Woodbridge Liquidation Trust 10-K Cybersecurity GRC - 2024-09-27

Page last updated on September 27, 2024

Woodbridge Liquidation Trust reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-27 17:13:40 EDT.

Filings

10-K filed on 2024-09-27

Woodbridge Liquidation Trust filed a 10-K at 2024-09-27 17:13:40 EDT
Accession Number: 0001140361-24-042225

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy The Company maintains IT general controls to identify, assess, monitor and control current and future potential risks, which include cybersecurity risks. The Company’s cybersecurity program is generally designed to prevent, identify, and respond to security incidents and threats in a timely manner to minimize the loss or compromise of sensitive information and to ensure regulatory compliance as applicable. The program is reasonably designed to protect our information, and that of our Interestholders, from unauthorized access and is based on recognized frameworks established by the National Institute of Standards and Technology. The Company engages consultants, or other third parties, in connection with our risk assessment processes. These service providers assist us in designing and implementing cybersecurity policies and procedures, as well as to monitor and test our safeguards. The Company has a risk management program designed to assess risks associated with third-party providers based on the services they provide and the data they have access to. Our process for assessment of risks includes evaluation of our processes and data types, classification of data types by risks related to privacy, confidentiality and availability, and identification of internal parties and external vendors with access to these risks. Risk management includes access administration, change management, and data center operations considerations practiced internally and assessed for appropriateness in our vendor review process, which includes review of the System and Organization Controls (“SOC”) reports and IT audit testing for requirements which are not covered by SOC reports. In addition to quarterly reporting to the Cybersecurity Committee, the Company has protocols by which certain security incidents are escalated within the Company and, where appropriate, reported in a timely manner to both the Cybersecurity and Audit Committees. All employees with network access receive cybersecurity awareness training. The Company maintains a cyber insurance policy with a one-million-dollar aggregate limit. The coverage includes network security and privacy liability, regulatory investigations, fines and penalties, media liability, breach management expenses, business interruption, contingent business interruption, digital asset destruction, data retrieval and system restoration, system failure coverage, social engineering and cyber-crime coverage, reputational loss coverage, cyber extortion and ransomware coverage, breach response and remediation expenses and court attendance costs. As of the date of this filing, we have not encountered cybersecurity challenges that have materially impaired our operations or financial standing and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our operations or financial standing. However, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our operations or financial standing. For additional information regarding risks from cybersecurity threats, please refer to “Item 1A “Risk Factors,” in this annual report on Form 10-K. The Board’s Oversight of Cybersecurity Risk The Supervisory Board has delegated governance and oversite of cybersecurity matters to the Cybersecurity Committee. The sole member of the Cybersecurity Committee is M. Freddie Reiss. The Cybersecurity Committee’s responsibilities include reviewing and discussing with management the Company’s privacy and data security, including cybersecurity, risk exposures, policies and practices, and the steps management has taken to detect, monitor and control such risks and the potential impact of those exposures on our business, financial results, operations, and reputation. Part I Item 1C. Cybersecurity (Continued) The Cybersecurity Committee will receive prompt updates from officers regarding material cybersecurity incidents that come to management’s attention. The Cybersecurity Committee will receive quarterly updates which address relevant cybersecurity issues and risks, if any. These reports are provided by the officers of the Wind-Down Entity, which include our Chief Executive Officer and Chief Operating Officer. Management’s Involvement in Cybersecurity Risk Oversight Officers of the Wind-Down Entity are responsible for establishing the policies, standards, and requirements for the security of computing and network environments, protecting against the risk of unauthorized access by monitoring potential security threats, and overseeing the execution of corrective actions, including third party vendor compliance. The Company has engaged a third-party IT provider to manage our internal network and provide cybersecurity incident prevention and detection. This IT provider is an audit certified vendor (CISA) that evaluates and advises management on cybersecurity issues. The Company’s officers report significant cybersecurity risks and incidents directly to the Cybersecurity Committee and Audit Committee on a quarterly basis or more frequently if warranted under the circumstances. SEC Reporting If a cyber incident is identified, the Company will conduct an objective analysis of both quantitative and qualitative factors to determine if the cyber incident is material. An incident is considered material if there’s a substantial likelihood that a reasonable Interestholder would consider it important. If a cyber incident is identified, the Company will assess materiality on a timely basis. If the incident is determined material, the company will file a Form 8-K within four business days of determining the event was material. The disclosure would include the material aspects of the incident’s nature, scope, and timing as well as the material impact on the Company. Financial reports (10-Q and 10-K) will include disclosure of cybersecurity risks, governance, and any material incidents. The cybersecurity disclosures are reviewed and approved by the Cybersecurity Committee, Audit Committee, the officers of the Wind-Down Entity, and the Liquidation Trustee as part of the overall approval of all applicable 8-K, 10-Q and 10-K filings. Part I
Item 1C. Cybersecurity (Continued) The Cybersecurity Committee will receive prompt updates from officers regarding material cybersecurity incidents that come to management’s attention. The Cybersecurity Committee will receive quarterly updates which address relevant cybersecurity issues and risks, if any. These reports are provided by the officers of the Wind-Down Entity, which include our Chief Executive Officer and Chief Operating Officer. Management’s Involvement in Cybersecurity Risk Oversight Officers of the Wind-Down Entity are responsible for establishing the policies, standards, and requirements for the security of computing and network environments, protecting against the risk of unauthorized access by monitoring potential security threats, and overseeing the execution of corrective actions, including third party vendor compliance. The Company has engaged a third-party IT provider to manage our internal network and provide cybersecurity incident prevention and detection. This IT provider is an audit certified vendor (CISA) that evaluates and advises management on cybersecurity issues. The Company’s officers report significant cybersecurity risks and incidents directly to the Cybersecurity Committee and Audit Committee on a quarterly basis or more frequently if warranted under the circumstances. SEC Reporting If a cyber incident is identified, the Company will conduct an objective analysis of both quantitative and qualitative factors to determine if the cyber incident is material. An incident is considered material if there’s a substantial likelihood that a reasonable Interestholder would consider it important. If a cyber incident is identified, the Company will assess materiality on a timely basis. If the incident is determined material, the company will file a Form 8-K within four business days of determining the event was material. The disclosure would include the material aspects of the incident’s nature, scope, and timing as well as the material impact on the Company. Financial reports (10-Q and 10-K) will include disclosure of cybersecurity risks, governance, and any material incidents. The cybersecurity disclosures are reviewed and approved by the Cybersecurity Committee, Audit Committee, the officers of the Wind-Down Entity, and the Liquidation Trustee as part of the overall approval of all applicable 8-K, 10-Q and 10-K filings. Part I

Company Information