Cohen & Steers Income Opportunities REIT, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

Cohen & Steers Income Opportunities REIT, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 16:01:31 EDT.

Filings

10-K filed on 2024-03-14

Cohen & Steers Income Opportunities REIT, Inc. filed a 10-K at 2024-03-14 16:01:31 EDT
Accession Number: 0001939433-24-000037


Item 1C. Cybersecurity.

Risk Management and Strategy

We are externally managed by the Advisor, a subsidiary of Cohen & Steers, and representatives of the Company and the Advisor operate the Company's business through Cohen & Steers' information systems. Our business is dependent on the effectiveness of our and Cohen & Steers' information and cybersecurity policies and procedures to protect our and Cohen & Steers' network and telecommunications systems and the data that reside in or are transmitted through such systems. Cybersecurity is a crucial component of our risk management processes and of Cohen & Steers' enterprise risk management program. Like many companies, we, Cohen & Steers and our and our external providers have been subject to, and expect to continue to be subject to, a range of cybersecurity threats and risks. Cohen & Steers has invested significant resources into cybersecurity and risk management processes to adjust to the continuing evolution in cybersecurity and respond to related threats.

Cohen & Steers has implemented and maintained various information security processes designed to identify, assess and manage material risks from cybersecurity threats to its critical computer networks, third-party hosted services, communications systems, hardware and software and critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature and information relating to Advisor clients and investments ("Information Systems and Data").

Cohen & Steers' cybersecurity risk management function is led by its Chief Information Security Officer ("CISO") and Chief Technology Officer ("CTO") and includes members of its Information Technology ("IT") department and other personnel that oversee its information security and engineering operations. Input and guidance are also provided by members of its Legal and Compliance departments. Together, these employees (collectively referred to as members of the "Cybersecurity Management") are primarily responsible for developing, implementing and monitoring Cohen & Steers' cybersecurity program and reporting on cybersecurity matters to Cohen & Steers' senior management as well as our Audit Committee, on behalf of our Board.

Members of Cybersecurity Management identify and assess risks from cybersecurity threats by monitoring and evaluating Cohen & Steers' threat environment and enterprise risk profile using various manual and automated tools as well as by: (i) utilizing shared information about vulnerabilities and exploits from various professional security organizations, reports or other services that identify cybersecurity threats and through the use of external intelligence feeds; (ii) analyzing reports of threats and actors; (iii) conducting scans of Cohen & Steers' threat environment; (iv) evaluating Cohen & Steers' and its industry's risk profile; (v) evaluating threats that are reported to or discovered by Cohen & Steers; (vi) coordinating with law enforcement concerning threats; (vii) conducting internal and external audits of the information security control environment and operating effectiveness; and (viii) conducting threat assessments for internal and external threats, including through the use of third party threat assessments and vulnerability threat assessments.
Cohen & Steers has implemented and maintained various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to Information Systems and Data, including, but not limited to:

technical and physical safeguards: (i) systems monitoring, including anti-virus/anti-malware software for workstations and servers, reports about correlated events detected from server log reviews, desktop forensics software and suspicious firewall traffic, firewall logs and alerts from users about blocked websites, systems monitoring of Cohen & Steers' websites, network monitoring software alerts and scheduled internal and external vulnerability scans; (ii) Cohen & Steers asset management tracking and disposal; (iii) incident detection and response; (iv) data encryption; (v) notification monitoring from Cohen & Steers personnel and from third parties regarding issues and signs of potential incidents; and (vi) access controls and network security controls; and

organizational safeguards: (i) incident response plans that address Cohen & Steers' response to a cybersecurity incident; (ii) personnel and vendors dedicated to overseeing Cohen & Steers' cybersecurity program; (iii) periodic mandatory employee cybersecurity training; (iv) periodic risk assessments and testing of Cohen & Steers' policies, standards, processes and practices that are designed to address cybersecurity threats and incidents, such as audits, tabletop exercises, threat modeling and vulnerability testing; (v) policies and programs such as security standards, a vendor risk management program, a vulnerability management policy and disaster recovery and business continuity plans; and (vi) insurance coverage dedicated to losses resulting from cybersecurity incidents.
Cybersecurity risk management processes are integrated into the Board's ongoing evaluation and management of risks that are essential to our success, including as it relates to its oversight of the Advisor. At least annually, our Audit Committee reviews the cybersecurity program of the Advisor. Further, cybersecurity risk management is integrated into the Cohen & Steers overall enterprise risk management process. For example, (i) enterprise risk management-level cybersecurity risks are reviewed at least annually by Cohen & Steers' information technology security team; (ii) internal and external penetration tests are performed to identify any vulnerabilities and findings are risk ranked based on potential likelihood and impact; and (iii) the CTO reports on cybersecurity risk management and related matters annually to the Audit Committee, as part of its ongoing evaluation and oversight of the Advisor's cybersecurity program.

