Greystone Housing Impact Investors LP 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

Greystone Housing Impact Investors LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 08:46:05 EST.

Filings

10-K filed on 2025-02-20

Greystone Housing Impact Investors LP filed a 10-K at 2025-02-20 08:46:05 EST
Accession Number: 0000950170-25-023761

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy Partnership management considers risks from cybersecurity threats as a component of its entity-wide risk assessment that includes various processes and procedures to assess, identify, and manage material risks. The Partnership uses a variety of information technology solutions in the operation of its business, all of which are maintained by reputable third-party providers, including an information technology managed services system provider that is an affiliate of Greystone. Management regularly communicates with the Greystone affiliate regarding the information technology managed services system including ongoing threats or cybersecurity incidents, monitoring of third-party vendors used by the Greystone affiliate, and review of System and Organization Controls assurance reports. Risk management processes in place at the Greystone affiliate include an annual cybersecurity risk assessment, third-party network security assessments, continuous employee training, regular internal information technology audits, and ongoing threat monitoring. Management regularly reviews material technology services used, the population of technology service providers, and material and/or sensitive financial and operational data, and then assesses the material risks from cybersecurity threats associated with these items. Management has developed processes, procedures, and internal controls to address materials risks focusing on application security (levels of access, passwords, etc.), system change controls, and operations processing. The design and operating effectiveness of internal controls are subject to testing annually by the Partnership’s internal audit function. Management has also developed procedures to assess the operations and internal controls of material service providers through questionnaires, inquiries, reviews of available policy statements, and evaluation of System and Organization Controls assurance reports, which are assessed in the aggregate to determine if the service providers have adequately addressed the risks of cybersecurity threats within their operations. The overall assessment includes an evaluation of a service provider’s breach notification policies and procedures and any reported cybersecurity incidents. Management is not aware of any cybersecurity incidents at any of its service providers that have materially affected or are reasonably likely to materially affect the Partnership’s operations. Notwithstanding the extensive approach the Partnership takes to cybersecurity in conjunction with Greystone, the Partnership may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on the Partnership. See " Item 1A. Risk Factors ," for a discussion of cybersecurity risks. Governance Certain employees of Greystone Manager that provide services to the Partnership are responsible for assessing and managing material risks from cybersecurity threats and are overseen by the Partnership’s Chief Financial Officer. The Chief Financial Officer and relevant Greystone Manager employees collectively have over 20 years of experience in information technology risk assessment and audit evaluations. These individuals will also consult with experts from Greystone’s affiliate that provides information technology managed services systems, particularly the Chief Information Security Officer of the Greystone affiliate, when assessing and evaluating risks of cybersecurity threats. These consultations with the Chief Information Security Officer typically encompass a broad range of 44 topics, including the current cybersecurity landscape and emerging threats; the status of ongoing cybersecurity initiatives and strategies; incident reports and learnings from any cybersecurity events; and compliance with regulatory requirements and industry standards. The Greystone affiliate’s Chief Information Security officer and Information Security Committee (made up of key information technology personnel) are responsible for establishing, maintaining, and monitoring the cybersecurity ecosystem at the Greystone affiliate. The Chief Information Security Officer and Information Security Committee together have over 25 years of experience in information technology managed services systems and cybersecurity. The Partnership has established incident response procedures to be followed in the event of a cybersecurity incident that is overseen by the Partnership’s Chief Executive Officer and Chief Financial Officer. The Chief Executive Officer and the Chief Financial Officer are notified of cybersecurity incidents as soon as the Partnership receives notification from a third-party service provider or is informed by other means, and will determine if additional internal and/or external resources are needed to evaluate , mitigate, and remediate the cybersecurity incident. At a minimum, the Board of Managers will be notified of material cybersecurity incidents prior to any public announcement and will receive updates on material developments and remediation activities. The Board of Managers considers risks from cybersecurity threats in conducting its oversight of the Partnership’s overall risk assessment, primarily through the activities of the Audit Committee of the Board of Managers. The Chief Financial Officer reports to the Audit Committee the results of the evaluation of risks from cybersecurity threats, the process, procedures and internal controls designed to address such risks, and other relevant information needed for the Audit Committee to operate its oversight responsibilities. The Partnership’s internal audit function reports to the Audit Committee annually the results of its assessment of design and operating effectiveness testing of internal controls. In addition, the Audit Committee conducts an annual review of the Partnership’s cybersecurity posture and the effectiveness of its risk management strategies. This review assists in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework of the Partnership. Additional third parties, contracted with by our third-party service providers, also play a role in the Partnership’s overall cybersecurity. Our third-party service providers engage with a range of additional third-party service providers and external experts, including cybersecurity assessors, consultants, and auditors, to evaluate and test their risk management systems. These services include, but are not limited to, penetration testing, independent audits, and consulting on best practices to address new challenges, and also include testing both the design and operational effectiveness of our security controls. These engagements enable our service providers to leverage specialized knowledge and insights, ensuring cybersecurity strategies and processes remain at the forefront of industry best practices. Risks from Cybersecurity Incidents The Partnership has not encountered, to its knowledge, a cybersecurity incident that has materially impaired, or is reasonably likely to materially impair, our business strategy, operations, or financial condition. There can be no assurance that such effects may not occur in the future.

Company Information