BCTC V ASSIGNOR CORP 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

BCTC V ASSIGNOR CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 11:05:09 EDT.

Filings

10-K filed on 2024-03-22

BCTC V ASSIGNOR CORP filed an 10-K at 2024-03-22 11:05:09 EDT
Accession Number: 0001410578-24-000277

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Disclosure As an externally managed company, our day - to - day operations are managed by BFIM, under the supervision and with the participation of the Principal Executive Officer and Principal Accounting and Financial Officer. Our business is highly dependent on the communications and information systems of BFIM, its affiliates and third - party service providers. BFIM is an affiliate of ORIX Corporation USA (“ORIX USA”), a diversified financial company and a subsidiary of ORIX Corporation (“ORIX”) and participates in and is subject to ORIX USA’s cybersecurity program. Accordingly, we rely and BFIM relies on ORIX USA and its cybersecurity risk management program to identify, assess and manage material risks to our business from cybersecurity threats. To date, Cybersecurity threats, including any previous Cybersecurity incidents, have not had a material impact nor, are they anticipated to significantly affect the Assignor Limited Partner, including our business strategy, results of operations or financial condition. Cybersecurity Governance The Assignor Limited Partner, under the supervision and with the participation of the Principal Executive Officer and Principal Accounting and Financial Officer, is responsible for directing and overseeing our risk management. The Principal Executive Officer and Principal Accounting and Financial Officer administers this oversight function directly. In particular, the Principal Executive Officer and Principal Accounting and Financial Officer has the responsibility to consider and discuss our major financial risk exposures and the steps BFIM takes, or is required to take, to monitor and control these exposures, including guidelines and policies to govern the process by which risk assessment and management is undertaken. The Principal Executive Officer and Principal Accounting and Financial Officer also monitors compliance with legal and regulatory requirements. BFIM is responsible for identifying, assessing, and managing the Assignor Limited Partner’s material risks from cybersecurity threats. BFIM relies on ORIX USA and the ORIX USA information and security team, including the ORIX USA CIO, to provide us with a comprehensive cybersecurity risk management program. Periodically, at least annually, ORIX USA’s CIO and/or other members of the ORIX USA information and cybersecurity team will present to BFIM on various topics relating to ORIX USA’s technology risks, including ORIX USA’s cybersecurity program (including the results of cybersecurity tabletop exercises) , cybersecurity issues (including those relating to data protection, insider threats, regulatory changes and geopolitical cyber threat management) and risk management (including the results of periodic technology audits). 4 Table of Contents Cybersecurity Risk Management and Strategy ORIX USA has a Chief Information Officer (the “ORIX USA CIO”), who leads an information and cybersecurity team (the “ORIX USA information and cybersecurity team”) responsible for managing information security at ORIX USA’s asset management business, including its Cybersecurity strategy and program, which encompasses annual employee training about Cybersecurity risks and new employee onboarding about ORIX USA’s security policies. The ORIX USA information and cybersecurity team’s responsibilities cover three main areas: (i) operations and engineering, (ii) threat detection and response, and (iii) governance. The team comprises members with diverse and relevant skill sets and expertise. The ORIX USA CIO leads the cybersecurity team with over twenty years of experience at ORIX USA and prior experience as a principal with a large management consulting firm. This team has developed a program aligned with the NIST CSF framework, emphasizing training and development, with team members holding industry - recognized certifications complemented by industry - recognized third - party providers for threat and incident management. ORIX USA employs a ‘defense in depth’ cybersecurity strategy and program based on the NIST Cybersecurity Framework, which includes multiple layers of security policies, protections, and controls designed to safeguard the confidentiality, integrity, and availability of infrastructure, network and information assets from malware and threats. This includes the deployment of firewalls, email protection technologies and web gateway, antivirus, and endpoint detection and response (“EDR”) systems. Our firewalls (intrusion detection systems and intrusion prevention systems) are designed to secure the organization’s perimeter complemented by an antivirus and EDR platform designed to detect malware and threats on systems. Web application firewalls are designed to protect external facing applications, while our email security gateway utilizes machine learning and multilayered detection techniques designed to filter malicious emails. Mobile device management software monitors security events via a Security Information and Event Management platform, managed by a detection and response provider. Mobile device management software is employed with the objective of protecting corporate email and data on mobile devices and is designed to prevent unauthorized data transfer. ORIX USA maintains a Cybersecurity incident response capability that includes detailed policies, plans and modular run books and maps designed around different types of Cyber Incidents. The plan and run books are tested annually through Cybersecurity tabletop simulations where incident response technical, and executive team members go through real - world scenarios focused on current Cyber threats. ORIX USA’s Cybersecurity incident response plan provides for escalation of identified Cybersecurity threats and incidents, including, as appropriate, to our management. These discussions provide a mechanism for the identification of Cybersecurity threats and incidents, assessment of Cybersecurity risk profile or certain newly identified risks relevant to our company, and evaluation of the adequacy of our Cybersecurity program, including risk mitigation, compliance and controls. ORIX USA has established a notification decision framework to determine when the notifications regarding certain cybersecurity incidents, with different severity thresholds triggering notification to different recipient groups, including BFIM and the Principal Executive Officer and Principal Accounting and Financial Officer of the Assignor Limited Partner.

Company Information