Claros Mortgage Trust, Inc. - (CMTG)

10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our Manager has developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of its critical systems and our critical information. Our Manager’s cybersecurity risk management program includes a cybersecurity incident response plan.

Our Manager uses the Center for Internet Security Critical Security Controls as a guide to help identify, assess, and manage cybersecurity risks relevant to our business. This does not imply that our Manager meets any particular technical standards, specifications, or requirements.

Our Manager’s cybersecurity risk management program includes the following key elements:

risk assessments designed to help identify material cybersecurity risks to critical systems, information, services, and our Manager’s broader enterprise information technology (“IT”) environment;
a team comprised of IT and Legal & Compliance personnel of our Manager principally responsible for directing (1) the cybersecurity risk assessment processes, (2) our Manager’s security processes, and (3) our response to cybersecurity incidents;
the use of external cybersecurity service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes or those of our Manager;
cybersecurity awareness training of employees with access to our Manager’s IT systems;
a cybersecurity incident response plan; and
a third-party risk assessment process for key service providers.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors – Operational risks, including the risk of cyberattacks, may disrupt our businesses, result in losses and limit our growth.”

Cybersecurity Governance

Our Board has generally delegated the cybersecurity risk oversight function to the Audit Committee. The Audit Committee monitors our Manager’s design and implementation of its cybersecurity risk management program.

Our Manager’s Director of Technology periodically reports to the Audit Committee and provides briefings on cybersecurity risks, our Manager’s cyber risk management program, and, if applicable, known cybersecurity incidents. The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. Audit Committee members also receive presentations on cybersecurity topics from our Manager’s Director of Technology or external experts as part of the Board’s continuing education on topics that impact public companies.

Our Manager’s Director of Technology leads our Manager’s overall cybersecurity function and supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, including alerts and reports produced by security tools deployed in our Manager’s IT environment.

Our Manager’s Director of Technology is responsible for assessing and managing our Manager’s material risks from cybersecurity threats and has primary responsibility for leading our Manager’s overall cybersecurity risk management program and external IT cybersecurity service providers. Our Manager’s Director of Technology has pertinent related experience in managing IT infrastructure and participates in various industry peer groups and organizations.