ExchangeRight Income Fund 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

ExchangeRight Income Fund reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 12:00:47 EST.

Filings

10-K filed on 2025-02-27

ExchangeRight Income Fund filed a 10-K at 2025-02-27 12:00:47 EST
Accession Number: 0000950170-25-028554

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. As a real estate company with hundreds of properties located across the United States, we guard against a multitude of cybersecurity risks that range from threats common to most industries, such as ransomware and denial-of-service, to threats from more advanced, persistent, or organized actors, including those acting on behalf of nation-states that target critical infrastructure sectors. Tenants, lenders, suppliers, subcontractors, and equity partners throughout the industry face similar cybersecurity risks, and a cybersecurity incident impacting us or a related entity could materially adversely affect operations, performance, or operating results. These and related risks make it imperative that we vigilantly tend to the social, physical, and logical aspects of our cybersecurity. Identifying, assessing, and mitigating cybersecurity and related risks are disciplines we integrate into our overall enterprise risk management (“ERM”) process. Our ERM process and cybersecurity policies are based on the National Institute of Standards and Technology and Consensus Audit Guidelines. As part of our process, we complete continuous vulnerability scanning, end point detection and response, employee cybersecurity awareness training, and security monitoring. To the extent our ERM process identifies any relevant heightened cybersecurity related threat, we assign risk owners to develop mitigation plans, which we then track until full execution aligned with our Incident Response Plan. The Company is committed to the ongoing development and implementation of stringent processes to oversee and manage the risks associated with third-party service providers. Our policy is to conduct thorough security assessments of key third-party service providers prior to engagement , and to ensure compliance with our cybersecurity standards. Monitoring includes quarterly security assessments and annual evaluation of security controls. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties. Notwithstanding our commitment to high standards for cybersecurity, we may not always be successful in preventing a potential cybersecurity incident that could have a material adverse effect. See " Item 1A. Risk Factors " for a discussion of cybersecurity risks. Governance Oversight by Key Principals The Key Principals are the sole managers of ExchangeRight, which is the sole member and manager of our Trustee, and, accordingly, act as the directors of the Company . The Key Principals oversee management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. The Key Principals are acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Key Principals are committed to effective governance in managing risks associated with cybersecurity in order to uphold operational integrity and stakeholder confidence. Management’s Role in Assessing and Managing Cybersecurity Risk ExchangeRight’ s Senior Information Technology and Enterprise Applications Manager leads our information security team , which is responsible for developing and executing our enterprise-wide cybersecurity strategy. With over 13 years of experience in information technology, security strategy, program management, and internal controls, our information security team brings extensive expertise in evaluating, implementing, and overseeing security initiatives that protect our organization from cyber threats. The information security team’s background includes information technology governance, risk management & compliance, security controls, and enterprise application security, ensuring our systems align with best practices and regulatory standards. As a control owner for Information Technology General Controls (“ITGCs”), they oversee security reviews, change management processes, and system integrity for critical applications, such as enterprise resource planning (“ERP”) and enterprise software solutions. Additionally, they have played a key role in architecting and managing secure 52 operational workflows, leading ERP implementations, and ensuring compliance with internal controls over financial reporting, pursuant to Section 302 of the Sarbanes-Oxley Act, and audit requirements. Under their leadership, the information security team continuously strengthens our enterprise security posture, mitigating cyber risks while enhancing system resilience to minimize business disruptions. Recognizing that cybersecurity is a shared responsibility, they foster a corporate culture of security awareness and accountability, ensuring that employees beyond the security team remain vigilant against evolving cyber threats. The Senior Information Technology and Enterprise Applications Manager notifies the Key Principals of our cybersecurity and information security posture as appropriate and the Key Principals are apprised of cybersecurity incidents deemed to have any relevant business impact. The Key Principals, Senior Information Technology and Enterprise Applications Manager, our Chief Financial Officer, Chief Accounting Officer, and our Executive Managing Principal maintain an open dialogue regarding emerging or potential cybersecurity risks. The Senior Information Technology and Enterprise Applications Manager keeps them appraised of updates on any significant developments in the cybersecurity domain, ensuring the Key Principals’ oversight is both proactive and responsive. The Senior Information Technology and Enterprise Applications Manager is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The Senior Information Technology and Enterprise Applications Manager oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the information security team is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. Key Management Personnel As disclosed above, the primary responsibility for our overall information security strategy and directive resides with our Senior Information Technology and Enterprise Applications Manager with reliance on our information security team . With over 50 years of cumulative experience in the field, ExchangeRight ’ s information security team brings a wealth of expertise to our organization. The team includes individuals with backgrounds in Information Technology, Data Science, Enterprise Applications, and Business Development. Their in-depth knowledge and expertise are instrumental in developing and executing our cybersecurity strategies . Risks from Cybersecurity Incidents To date, we have not encountered, to our knowledge, a cybersecurity incident that has materially impaired, or is reasonably likely to materially impair, our operations or financial condition . There can be no assurance that such effects may not occur in the future.

Company Information