CaliberCos Inc. 10-K Cybersecurity GRC - 2024-04-15

Page last updated on April 16, 2024

CaliberCos Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-15 21:49:27 EDT.

Filings

10-K filed on 2024-04-15

CaliberCos Inc. filed a 10-K at 2024-04-15 21:49:27 EDT
Accession Number: 0001627282-24-000039


Item 1C. Cybersecurity.

Companies utilizing technology are subject to threats to or failures of any or all aspects of their cybersecurity programs, collectively cybersecurity risks. We take a comprehensive approach to cybersecurity risk management and take securing customer, employee and other data entrusted to us seriously. We have established standards, policies, procedures and practices for assessment, identification, and effective management of material cybersecurity risks. We devote significant resources to implement and maintain security measures appropriate to regulatory requirements and customer expectations, and we will continue making appropriate investments to maintain the security of our data.

We can provide no guarantee that our cybersecurity program, policies, and procedures will be completely effective in every instance, especially when it comes to the constantly evolving nature of cybersecurity threats. Our Risk Factors include further detail about the cybersecurity risks we face on an ongoing basis. We believe that risks from prior cybersecurity threats, including previous cybersecurity incidents, have not materially affected our business to date. We can provide no assurance that there will not be cybersecurity incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.

Risk Management and Strategy

Our approach for assessing, identifying, and managing material risks from cybersecurity threats is integrated into our overall risk management strategy and is based on commonly accepted frameworks established by the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and other applicable industry standards. Our cybersecurity program focuses on the following key areas:

Collaboration: Cybersecurity risks are identified and addressed comprehensively in a cross-functional approach. Key security, risk, and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information. We have controls and procedures in place to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and the Board in a timely manner.

Risk Assessment: We monitor and assess cybersecurity risks using the same cross-functional approach and since our cybersecurity program relies on certain third parties, these third parties are included in the assessment of cybersecurity risks. This approach drives alignment on the prioritization of initiatives to maintain our security controls.

Technical Safeguards: We deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated, adjusted and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.

Incident Response and Recovery Planning: We maintain appropriate incident response and recovery plans and periodically perform tests to evaluate the effectiveness of these plans. Our incident response and recovery plans include guidance to our employees, management, and the Board on response to cybersecurity incidents.

Third-Party Risk Management: We have appropriate controls designed to identify and mitigate cybersecurity risks associated with the use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We require our providers to meet appropriate security requirements, and we investigate security incidents that have impacted our third-party providers, as appropriate.

Education and Awareness: Employees are regularly reminded of the importance of handling and protecting customer and Company data. Employees receive appropriate policies and annual privacy and security training to enhance awareness and reinforce desired behaviors.

External Assessments: Our cybersecurity policies, standards, processes and practices are regularly assessed by third-party business partners, consultants and external auditors.

Vulnerability Assessments: We use third-party consultants who specialize in identifying and validating potential cybersecurity vulnerabilities to test our systems, networks, and applications. These may include penetration testing exercises to simulate real-world attack scenarios.

Expertise from Business Partners: We utilize business partners who possess deep cybersecurity expertise. They contribute to risk assessments, help refine our security architecture, and provide valuable insights into industry best practices.

Governance

Board Oversight

Our Board, through the Audit Committee, has oversight of our cybersecurity risk management program. The Audit Committee receives regular updates from management on cybersecurity risks and progress of risk reduction initiatives, and from external auditor feedback and relevant business partners.

Management's Role

Our Chief Operating Officer, who serves as the Company's designated chief information security officer (CISO) and our Director of Technology have primary responsibility for managing the Company's cybersecurity program on an ongoing basis. Our Director of Technology has served in various roles in information technology and information security for over 15 years. He holds an undergraduate degree in Computer Science. Our Chief Operating Officer and designated CISO has served in various roles in information technology and information security for over 20 years, including serving as the Chief Information Security Officer and/or Chief Security Officer at other publicly traded technology companies.


Company Information

Name: CaliberCos Inc.
CIK: 0001627282
SIC Description: Real Estate
Ticker: CWD - Nasdaq
Website
Category: Emerging growth company
Fiscal Year End: December 30