Page last updated on February 19, 2025
BrightSpire Capital, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 16:22:34 EST.
Filings
10-K filed on 2025-02-19
BrightSpire Capital, Inc. filed a 10-K at 2025-02-19 16:22:34 EST
Accession Number: 0001717547-25-000008
Item 1C. Cybersecurity.
We consider our information technology (“IT”) and information systems to be valuable and vital assets that must be protected as such. We maintain a series of policies and supporting procedures designed to help ensure the security and confidentiality of our IT and information systems and to help ensure that they are properly protected from a variety of threats such as error, fraud, embezzlement, sabotage, terrorism, extortion, industrial espionage, service interruption, and natural disaster. Information is protected according to its sensitivity, value, and criticality, with particular focus given to protecting confidential information, such as personal identifying information, unpublished financial results and other data deemed proprietary to us. Our cybersecurity network, including management, employees and service providers, prioritizes protecting and otherwise managing our information assets, and recognizes that information security is an important part of our business.

Our cybersecurity risk management program is a key component of our broader enterprise risk management (“ERM”) infrastructure. Cybersecurity and information security, administered by our Head of IT and BrightSpire IT Partner (each, as defined below), is a key component of our broader ERM program, which includes diverse internal management, financial reporting, legal, compliance and risk management controls, policies and procedures primarily under the supervision of senior management. The results of our ERM layers of management control, risk control and compliance oversight and independent assurances are reviewed with senior management, our Audit Committee (independent directors, primarily responsible for oversight of our overall risk profile and risk management policies) and Board of Directors quarterly. We have focused on the following cybersecurity initiatives.

- Responsible Parties: We engaged a global leader in end-to-end IT solutions (the “BrightSpire IT Partner”) to advance and maintain a comprehensive cybersecurity program. Our cybersecurity program is designed to leverage certain information security standards, such as those issued by the National Institute of Standards and Technology and the International Organization for Standardization. We also have a dedicated senior employee to lead IT (“Head of IT”) oversight and functions, together with our Chief Financial Officer and General Counsel (together, the “Information Security Group”) and the aforementioned BrightSpire IT Partner. Benefits provided by the Head of IT and BrightSpire IT Partner include a significant reduction in critical vulnerabilities, cost-effective governance and risk services, current expertise and awareness to model, adapt to and mitigate new threats, leverage of internal team resources to focus on business priorities, and addressing evolving regulatory requirements. Our response plans require prompt notification to the Information Security Group in the event of a significant cybersecurity incident and prompt briefings on further developments as appropriate. Other members of management and team leaders assist in incident response efforts as well.
- Cybersecurity Risk Management (“CRM”) Program: The CRM program includes: (i) implementation of hardware and software infrastructure, primarily cloud based; (ii) a “security first” approach to policies, processes and procedures (including general IT and security, information security, business continuity and incident response policies and plans); (iii) employee education, training and periodic testing and patching; and (iv) assessments of internal resources and diligence of external vendors and systems. Business continuity, disaster recovery and incident response procedures prioritize constant communication and follow a multi-step program including identification, preparation, implementation and resolution.
- Cloud Services: We maintain our company data and communication services with a leading cloud-based service provider, security systems and protected environment. Employees working from home may only connect and conduct business activities through a virtual private network (VPN).
- Security First Approach: Our cloud-based systems take a security first approach, including: (i) Perimeter Security (firewalls, antivirus, malware); (ii) Network Security (secure remote access, network patch management); (iii) Application Security (patch management, multi-factor authentication); (iv) Endpoint Security (email security/encryption, web filtering & URL defense, mobile device management); and (v) Data Security.

Cybersecurity Systems Review.

We regularly review our cybersecurity systems, policies and procedures through a series of channels, including but not limited to our Audit Committee and Board of Directors, the BrightSpire IT Partner, our internal Information Security Group, our internal financial auditor and outside counsel.

- Our Audit Committee and Board of Directors play an active role in reviewing our cybersecurity initiatives. The BrightSpire IT Partner provides our Board an annual review of our cybersecurity governance and risk management program and security metrics relevant to the period in review, and provides the Audit Committee and Board updates regarding the cybersecurity threat landscape. In coordination with the Information Security Group, the General Counsel provides reports of significant cybersecurity incidents and cybersecurity threats (if any) at each quarterly meeting of the Audit Committee and Board, or ad hoc as appropriate.
- The BrightSpire IT Partner has established itself as a provider of managed services and technology solutions for over two decades, providing 24/7 oversight and services, including continuous testing and vulnerability scanning. The BrightSpire IT Partner also performs annual due diligence of key vendors on a rotating basis (including System and Organization Controls (SOC) report reviews, or alternatively solicits detailed questionnaires to evaluate such vendors' cybersecurity preparedness and protections).
- Our Head of IT has over two decades of experience in IT and cybersecurity work and developed and implemented our cybersecurity program with the BrightSpire IT Partner. Together with our Head of IT, the Information Security Group considers current cybersecurity trends and threats, including through discussions with the BrightSpire IT Partner, outside cybersecurity counsel, our independent financial auditor and internal auditor. The Information Security Group undertakes table-top business disruption, disaster recovery and related response strategies and plans on a periodic basis and seeks to review and update applicable policies and procedures at least annually.

No Material Incidents.

As of December 31, 2024, we have not experienced any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents or threats, that have materially affected the business strategy, results of operations or financial condition of the Company or are reasonably likely to have such a material effect. Since inception in January 2018, we are not aware of any cybersecurity or information security incidents that have materially affected us to date. We have not incurred any expenses due to material information security incident penalties or settlements. However, evolving cybersecurity threats make it increasingly challenging to anticipate, detect, and defend against cybersecurity threats and incidents.

Refer to the risk factor “We are highly dependent on information systems and third-parties, and system failures or cybersecurity incidents incurred by us or the third-parties that we rely on could significantly disrupt our ability to operate our business.” in the section entitled “Risk Factors-Risks Related to Our Company and Our Structure” for more information regarding our cybersecurity risks.

Cyber Liability Insurance.

Through consultant-driven data, analytics and peer benchmarking, we secured and maintain specific coverage to mitigate certain losses associated with cyber-attacks and other information security incidents, addressing both first-party and third-party losses from incident response, including, for example, cyber extortion, data loss, business interruption, contingent business interruption, regulatory penalties, media liability, social engineering coverage, system failures and bricking/hardware replacement.
Company Information
| Field | Value |
| --- | --- |
| Name | BrightSpire Capital, Inc. |
| CIK | 0001717547 |
| SIC Description | Real Estate Investment Trusts |
| Ticker | BRSP - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |