices to address new challenges, and also include testing both the design and operational effectiveness of our security controls. These engagements enable our service providers to leverage specialized knowledge and insights, ensuring cybersecurity strategies and processes remain at the forefront of industry best practices.
Risks from Cybersecurity Incidents
The Partnership has not encountered a cybersecurity incident that has materially impaired our operations or financial condition.