Sachem Capital Corp. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

Sachem Capital Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 09:00:46 EDT.

Filings

10-K filed on 2024-04-01

Sachem Capital Corp. filed a 10-K at 2024-04-01 09:00:46 EDT
Accession Number: 0001410578-24-000381

Item 1C. Cybersecurity.

Risk Management and Strategy

We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. The underlying processes and controls of our program incorporate recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The program is subject to annual risk assessment by a third-party consultant to ensure compliance with the standards of the NIST CSF and to identify, quantify and categorize material cyber risks. In addition, with the assistance of the consultant we have developed a risk mitigation plan to address cyber risks, and where necessary, remediate potential vulnerabilities. In addition, under the program we employ additional key practices including, but not limited to, maintenance of an information technology (IT) assets inventory, periodic vulnerability testing, identity access management controls including restricted access of privileged accounts, physical security measures at our offices, maintenance of firewalls and anti-malware tools, ongoing cybersecurity user awareness training, industry-standard encryption protocols, and critical data backups.

Our cybersecurity partners, including consultants, and other third-party service providers are a key part of our cybersecurity risk management strategy and infrastructure. We partner with industry recognized cybersecurity providers leveraging third-party technology and expertise and engage with these partners to maintain the performance and effectiveness of IT assets, data, and services. The cybersecurity partners provide services including, but not limited to, systems inventory management, vulnerability testing, user management, capacity monitoring, network protection, remote access management, data backups management, infrastructure maintenance, and cyber risk advisory, assessment and remediation. We also maintain a disaster recovery plan to help us quickly recover from an incident during a disruption and help mitigate the impact of certain cybersecurity risks.

Governance

Our management team, including the IT Manager, in conjunction with third-party IT and cybersecurity service providers is responsible for oversight and administration of our cyber risk management program. Our management team has prior experience selecting, deploying, and overseeing cybersecurity technologies, initiatives, and processes directly or via selection of strategic third-party partners, and relies on threat intelligence as well as other information obtained from governmental, public, or private sources, including external consultants engaged by us for strategic cyber risk management, advisory and decision making.

We have implemented third-party risk management processes to manage the risks associated with reliance on vendors, critical service providers, and other third-parties that may lead to a service disruption or an adverse cyber incident. This includes a review of vendors during the selection/onboarding process, inclusion of formal service level agreements (SLAs) including requirements for uptime where applicable, and a periodic review of contracts.

We are in the process of formalizing the Audit Committee's responsibilities to oversee our cybersecurity risk exposure and the steps taken by management to monitor and mitigate cybersecurity risks. Once these responsibilities have been established, the cybersecurity stakeholders, including member(s) of management assigned with cybersecurity oversight responsibility and/or third-party consultants providing cyber risk advisory services will brief the Audit Committee on cyber vulnerabilities identified through the risk management process, the effectiveness of our cyber risk management program, the emerging threat landscape, and new cyber risks on at least an annual basis. This will include updates on our processes to prevent, detect, and mitigate cyber incidents. In addition, material cybersecurity risks and/or events, should they occur, will be reviewed by the Board, at least annually, as part of our corporate risk oversight processes.

We face risk from cybersecurity threats that could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. We acknowledge that the risk of a cyber incident is prevalent in the current threat landscape and that a future cyber incident may occur in the normal course of our business. However, cyber incidents have not been identified to date, therefore having no material adverse effect on our business, financial condition, results of operations, or cash flows. We understand potential vulnerabilities to known or unknown threats remain and have implemented the cyber risk management program described above to stay up to date on attacks against our IT assets, data, and services, and to prevent their occurrence and recurrence where practicable. Further, there is increasing regulation regarding responses to cyber incidents, including reporting to regulators, investors, and additional stakeholders, which could subject us to additional liability and reputational harm in the event of the occurrence of a reportable cyber incident. In response to such risks, we have implemented the aforementioned initiatives. See Item 1A. Risk Factors for more information on our cybersecurity risks.


Company Information

Name: Sachem Capital Corp.
CIK: 0001682220
SIC Description: Real Estate Investment Trusts
Ticker: SACH - NYSE, SACC - NYSE, SACH-PA - NYSE, SCCB - NYSE, SCCC - NYSE, SCCD - NYSE, SCCE - NYSE, SCCF - NYSE, SCCG - NYSE
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30