Cottonwood Communities, Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Cottonwood Communities, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 17:10:52 EDT.

Filings

10-K filed on 2024-03-28

Cottonwood Communities, Inc. filed a 10-K at 2024-03-28 17:10:52 EDT
Accession Number: 0001692951-24-000052


Item 1C. Cybersecurity.

Risk Management and Strategy

Under the oversight of our Executive Security Council, which is chaired by our Senior Vice President of Technology (Certified Information Systems Security Professional), and is also comprised of our Chief Legal Officer, Chief Operating Officer, Chief Accounting Officer and Treasurer and Chief Financial Officer, we have developed and implemented a cybersecurity risk management governance, risk, and compliance (GRC) program that applies to us as well as our advisor and its affiliates. The GRC program is used to identify, assess, and mitigate findings and risks to our operations from cybersecurity threats. Our GRC program employs qualitative and quantitative assessments of the cybersecurity risk landscape impacting our operations, as identified by our Information Technology (IT) and Security team to determine likelihood and potential impact. The analysis is evaluated by our Executive Security Council, and subject to the oversight of our board of directors to assess and prioritize potential risk to our information security. We consider cybersecurity, along with other top risks, within our enterprise risk management and GRC framework.

We have established a multilayer cyber threat defense program that enables us to identify, protect, detect, respond, and recover from cyber threat findings, taking appropriate action to prevent these threats from turning into risk. Part of this security program is an incident response plan, the goal of which is to provide a timely response, mitigate any damage, restore services, preserve evidence, evaluate risk impact, communicate effectively to all stakeholders, and ultimately reduce the likelihood of an incident recurrence through proper containment and retrospective. We engage third party consultants to conduct cybersecurity assessments and help mature the information security program.

We regularly review our cybersecurity program to help identify areas for continued focus, improvement and/or compliance. We engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the board of directors, and we may adjust our cybersecurity program and practices as necessary based on the information provided by these assessments, audits and reviews.

We review and test our information security systems, including regular penetration tests of our network. We also use third-party systems to monitor our information security continually. For any of our critical hosted applications we require the vendor to maintain a System and Organization Controls (SOC) 1 or SOC 2 report. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, or the report is qualified, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis. Our assessment of risks associated with the use of third-party providers is part of our overall cybersecurity risk management framework. We regularly evaluate our overall security risk posture to ensure appropriate security controls are in place to ensure confidentiality, integrity, and availability of the firm's processing environment, including our business strategy, results of operations or financial condition, to ensure that we have an appropriate security program in place in order to manage materiality.

We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For additional information, see Item 1A. "Risk Factors - Breaches of our data security could materially harm us, including our business, financial performance and reputation."

Governance

Our audit committee has primary responsibility for oversight and review of guidelines and policies with respect to risk assessment and risk management, including cybersecurity. The Executive Security Council periodically reports to our audit committee as well as our full board of directors, as appropriate, on cybersecurity matters. Such reporting includes updates on our cybersecurity program, the external threat environment, and programs in place to address and mitigate the risks associated with the evolving cybersecurity threat landscape. These reports also include updates on our preparedness, prevention, detection, responsiveness, and recovery with respect to any cybersecurity incidents. Material cybersecurity events, if any, are escalated to our full board of directors on an ongoing basis as necessary.

Our Executive Security Council governs our overall cybersecurity function and is responsible for developing and implementing our information risk program and managing our response to threats in collaboration with our IT and Security team, subject to oversight by our board of directors. Our Executive Security Council meets regularly regarding the risks of any cybersecurity incidents which are reported pursuant to (i) criteria set forth in our information risk program, (ii) notification criteria set forth in our contracts with third-party service providers and (iii) reports prepared by consultants, auditors, and other third parties retained by us, if necessary, to investigate cybersecurity incidents. In addition to our in-house cybersecurity capabilities, at times we also engage third parties to assist with assessing, identifying, and managing cybersecurity risks.

Members of our IT and Security team, including the third-party security firms we utilize as part of our program, have cybersecurity experience or certifications, such as the Certified Information Systems Security Professional certification. The Company's Senior Vice President of Technology's relevant cybersecurity expertise includes Certified Information Systems Security Professional designation (CISSP), ISO 27001 as well as over 20 years of experience as a technology and security professional.


Company Information

Name: Cottonwood Communities, Inc.
CIK: 0001692951
SIC Description: Real Estate Investment Trusts
Ticker:
Website:
Category: Emerging growth company
Fiscal Year End: December 30