Lument Finance Trust, Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

Lument Finance Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 16:50:31 EDT.

Filings

10-K filed on 2024-03-15

Lument Finance Trust, Inc. filed an 10-K at 2024-03-15 16:50:31 EDT
Accession Number: 0001628280-24-011505

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY As an externally managed company, our day-to-day operations are managed by our Manager and our executive officers under the supervision of our board of directors and its committees. Our executive officers are senior investment professionals provided to us through our Manager pursuant to our management agreement with our Manager. Our business is highly dependent on the communications and information systems of our Manager, its affiliates and third-party service providers. Our Manager is an affiliate of ORIX Corporation USA (“ORIX USA”), a diversified financial company and a subsidiary of ORIX Corporation (“ORIX”) and participates in and is subject to ORIX USA’s cybersecurity program. Accordingly, we rely and Manager relies on ORIX USA and its cybersecurity risk management program to identify, assess and manage material risks to our business from cybersecurity threats. To date, Cybersecurity threats, including as a result of any previous Cybersecurity incidents, have not had a material impact nor, are they anticipated to significantly affect the Company, including our business strategy, results of operations or financial condition. For a discussion of how risks from cybersecurity threats affect our business see, “Part I. Item IA. Risk Factors - the occurrence of cyber-incidents, or a deficiency in our Manager’s Cybersecurity or those of any of our third party service providers, could negatively affect our business by causing a disruption to our operations, a compromise of our confidential information or damage to our business relationships or reputation, all of which could negatively impact our business and results of operations in this Annual Report on Form 10-K. 29 Cybersecurity Governance Our board of directors is responsible for directing and overseeing our risk management. Our board of directors administers this oversight function directly, with support from its committees. In particular, the audit committee of our board of directors (the audit committee ) has the responsibility to consider and discuss our major financial risk exposures and the steps our Manager takes, or is required to take, to monitor and control these exposures, including guidelines and policies to govern the process by which risk assessment and management is undertaken. Our audit committee also monitors compliance with legal and regulatory requirements, in addition to overseeing the performance of our internal audit function. Pursuant to the management agreement between us and our Manager, our Manager is responsible for identifying, assessing, and managing our material risks from cybersecurity threats. Our Manager relies on ORIX USA and ORIX USA information and security team, including the ORIX USA CIO, to provide us with a comprehensive cybersecurity risk management program. Periodically, at least annually, ORIX USA’s CIO and/or other members of the ORIX USA information and cybersecurity team will present to the LFT audit committee on various topics relating to ORIX USA’s technology risks, including ORIX USA’s cybersecurity program (including the results of cybersecurity tabletop exercises) , cybersecurity issues (including those relating to data protection, insider threats, regulatory changes and geopolitical cyber threat management) and risk management (including the results of periodic technology audits). Cybersecurity Risk Management and Strategy ORIX USA has a Chief Information Officer (the “ORIX USA CIO”), who leads an information and cybersecurity team (the “ORIX USA information and cybersecurity team”) responsible for managing information security at ORIX USA’s asset management business, including its Cybersecurity strategy and program, which encompasses annual employee training about Cybersecurity risks and new employee onboarding about ORIX USA’s security policies. The ORIX USA information and cybersecurity team’s responsibilities cover three main areas: (i) operations and engineering, (ii) threat detection and response, and (iii) governance. The team comprises members with diverse and relevant skill sets and expertise. The ORIX USA CIO leads the cybersecurity team with over twenty years of experience at ORIX USA and prior experience as a principal with a large management consulting firm. This team has developed a program aligned with the NIST CSF framework, emphasizing training and development, with team members holding industry-recognized certifications complemented by industry-recognized third-party providers for threat and incident management. ORIX USA employs a ‘defense in depth’ cybersecurity strategy and program based on the NIST Cybersecurity Framework, which includes multiple layers of security policies, protections, and controls designed to safeguard the confidentiality, integrity, and availability of infrastructure, network and information assets from malware and threats. This includes the deployment of firewalls, email protection technologies and web gateway, antivirus, and endpoint detection and response (“EDR”) systems. Our firewalls (intrusion detection systems and intrusion prevention systems) are designed to secure the organization’s perimeter complemented by an antivirus and EDR platform designed to detect malware and threats on systems. Web application firewalls are designed to protect external facing applications, while our email security gateway utilizes machine learning and multilayered detection techniques designed to filter malicious emails. Mobile device management software monitors security events via a Security Information and Event Management platform, managed by a detection and response provider. Mobile device management software is employed with the objective of protecting corporate email and data on mobile devices and is designed to prevent unauthorized data transfer. ORIX USA maintains a Cybersecurity incident response capability that includes detailed policies, plans and modular run books and maps designed around different types of Cyber Incidents. The plan and run books are tested annually through Cybersecurity tabletop simulations where incident response technical, and executive team members go through real-world scenarios focused on current Cyber threats. ORIX USA s Cybersecurity incident response plan provides for escalation of identified Cybersecurity threats and incidents, including, as appropriate, to our management. These discussions provide a mechanism for the identification of Cybersecurity threats and incidents, assessment of Cybersecurity risk profile or certain newly identified risks relevant to our company, and evaluation of the adequacy of our Cybersecurity program, including risk mitigation, compliance and controls. ORIX USA has established a notification decision framework to determine when the notifications regarding certain cybersecurity incidents, with different severity thresholds triggering notification to different recipient groups, including our Manager and officers of LFT.

Company Information