InPoint Commercial Real Estate Income, Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

InPoint Commercial Real Estate Income, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 16:16:16 EDT.

Filings

10-K filed on 2024-03-15

InPoint Commercial Real Estate Income, Inc. filed an 10-K at 2024-03-15 16:16:16 EDT
Accession Number: 0000950170-24-032205

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Assessment, Identification and Management of Material Risks from Cybersecurity We rely on the cybersecurity strategy and policies implemented by Inland and the Sub-Advisor. Inland s cybersecurity strategy prioritizes detection and analysis of and response to known, anticipated or unexpected threats, effective management of security risks and resilience against cyber incidents. Inland s cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services, which include tools and services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. Inland has implemented and continues to implement risk-based controls designed to prevent, detect and respond to information security threats and we rely on those controls to help us protect our information, our information systems, and the information of our investors, and other third parties who entrust us with their sensitive information. Inland s cybersecurity program includes physical, administrative and technical safeguards, as well as plans and procedures designed to help our sponsor and Advisor to prevent and timely and effectively respond to cybersecurity threats and incidents, including threats or incidents that may impact us, our Advisor, and Dealer Manager. Inland s cybersecurity risk management process seeks to monitor cybersecurity vulnerabilities and potential attack vectors, evaluate the potential operational and financial effects of any threat and mitigate such threats. The assessment of cybersecurity risks, including those which may impact us, our Advisor, and Dealer Manager, is integrated into Inland s risk management program. In addition, Inland periodically engages with third-party consultants and key vendors to assist it in assessing, enhancing, implementing, and monitoring its cybersecurity risk management programs, including performing penetration testing of Inland s networks, and security assessments of the effectiveness of Inland s information technology environment to identify potential vulnerabilities. Inland s cybersecurity risk management and awareness programs include periodic identification and testing of vulnerabilities as well as regular phishing simulations for all of the employees of the Advisor and its affiliates. Inland undertakes periodic internal security reviews 38 of its information systems and related controls, including systems affecting personal data and the cybersecurity risks of our Advisor, and Dealer Manager, and our critical third-party vendors (including the transfer agent) and other partners. Inland has established a Computer Security Incident Response Team ( Inland CSIRT ), which aims to manage and mitigate the impact of cybersecurity breach events, including those arising from or impacting our Advisor, Dealer Manager and service providers (including the transfer agent), tenants, borrowers, and other business contacts. Members of the Inland CSIRT include Inland s VP Director of IT Infrastructure & Information Security, who has more than 19 years of experience in information technology security and leads Inland s cybersecurity program, and its Head of Technology Strategy, as well as members of the firm s legal, risk, and communications groups. Inland has established a notification decision framework to determine when the Inland CSIRT will provide notifications regarding certain cybersecurity incidents, with different severity thresholds triggering notifications to different recipient groups, including members of our Advisor s management, and our Board and Audit Committee, as appropriate. The Sub-Advisor s cybersecurity program provides a structured approach which serves to promote practices, procedures, and methodologies that seek to appropriately mitigate information security risks on behalf of its investment vehicles and its underlying investors. At all times, the Sub-Advisor seeks to proactively identify potential risks to its business and develop policies and procedures to minimize such risks. The Sub-Advisor has implemented data security policies, which include provisions to limit access to sensitive data only to those who require it to follow a policy of least privilege and an authorization process for those who otherwise request access to data. The Sub-Advisor has also implemented backup and recovery procedures, with backup occurring on a nightly basis and disaster recovery tests conducted on an annual basis. The Sub-Advisor s internal systems are protected by security measures, including hardening policies, firewalls, and disaster recovery tests. In addition, the Sub-Advisor makes use of encryption standards on its systems and requires multifactor authentication for remote access. The Sub-Advisor ensures company-related data is compartmentalized on its employees personal mobile devices and ensures that its employees are trained on and subject to appropriate confidentiality obligations. The Sub-Advisor performs security risk assessments on a monthly basis and additionally conducts internal and external penetration tests on an annual basis. The Sub-Advisor has developed a comprehensive incident response plan and established a Cybersecurity Task Force which leads the effort for enhancing data protection practices and is responsible for administering the cybersecurity policy and determining and implementing the appropriate technical and organizational measures within the firm for the safeguarding of sensitive data. The Director of Information Technology at the Sub-Advisor is primarily responsible for assessing cyber risk and bringing risks to the attention of the other members of the Cybersecurity Task Force. The Sub-Advisor has also engaged a third-party to assist with tasks such as planning incident response plans, conducting tabletop exercises, conducting phishing exams, etc. Oversight of Cybersecurity Risks The Board and our Audit Committee oversee our cybersecurity risk exposures and the steps taken by management to identify, monitor and mitigate cybersecurity risks to align our risk exposure with our strategic objectives. With respect to such cybersecurity risk oversight, our Board and/or our Audit Committee receive periodic reports and/or updates from management on the primary cybersecurity risks facing us and the Advisor, the Sub-Advisor, and the Dealer Manager and the measures we, the Advisor, the Sub-Advisor and the Dealer Manager are taking to mitigate such risks. In addition to such reports and updates, our Board and/or our Audit Committee receive updates from management as to changes to our and the Advisor s, the Sub-Advisor s and the Dealer Manager s cybersecurity risk profile or certain newly identified risks. In the event of an incident, we intend to follow Inland s incident response plan, which outlines the steps to be followed from incident identification, mitigation, recovery and notification to legal counsel, senior leadership and the Board or Audit Committee, as appropriate. Impact of Cybersecurity Risks As of the date of this filing, we have not experienced a material information security breach incident and the expenses we have incurred from information security breach incidents have been immaterial, and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our business, financial condition, results of operations, or cash flows. See Part I, Item 1A, Risk Factors, Risks Related to an Investment in Our Company for more information regarding cybersecurity risks.

Company Information