Chicago Atlantic Real Estate Finance, Inc. 10-K Cybersecurity GRC - 2025-03-12

Page last updated on March 12, 2025

Chicago Atlantic Real Estate Finance, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-12 07:00:28 EDT.

Filings

10-K filed on 2025-03-12

Chicago Atlantic Real Estate Finance, Inc. filed a 10-K at 2025-03-12 07:00:28 EDT
Accession Number: 0000950170-25-037616

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Assessment, Identification and Management of Material Risks from Cybersecurity Threats As an externally managed company, our business is highly dependent on the communications and information systems of our Manager, its affiliates and third-party service providers. We, in conjunction with our Manager, have adopted processes designed to identify, assess and manage material risks from cybersecurity threats which prioritizes detection and analysis of and response to known, anticipated, or unexpected threats, effective management of security risks and resilience against cyber incidents. The Manager’s cybersecurity program is aligned to the National Institute of Standards of Technology (NIST) Cybersecurity Framework. Our Manager’s cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services, which include tools and services from third-party providers, and management oversight to assess, identify and manage risk from cybersecurity. Our Manager has implemented and continues to implement procedures to address internal and external threats to the security, confidentiality, integrity and availability of our and our Manager’s data and systems along with other material risks to operations and information of our shareholders and other third parties who entrust us with their sensitive information. As part of its collective risk management process, our Manager engages a third party information technology consultant (“IT Consultant “) to evaluate risks associated with the Manager’s information and technology system(s), network and physical devices. Our Manager’s cybersecurity risk management and awareness programs include periodic identification and testing of vulnerabilities, regular phishing simulations and annual general cybersecurity awareness and data protection training including for employees of our Manager. Our Manager also has annual certification requirements for employees, including employees who provide services to us pursuant to our Management Agreement with respect to certain policies supporting the cybersecurity program including Chicago Atlantic’s Information Security and Electronic Communications policy, Data Protection Policy and Privacy Policy. Our Manager undertakes periodic internal security reviews of our information systems and related controls, including systems affecting personal data and the cybersecurity risks of our Manager and our critical third-party vendors and other partners. Our Manager also completes periodic external reviews of its cybersecurity program and practices, which include assessments of relevant data protection practices and targeted attack simulations. Material Impact of Risks from Cybersecurity Threats As of the date of this report, we have not experienced a material information security breach incident and the expenses we have incurred from information security breach incidents have been immaterial , and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, future incidents could have a material impact on our business strategy, results of operations or financial condition. For additional discussion of the risks posed by cybersecurity threats, see “Item 1A. Risk Factors- General Risk Factors-We rely on information technology in our operations, and security breaches and other disruptions in our systems could compromise our information and expose us to liability, which would cause our business and reputation to suffer.” Governance and Oversight of Cybersecurity Risks Our cybersecurity program is managed by IT Manager and our IT consultant , which together, are responsible for enterprise-wide cybersecurity strategy, policies, standards, engineering, architecture and processes. The team is led by our Manager’s IT Manager who has a bachelo r’s degree in Information Systems from Xavier University and over 15 years o f experience advising on and managing risks from cybersecurity threats as well as developing and implementing cybersecurity policies and procedures for financial services companies. Our board of directors has responsibility for the direction and oversight of our risk management. Our board of directors administers this oversight function directly, with support from its committees. In particular, the audit committee of our board of directors (the “audit committee”) has the responsibility to consider and discuss our major financial risk exposures and the steps our Manager takes, or is required to take, to monitor and control these exposures, including guidelines and policies to govern the process by which risk assessment and management is undertaken. Our audit committee also monitors compliance with legal and regulatory requirements. With respect to cybersecurity, the audit committee engages in discussions with management regarding the Company’s significant financial risk exposures and the measures implemented to monitor and control these risks, including those that may result from material cybersecurity threats. In addition, employees of our Manager and/or the IT Consultant will brief the audit committee on the Manager’s information security program and cybersecurity risks at least annually, and will brief the audit committee as needed in connection with any potentially material cybersecurity incidents affecting the Company. Annual briefings of the audit committee by employees of the Manager and/or the IT Consultant may include topics such as risk assessment, risk management and control decisions, service provider arrangements, test results, security incidents and responses, and recommendations for changes and updates to policies and procedures. 60

Company Information