CIM Opportunity Zone Fund, L.P. 10-K Cybersecurity GRC - 2024-04-19

Page last updated on April 22, 2024

CIM Opportunity Zone Fund, L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-19 20:16:13 EDT.

Filings

10-K filed on 2024-04-19

CIM Opportunity Zone Fund, L.P. filed an 10-K at 2024-04-19 20:16:13 EDT
Accession Number: 0001765107-24-000019

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Fund s Cybersecurity Risk Management Approach The Fund utilizes and relies on CIM for its IT and IT administration. CIM s cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats, effective management of security risks and resiliency against incidents. CIM s cybersecurity risk management policies and procedures include, among other things: enterprise-wide hardware and software management and security controls employee training security assessments penetration testing security audits and ongoing risk assessments due diligence on, and monitoring and oversight of, key third-party providers vulnerability management and management oversight to assess, identify and manage material risks from cybersecurity threats. CIM s controls leverage the National Institute of Standards and Technology Cyber Security Framework. CIM also utilizes industry and government associations, the results from regular internal and third-party audits and other similar resources to inform its cybersecurity processes and to allocate resources. In addition, all CIM employees receive mandatory training on cybersecurity matters at such employee s new hire and annually thereafter, periodic training and information updates that address new cybersecurity threats and trends, and quarterly phishing and social engineering testing to evaluate the effectiveness of the cybersecurity training program and raise employee awareness of cybersecurity threats. In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For further discussion of cybersecurity risks, see Item 1A. Risk Factors Cybersecurity risks and cyber incidents may adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential information, and or damage to our business relationships, all of which could negatively impact the Fund. Management Oversight of Cybersecurity Risk Management CIM s internal processes require escalation of material cybersecurity risks to its management and its Cybersecurity Committee (the Committee ) for evaluation. The Committee consists of CIM s Chief Technology Officer (the CTO ), CIM s Chief Compliance Officer (the CCO ) as well as representatives from CIM s operations, compliance and accounting departments. The Committee is responsible for CIM s cybersecurity policy and overseeing the activities of CIM s cybersecurity practices, including assessing CIM s risks and controls. The Committee is chaired by the CTO and has more than 30 years experience in the field of information technology, cybersecurity and adjacent roles, including serving on cybersecurity advisory councils. In addition, members of the Committee have relevant industry experience in enterprise risk management and compliance. The team responsible for developing and implementing our cybersecurity program collectively holds an MS in Cybersecurity and Information Assurance and has multiple cybersecurity certifications, including CRISC, CISM, CISA, NCSP-NIST, CISSP, CASP+, CySA+ and Security+. The Committee has established a Cybersecurity Subcommittee (the Subcommittee ). The Subcommittee consists of, among other things, the CCO, the CTO, the chief financial officers of CIM companies that are subject to the SEC s cybersecurity rule adopted in 2023 and are managed by CIM. The Subcommittee is tasked with assisting CIM-managed companies that are subject to the SEC s cybersecurity rule adopted in 2023, including us, in complying with such cybersecurity rule. The Committee and Subcommittee each conduct both regular quarterly and as-needed meetings throughout the year during which members of the CIM s IT Department provide updates and report on meaningful cybersecurity risks, threats, incidents and vulnerabilities in accordance with the Committee s and the Subcommittee s respective reporting frameworks, as well as related priorities, mitigation and remediation activities, financial and employee resource levels, regulatory compliance, technology trends and third-party provider risks. To help inform this reporting framework, CIM maintains incident response plans and other policies and procedures designed to respond to, mitigate and remediate cybersecurity incidents based on the potential impact to CIM s business, IT systems, network or data, including data held by third parties, or to the IT or other critical services provided by third-party vendors and service providers. CIM s personnel responsible for cybersecurity policy comprises of individuals with either formal education and degrees in IT or cybersecurity, or with experience working in IT and cybersecurity, including relevant industry experience in security related industries. 44 Table of Contents We believe that the processes, policies and procedures established by the Committee and the Subcommittee provide guidance for consistent and effective incident handling and response and set standards for internal notifications and escalations, as well as external notification considerations with respect to a cybersecurity event or incident requiring disclosure or notification in accordance with applicable laws. Pursuant to CIM s cybersecurity policy, management of the Fund will be promptly notified of any material cybersecurity incident required to be disclosed under Item 105 of Regulation S-K and shall oversee the Fund s response to such matter.

Company Information