BrightSpire Capital, Inc. - (BRSP)
10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
We consider our information technology (“IT”) and information systems to be valuable and vital assets and must be protected as such. We maintain a series of policies and supporting procedures designed to help ensure the security and confidentiality of our IT and information systems and to help ensure that they are properly protected from a variety of threats such as error, fraud, embezzlement, sabotage, terrorism, extortion, industrial espionage, service interruption, and natural disaster. Information is protected according to its sensitivity, value, and criticality with particular focus given to protecting confidential information, such as personal identifying information, unpublished financial results and other data deemed proprietary to us. Our cybersecurity network, including management, employees and service providers, prioritizes protecting and otherwise managing our information assets, and recognizes that information security is an important part of our business.
Our cybersecurity risk management program is a key component of our broader enterprise risk management (“ERM”) infrastructure. Cybersecurity and information security, administered by our Head of IT and BrightSpire IT Partner (each, as defined below), is a key component of our broader ERM program, which includes diverse internal management, financial reporting, legal, compliance and risk management controls, policies and procedures primarily under the supervision of senior management. The results of our ERM layers of management control, risk control and compliance oversight and independent assurances in any given quarter are reviewed with senior management, our Audit Committee (independent directors, primarily responsible for oversight of our overall risk profile and risk management policies) and Board of Directors.
We have focused on the following cybersecurity initiatives.
• Responsible Parties: We engaged a global leader in end-to-end IT solutions (the “BrightSpire IT Partner”) to advance and maintain a comprehensive cybersecurity program. Our cybersecurity program is designed with the BrightSpire IT Partner’s attention to and integration of certain information security standards issued by the SEC, the National Institute of Standards and Technology, and the International Organization for Standardization. We also have a dedicated senior employee to lead IT (“Head of IT”) oversight and functions, together with our Chief Financial Officer and General Counsel (together, the “Information Security Group”) and the aforementioned BrightSpire IT Partner. Benefits provided by the Head of IT and BrightSpire IT Partner include a significant reduction in critical vulnerabilities, cost-effective governance and risk services, current expertise and awareness in modeling, adapting to and mitigating new threats, freeing internal team resources to focus on business priorities, and effectively meeting and managing evolving regulatory requirements in real time. Other members of management and team leaders assist in incident response efforts as well.
• Cybersecurity Risk Management (“CRM”) Program: The CRM program includes: (i) implementation of hardware and software infrastructure, primarily cloud based; (ii) a “security first” approach to policies, processes and procedures (including general IT and security, information security, business continuity and incident response policies and plans); (iii) employee education, training and periodic testing and patching, including four to six sessions each calendar year (addressing spam, phishing, information security protocols, use of social media); and (iv) assessments of internal resources and diligence of external vendors and systems. Business continuity, disaster recovery and incident response procedures prioritize constant communication and follow a multi-step program including identification, preparation, implementation and resolution.
• Cloud Services: We migrated our company data and communication services to a leading cloud-based service provider and maintain them within its security systems and protected environment. Employees working from home may only connect and conduct business activities through a virtual private network (VPN).
• Security First Approach: Our cloud-based systems take a security first approach, including: (i) Perimeter Security (firewalls, antivirus, malware); (ii) Network Security (secure remote access, network patch management); (iii) Application Security (patch management, multi-factor authentication); (iv) Endpoint Security (email security/encryption, web filtering & URL defense, mobile device management); and (v) Data Security.
Cybersecurity Systems Review. We regularly review our cybersecurity systems, policies and procedures through a series of channels, including but not limited to our Audit Committee and Board of Directors, the BrightSpire IT Partner, our internal Information Security Group, our independent financial auditor, and outside counsel.
• Our Audit Committee and Board of Directors play an active role in reviewing our cybersecurity initiatives. The BrightSpire IT Partner provides our Board an annual review of our cybersecurity governance and risk management program, security metrics relevant to the period in review (including findings on phishing campaigns and vulnerability patchwork initiatives) and provides the Audit Committee and Board updates regarding the cybersecurity threat landscape (for example, the impact of artificial intelligence). In coordination with the Information Security Group, the General Counsel provides reports of material cybersecurity incidents and cybersecurity threats (if any) at each quarterly meeting of the Audit Committee and Board.
• The BrightSpire IT Partner has established itself as a provider of managed services and technology solutions for over two decades, providing 24/7 oversight and services, including continuous testing and vulnerability scanning. The BrightSpire IT Partner also performs annual due diligence of key vendors on a rotating basis (including System and Organization Controls (SOC) report reviews or, alternatively, soliciting detailed questionnaires to evaluate such vendors’ cybersecurity preparedness and protections).
• Our Head of IT has over two decades of experience in IT and cybersecurity work and developed and implemented our cybersecurity program with the BrightSpire IT Partner. Together with our Head of IT, the Information Security Group considers current cybersecurity trends and threats, including through discussions with the BrightSpire IT Partner, outside cybersecurity counsel, our independent financial auditor and internal auditor. The Information Security Group undertakes table-top business disruption, disaster recovery and related response strategies and plans on a periodic basis and seeks to review and update applicable policies and procedures at least annually.
No Material Incidents. Since inception in January 2018, we have not experienced any material cybersecurity or information security incidents. We have not incurred any expenses due to material information security incident penalties or settlements.
Cyber Liability Insurance. Through consultant driven data, analytics and peer benchmarking, we secured and maintain specific coverage to mitigate losses associated with cyber-attacks and other information security incidents, addressing both first-party and third-party losses from incident response, cyber extortion, data loss, business interruption, contingent business interruption, regulatory penalties, media liability, social engineering coverage, system failures and bricking/hardware replacement.