VINEBROOK HOMES TRUST, INC. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

VINEBROOK HOMES TRUST, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 16:18:25 EDT.

Filings

10-K filed on 2024-04-01

VINEBROOK HOMES TRUST, INC. filed an 10-K at 2024-04-01 16:18:25 EDT
Accession Number: 0001755755-24-000022

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Company s Board recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Board is actively involved in oversight of the Company s risk management program, and cybersecurity represents an important component of the Company s overall approach to risk management. As the historic external property manager of the VineBrook Portfolio and a current subsidiary that engages in property management functions and employes the majority of our employees, we maintain cybersecurity policies, standards, processes and practices at the Manager that cover our 24 office locations and over 550 employees. In general, we seek to address cybersecurity risks of the Company through a comprehensive, cross-functional approach that is focused on continually assessing our information systems to detect, prevent and mitigate cybersecurity threats and effectively respond to cybersecurity incidents when they occur. As one of the critical elements of our overall risk management, our cybersecurity program is focused on the following key areas: Governance: The Board s oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the Audit Committee ), which interacts with our management and the Chief Technology Officer of the Manager that implement and oversee our cybersecurity program. Risk Assessment: No less frequently than annually, we complete an assessment to identify potential cybersecurity threats and vulnerabilities to better prioritize and mitigate our cybersecurity risk. The assessment includes, among other things, evaluating the nature, sensitivity and location of information the Company collects, processes and stores and the resiliency of the underlying technologies, the validity and effectiveness of the Company s security policies, controls and processes and the cybersecurity preparedness of the third-party vendors used by the Company. We complete internally managed weekly vulnerability testing. To supplement our internal assessment, we also engage third-party consultants to assess system configurations through configuration review and annual penetration testing. Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, multi-factor single-sign on authentication for all employees into line of business applications, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Incident Response and Recovery Planning: We have established and maintains comprehensive business continuity plans that address potential impacts should the information or technology systems become compromised, and such plans are tested and evaluated on a regular basis. Third-Party Risk Management: We maintain a comprehensive , risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including key vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. This includes robust reviews with our technology partners who provide the commercial off the shelf software applications we rely on from, among others, Yardi, SalesForce and UKG. Education and Awareness: We provide regular, mandatory training for our employees regarding cybersecurity threats as a means to equip our employees with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices. In addition, we provide end user education on various cybersecurity related topics through a partnership with our human resources team. 69 Table of Contents We engage in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address the Company s cybersecurity threats and incidents. These efforts include a wide range of activities, including third-party annual penetration testing, internally managed weekly vulnerability testing, third-party compliance testing and ongoing internal testing and creation and modification of policies and procedures. The results of these assessments are reported at least annually to the Audit Committee and the Board, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments and ongoing testing. The Audit Committee oversees the Company s risk management policies, including the management of risks arising from cybersecurity threats. The Audit Committee receives presentations and reports on cybersecurity risks, which address a wide range of topics including annual assessments of internal and third-party policies, vulnerability assessments, technological trends and information security considerations arising with respect to the Company. The Audit Committee also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the Board and the Audit Committee discuss the Company s approach to cybersecurity risk management with our management, including the Chief Technology Officer of the Manager . The Chief Technology Officer of the Manager, in coordination with relevant senior management, which includes the Director of IT Operations and General Counsel of the Manager, work to conceive, implement, and monitor the effectiveness of a program designed to protect the Company s information systems from cybersecurity threats and to promptly respond to any security incidents in accordance with the Company s business continuity plan. To ensure the effectiveness of these controls, our technology team continually monitors, hardens, and evolves systems security postures to model and mirror various security frameworks. The Chief Technology Officer of the Manager will promptly notify the General Counsel of the Manager, the General Counsel of the Adviser and senior management, including our President, Senior Vice President of Acquisition & Dispositions and Senior Vice President of Asset Management, of any cybersecurity events, with material cybersecurity events promptly communicated to the Audit Committee and publicly disclosed as deemed necessary. The Chief Technology Officer of the Manager has served in various roles in information technology and information security for over 30 years, including as one of the original architects of the business, operations, systems and information technology infrastructure in the institutional SFR homes sector with large investors in the VineBrook Companies since 2010. The Chief Technology Officer of the Manager holds an undergraduate degree in computer science/programming and a masters degree in business administration (MBA). In addition, he has been an educator, speaker, and published author on several technology related topics including cybersecurity, artificial intelligence, machine learning, geographic information systems, database architecture, and business intelligence. The Director of IT Operations of the Manager has over 25 years of experience in network designs, information technology operations management and cybersecurity and has completed various certifications from Microsoft, Fortinet, Qualys, Agile, Kaseya, Veeam, and CompTIA. In addition to our cybersecurity policies, standards, processes and practices, our Adviser maintains cybersecurity policies, standards, processes and practices that are based on recognized security frameworks such as the National Institute of Standards and Technology cybersecurity framework and the Azure Security Benchmark. Our Adviser deploys technical safeguards that are designed to protect our Adviser s information systems from cybersecurity threats and completes internal and external assessments to identify potential cybersecurity threats and vulnerabilities and to identify and oversee cybersecurity risks presented by third parties. The Adviser s Director of Information Technology, in coordination with relevant personnel of the Adviser, work to conceive, implement, and monitor the effectiveness of a program designed to protect their information systems from cybersecurity threats and to promptly respond to any security incidents. The Adviser s Director of Information Technology will promptly notify the Adviser s General Counsel and senior management, including our President, of any cybersecurity events, with material cybersecurity events promptly communicated to the Audit Committee and publicly disclosed as deemed necessary. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. However, the risk of cybersecurity threats could be significant if the cyber-attack disrupts the Company s critical operations, service or financial systems. See Item 1A. Risk Factors Risks Related to Our Business and the Single-Family Rental Housing Market We are highly dependent on information systems and systems failures could significantly disrupt our business and Security breaches and other disruptions could compromise our information systems and expose us to liability, which would cause our business and reputation to suffer. 70 Table of Contents

Company Information