NewLake Capital Partners, Inc. 10-K Cybersecurity GRC - 2025-03-06

Page last updated on March 6, 2025

NewLake Capital Partners, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-06 17:28:34 EST.

Filings

10-K filed on 2025-03-06

NewLake Capital Partners, Inc. filed a 10-K at 2025-03-06 17:28:34 EST
Accession Number: 0001854964-25-000004

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We employ a risk management strategy for the assessment, identification and management of material risks stemming from cybersecurity threats. Our methodologies involve a systematic evaluation of potential threats, vulnerabilities, and their potential impacts on our organization’s operations, data, and systems. Our cybersecurity risk management program includes: - Risk assessments designed to help identify material cybersecurity risks to our critical systems, and our IT environment; - The use of third-party service providers to assess, test or otherwise assist with aspects of our security controls; - Cybersecurity awareness training of our employees and senior management through the use of third-party providers for regular mandatory trainings; - A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and - We design and assess our program using the National Institute Cybersecurity Framework (“NIST CSF”) as a set of guiding principles. Our third-party service providers are primarily responsible for the security of their own information technology environments and in certain instances we rely significantly on third-party service providers to supply and store our sensitive data in a secure manner. All of these third parties face potential risks relating to cybersecurity similar to ours which could disrupt their businesses and therefore adversely impact us. While we provide guidance and specific requirements in some cases, we do not directly control any of these parties’ information technology security operations, or the amount of investment they place in guarding against cybersecurity threats. Accordingly, we are subject to any flaw or breaches to their information technology systems, or those which they operate for us, which could have a material adverse effect on our financial condition or results of operations. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors - The occurrence of cyber incidents or cyberattacks could disrupt our operations, result in the loss of confidential information and/or damage our business relationships and reputation. Governance Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (the “Committee”) oversight of cybersecurity and other information technology risks. The Committee oversees management’s implementation of our cybersecurity risk management program. The Committee receives periodic reports from management on our potential cybersecurity risks and threats and receives presentations on cybersecurity topics. In addition, management oversees and identifies such risks from cybersecurity threats associated with our use of third-party service providers and works collaboratively with our third-party providers to test our systems security processes and prevent, monitor, detect, mediate and remediate cybersecurity threats and incidents, and will report such threats and incidents to the Audit Committee when appropriate. The Committee reports to the full board of directors regarding its activities, including those related to cybersecurity. 43 Our Chief Executive Officer , Anthony Coniglio, leads our cybersecurity risk assessment and management processes. Mr. Coniglio is an experienced risk management professional.Mr. Coniglio has served as our Chief Executive Officer, President and Chief Investment Officer, overseeing risk management activities. Previously, Mr. Coniglio was the Chief Executive Officer of Primary Capital Mortgage Company (“PCM”), a residential mortgage company, where he was responsible for overseeing information technology, including cybersecurity, for the highly regulated business. Mr. Coniglio currently serves on the board of St. Mary’s Hospital for Children, as chair of the IT & cybersecurity committee and chair of the audit committee. Mr. Coniglio oversees the development and enhancement of internal controls designed to prevent, detect, address, and mitigate the risk of cyber incidents. Since 2021, we have retained a third-party information technology provider to develop and maintain our information technology infrastructure, cloud network, and assist in the development of cybersecurity and information technology policies. Our third-party provider is MSPAlliance(R) Cyber Verified, which has been examined by an independent third-party public accounting firm and has successfully met the applicable 10 control objectives and underlying controls and requirements. Management plays a key role in incorporating cybersecurity risk considerations into our boarder risk management framework and ensuring that essential priorities are communicated to the appropriate personnel. Management is responsible for approving cybersecurity processes, reviewing cybersecurity assessments and other cybersecurity-related matters, and responding to cybersecurity incidents, including but not limited to reporting cybersecurity incidents to the audit committee as described above. Our management team also evaluates the potential impact of cybersecurity incidents. If any such incidents should occur, management’s evaluation considers factors such as the nature. scope and materiality of the incident, and its effects on the Company’s operations. As of the date of this Annual Report on Form 10-K, we have not identified of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

Company Information