ExchangeRight Income Fund 10-K Cybersecurity GRC - 2024-04-11

Page last updated on April 11, 2024

ExchangeRight Income Fund reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-11 10:17:37 EDT.

Filings

10-K filed on 2024-04-11

ExchangeRight Income Fund filed an 10-K at 2024-04-11 10:17:37 EDT
Accession Number: 0000950170-24-043546

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. As a real estate company with hundreds of properties located across the United States, we guard against a multitude of cybersecurity risks that range from threats common to most industries, such as ransomware and denial-of-service, to threats from more advanced, persistent, or organized actors, including those acting on behalf of nation-states that target critical infrastructure sectors. Tenants, lenders, suppliers, subcontractors, and equity partners throughout the industry face similar cybersecurity risks, and a cybersecurity incident impacting us or a related entity could materially adversely affect operations, performance, or operating results. These and related risks make it imperative that we vigilantly tend to the social, physical, and logical aspects of our cybersecurity. Identifying, assessing, and mitigating cybersecurity and related risks are disciplines we integrate into our overall enterprise risk management ( ERM ) process. To the extent our ERM process identifies any relevant heightened cybersecurity related threat, we assign risk owners to develop mitigation plans, which we then track until full execution. The Company is committed to the ongoing development and implementation of stringent processes to oversee and manage the risks associated with third-party service providers. Our policy is to conduct thorough security assessments of key third-party service providers prior to engagement, and to ensure compliance with our cybersecurity standards. Monitoring includes quarterly security assessments and annual evaluation of security controls. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties. Notwithstanding our commitment to high standards for cybersecurity, we may not always be successful in preventing a potential cybersecurity incident that could have a material adverse effect. See Item 1A. Risk Factors for a discussion of cybersecurity risks. Governance Oversight by Key Principals The Key Principals are the sole managers of ExchangeRight, which is the sole member and manager of our Trustee, and, accordingly, act as the directors of the Company. The Key Principals oversee management s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. The Key Principals are acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Key Principals are committed to effective governance in managing risks associated with cybersecurity in order to uphold operational integrity and stakeholder confidence. Management s Role in Assessing and Managing Cybersecurity Risk The Chief Operating Officer of ExchangeRight (the COO ) oversees our information security team, which is responsible for our overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. The COO has information technology and program management experience, and has served many years overseeing our information security strategy. The information security team manages and continually enhances an enterprise security structure with the ongoing goal of mitigating cybersecurity risks to the extent feasible, while increasing our system resilience in an effort to minimize any potential business impact. Employees outside of our information security team also have a role in our cybersecurity defenses, and they are immersed in a corporate culture committed to security. The COO notifies the Key Principals of our cybersecurity and information security posture as appropriate and the Key Principals are apprised of cybersecurity incidents deemed to have any relevant business impact. The Key Principals, COO, our Chief Financial Officer, and our Executive Managing Principal maintain an open dialogue regarding emerging or potential cybersecurity risks. The COO keeps them appraised of updates on any significant developments in the cybersecurity domain, ensuring the Key Principals oversight is both proactive and responsive. 51 The COO is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The COO oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the information security team is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. Key Management Personnel As disclosed above, the primary responsibility for our overall information security strategy and directive resides with our COO, Louis Swingrover, with reliance on our information security team. With over 25 years of cumulative experience in the field, our information security team brings a wealth of expertise to our organization. The team includes individuals with backgrounds in Information Technology, Data Science, Enterprise Applications, and Business Development. Their in-depth knowledge and expertise are instrumental in developing and executing our cybersecurity strategies. Risks from Cybersecurity Incidents To date, we have not encountered a cybersecurity incident that has materially impaired our operations or financial condition.

Company Information