Cantor Fitzgerald Income Trust, Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Cantor Fitzgerald Income Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 20:57:58 EDT.

Filings

10-K filed on 2024-03-28

Cantor Fitzgerald Income Trust, Inc. filed an 10-K at 2024-03-28 20:57:58 EDT
Accession Number: 0000950170-24-038325

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We understand the importance of preventing, assessing, identifying, and managing material risks associated with cybersecurity threats. As an externally managed company, our business is highly dependent on the communications and information systems of our Advisor, its affiliates and third-party service providers. Our Advisor is an indirect subsidiary of Cantor, a diversified organization specializing in financial services and real estate for institutional customers operating in the global financial and commercial real estate markets. Cantor has a global cybersecurity process applicable to all subsidiaries and business lines, including our business. Risk Management and Strategy Cantor s global cybersecurity processes form the comprehensive framework for planning, performing, managing, assessing, and improving our security controls as they relate to cybersecurity, and form part of our overall risk management system. Cantor aims to conduct its cybersecurity program in accordance with current recognized global policies and standards for cybersecurity and information technology. These processes are managed by Cantor s cybersecurity team and supported by its business continuity teams. Cantor conducts periodic internal and external vulnerability audits and assessments and penetration testing and provides periodic cybersecurity training to employees. These measures include regular phishing simulations, annual general cybersecurity awareness training and data protection training. Cantor participates in industry-specific cybersecurity roundtables and professional groups to ensure it remains abreast of industry-wide cybersecurity developments and best practices and thereby enhances our threat identification processes and responses as necessary. Additionally, when engaging with and utilizing third-party vendors and partners for its business, Cantor conducts various oversight assessments, including due diligence and periodic monitoring to identify potential cybersecurity threats associated with conducting business with such vendors and partners and to ensure any corresponding risk exposure aligns with Cantor s business requirements and risk tolerances. Cantor maintains an incident reporting and escalation process in the event of any observed, detected, or suspected events that it believes may qualify as a cybersecurity incident. Risks are identified based on a four-tier system, and tiers are assigned based on the service impact, user impact, financial impact, and security impact that a threat may pose. Cantor s processes include steps to recover our systems and information through established and tested system recovery plans and business continuity plans, each based on the appropriate response associated with the corresponding tier of the identified threat. Cantor s incident response process includes steps to notify key incident management team members who are responsible for communicating with regulatory and other governmental authorities about cybersecurity events as applicable and as required by law. Cantor determines the materiality of such incidents based upon a number of factors including if the incident had or may have a material impact on the respective business strategy, results of operations, or financial condition. This process involves a review of the nature of the incident by Cantor s cybersecurity team as well as other members of management and employees with specialized technological or financial knowledge, as applicable. In the event of a material breach, 51 Cantor has a process for escalation to appropriate members of its senior management, who would, if appropriate, communicate with our management and board of directors or audit committee. These groups would also collaborate in determining the appropriate response to such events and disclosure of any material breach. Cantor engages third parties from time to time that assist it in the identification, assessment, and management of cybersecurity risks. Cantor also engages cybersecurity specialists to complete assessments of its cybersecurity processes, program and practices, including data protection practices, as well as to conduct targeted attack simulations. The feedback from these assessments and guidance from external specialists informs Cantor s overall risk management system and the development and improvement of our processes to mitigate cybersecurity risks throughout the Company. Governance and Management Our board of directors has responsibility for the direction and oversight of our risk management, which would include cybersecurity risk management. Our board of directors administers this oversight function directly, with support from its audit committee (the audit committee ). In particular, the audit committee considers and discusses our major risk exposures and the steps our Advisor takes, or is required to take, to monitor and control these exposures. Our audit committee also monitors compliance with legal and regulatory requirements, in addition to overseeing the performance of our internal audit function. The audit committee will engage in regular discussions with management regarding the Company s significant financial risk exposures and the measures implemented to monitor and control these risks, which will include those that result from material cybersecurity threats as necessary. As an externally managed company, we rely on Cantor s information systems in connection with our day-to-day operations. Consequently, we also rely on the processes for assessing, identifying, and managing material risks from cybersecurity threats undertaken by Cantor. As of the date of this Annual Report on Form 10-K, we have not encountered risks from cybersecurity threats that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations or financial position. For more information about the cybersecurity risks we face, see the risk factor entitled Malicious cyber-attacks and other adverse events affecting the Company s operational systems or infrastructure, or those of third parties, could disrupt the Company s business, result in the disclosure of confidential information, damage the Company s reputation and cause losses or regulatory penalties in Item 1A- Risk Factors.

Company Information