Third-party service providers play a key role in Cohen & Steers' cybersecurity program. Cohen & Steers uses third-party service providers to assist in identifying, assessing and monitoring material risks from cybersecurity threats, including through penetration testing, provision of threat intelligence and monitoring Cohen & Steers' environment 24 hours a day and seven days a week. Cohen & Steers has currently engaged with professional services firms, including legal counsel, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers, penetration testing firms, dark web monitoring firms and cyber insurance brokers and providers. Members of the Advisor's management report key findings of such assessments to our Audit Committee and Cohen & Steers adjusts its cybersecurity policies, standards, processes and practices as necessary based in part on information provided by these assessments and engagements.
Cohen & Steers also uses third-party service providers to perform a variety of functions throughout its business, such as application providers, hosting companies and supply chain resources. Cohen & Steers maintains a risk-based approach to identifying and overseeing cybersecurity risks and vulnerabilities presented by its engagement of third parties, including key vendors, service providers and other external users of its information systems, as well as the information systems of third parties that could adversely impact its business in the event of a cybersecurity incident affecting those third-party systems. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue and the identity of the provider, Cohen & Steers' vendor risk management program may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider. Cohen & Steers' vendor risk management program may entail: (i) vendor risk assessments; (ii) security questionnaires; (iii) vendor audits; (iv) vulnerability scans relating to vendors; (v) security assessment calls with the vendor's security personnel and Cohen & Steers' review of the vendor's written security program, security assessments and other reports; (v) provision from the vendor of a System and Organization Controls ("SOC") 1 or SOC 2 report to evidence cybersecurity preparedness; and (vi) the imposition of contractual obligations on the vendor.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under "Part I. Item 1A. Risk Factors" in this Annual Report on Form 10-K, including under the caption "We could incur financial losses, reputational harm and regulatory penalties if we or Cohen & Steers fail to implement effective information security policies and procedures."
Governance

Our cybersecurity risk assessment and management processes are implemented and maintained by members of Cohen & Steers' Cybersecurity Management, including its CISO, CTO and Head of IT Infrastructure.

Cohen & Steers' CISO oversees the information security group and program within its IT department and holds a Bachelor of Arts degree in computer science. The CISO has served in various roles in information technology for over 24 years within the financial services industry, including previously serving as Head of Information Security and Enterprise Infrastructure, Head of IT Audit and Chief Information Security Officer at other companies, and holds the Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC) certifications and is registered with FINRA for the Series 99.

Cohen & Steers' CTO oversees the IT department and holds a PhD in computer science, an MBA and Postgraduate Diploma in physics. The CTO has served in various roles in information technology for over 28 years, including senior leadership roles for the investment banking division of a financial services company.

Cohen & Steers' Head of IT Infrastructure oversees the infrastructure and service desk departments within the IT department and holds a Bachelor of Business Administration degree in finance and computer information systems. The Head of IT Infrastructure has served in various roles in information technology for over 20 years.

Members of Cohen & Steers' Cybersecurity Management, including the CISO and the CTO, are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into Cohen & Steers' overall risk management strategy and communicating key priorities to relevant personnel.
Members of Cybersecurity Management, including the CISO and CTO, are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes and reviewing security assessments and other security-related reports.

Cohen & Steers' cybersecurity incident response plan is a key component of its cybersecurity program. The response plan is designed to report certain cybersecurity incidents to members of Cybersecurity Management, who then work with the Cohen & Steers incident response team to help Cohen & Steers control, mitigate and remediate cybersecurity incidents of which they are notified. In addition, the response plan includes prompt reporting to our Board (or the Audit Committee) of certain cybersecurity incidents and of the materiality and disclosure determinations relating thereto.

Our Board has delegated the primary responsibility for oversight and review of the Company's cybersecurity program to the Audit Committee. The Audit Committee actively participates in discussions regarding cybersecurity risk exposures and steps taken by management of Cohen & Steers to monitor and mitigate such risks, further to their responsibility to manage, oversee and remain informed about the most significant risks to Cohen & Steers and align Cohen & Steers' risk exposure with our strategic and business objectives. At least annually, the Audit Committee reviews with the Advisor and Cohen & Steers' CTO the Cohen & Steers cybersecurity program, including the robustness and efficacy of Cohen & Steers' overall cybersecurity program, steps taken to enhance defenses and security measures in place and its established plans to identify, detect and respond to threats Cohen & Steers may encounter. The Audit Committee also annually reviews and discusses with the Advisor cyber insurance coverage.

In addition, as necessary, our Board (or the Audit Committee) receives reports and communications from the Advisor regarding material risks and specific developments that may cover topics such as: the Advisor's computerized information system controls; the impact of new cybersecurity-related rules and regulations; changes in the threat environment, including new and emergent risks; and evolving information security standards and market practices, including with respect to peers and third parties.


Company Information

Name: Cohen & Steers Income Opportunities REIT, Inc.
CIK: 0001939433
SIC Description: Real Estate Investment Trusts
Ticker
Website
Category
Emerging growth company
Fiscal Year End: December 30