NexPoint Real Estate Finance, Inc. 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

NexPoint Real Estate Finance, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 20:42:16 EDT.

Filings

10-K filed on 2024-03-21

NexPoint Real Estate Finance, Inc. filed an 10-K at 2024-03-21 20:42:16 EDT
Accession Number: 0001786248-24-000004

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Company s Board recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Board is actively involved in oversight of the Company s risk management program, and cybersecurity represents an important component of the Company s overall approach to risk management. Our Manager maintains cybersecurity policies, standards, processes and practices that are based on recognized security frameworks such as the National Institute of Standards and Technology cybersecurity framework (the NIST CF ) and the Azure Security Benchmark. In general, our Manager seeks to address cybersecurity risks of the Company through a comprehensive, cross-functional approach that is focused on continually assessing the Company s information systems to detect, prevent and mitigate cybersecurity threats and effectively respond to cybersecurity incidents when they occur. As one of the critical elements of the Company s overall risk management, our Manager s cybersecurity program is focused on the following key areas: Governance: The Board s oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the Audit Committee ), which interacts with our Manager s Director of Information Technology and Chief Compliance Officer and other members of management of our Manager that implement and oversee our Manager s cybersecurity program. Risk Assessment: No less frequently than annually, our Manager completes an assessment to identify potential cybersecurity threats and vulnerabilities to better prioritize and mitigate the Company s cybersecurity risk. The assessment includes, among other things, evaluating the nature, sensitivity and location of information the Company collects, processes 51 Table of Contents and stores and the resiliency of the underlying technologies, the validity and effectiveness of the Company s security policies, controls and processes and the cybersecurity preparedness of the third-party vendors used by the Company and our Manager. To supplement our Manager s internal assessment, our Manager also periodically engages third-party consultants to assess system configurations through configuration review and penetration testing. Technical Safeguards: Our Manager deploys technical safeguards that are designed to protect the Company s and our Manager s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Incident Response and Recovery Planning: Our Manager has established and maintains comprehensive business continuity plans that address potential impacts should the information or technology systems become compromised, and such plans are tested and evaluated on a regular basis. Third-Party Risk Management: Our Manager maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including key vendors, service providers and other external users of the Company s and the Manager s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. Education and Awareness: Our Manager provides regular, mandatory training for its employees regarding cybersecurity threats as a means to equip its employees with effective tools to address cybersecurity threats, and to communicate our Manager s evolving information security policies, standards, processes and practices. Our Manager engages in the periodic assessment and testing of our Manager s policies, standards, processes and practices that are designed to address the Company s cybersecurity threats and incidents. These efforts include a wide range of activities, including annual penetration and third-party compliance testing and ongoing internal testing and creation and modification of polices and procedures. The results of the annual assessments are reported to the Audit Committee and the Board, and our Manager adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments and ongoing testing. The Audit Committee oversees the Company s risk management policies, including the management of risks arising from cybersecurity threats. The Audit Committee receives presentations and reports on cybersecurity risks, which address a wide range of topics including annual assessments of internal and third-party policies, vulnerability assessments, technological trends and information security considerations arising with respect to the Company and our Manager. The Audit Committee also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the Board and the Audit Committee discuss the Company s approach to cybersecurity risk management with our Manager, including the Manager s Director of Information Technology. The Manager s Director of Information Technology, in coordination with relevant senior management and personnel of the Manager, which includes our Manager s Chief Financial Officer, Senior Infrastructure Engineer, and Chief Compliance Officer, work to conceive, implement, and monitor the effectiveness of a program designed to protect the Company s information systems from cybersecurity threats and to promptly respond to any security incidents in accordance with the Company s business continuity plan. To ensure the effectiveness of these controls, the Manager s technology team continually monitors, hardens, and evolves systems security postures to model and mirror various security frameworks such as NIST CSF and Azure Security Benchmark. The Manager s Director of Information Technology will promptly notify our General Counsel of any cybersecurity events, with material cybersecurity events promptly communicated to the Audit Committee and publicly disclosed as deemed necessary. The Manager s Director of Information Technology has served in various roles in information technology and information security for 25 years, including serving as Global Technology Manager at a multi-national publicly traded broker-dealer, and 15 years as the Director of Information Technology at a privately held financial services firm. The Manager s Director of Information Technology holds an undergraduate degree in biochemistry and has attained numerous information technology certifications over the years including Microsoft Certified Systems Engineer (MCSE) and Cisco Certified network Professional (CCNP). The Manager s Senior Infrastructure Engineer has over 20 years industry experience, holds an undergraduate degree in radiology, and has completed various Microsoft related information technology certifications. Combined, our Manager s information technology team has over 50 years of experience covering all major aspects of network architecture and management. 52 Table of Contents Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. However, the risk of cybersecurity threats could be significant if the cyber-attack disrupts the Company s critical operations, service or financial systems. See Item 1A. Risk Factors General Risks We are highly dependent on information technology and security breaches or systems failures could significantly disrupt our business, which may, in turn, negatively affect the market price of our securities and our ability to pay dividends.

Company Information