Cohen & Steers Income Opportunities REIT, Inc. 10-K Cybersecurity GRC - 2025-03-13

Page last updated on March 14, 2025

Cohen & Steers Income Opportunities REIT, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-13 16:09:07 EDT.

Filings

10-K filed on 2025-03-13

Cohen & Steers Income Opportunities REIT, Inc. filed a 10-K at 2025-03-13 16:09:07 EDT
Accession Number: 0001939433-25-000041


Item 1C. Cybersecurity.

Risk Management and Strategy

We are externally managed by the Advisor, a subsidiary of Cohen & Steers. Representatives of the Company and the Advisor operate the Company’s business through Cohen & Steers’ information systems. Our business depends on the effectiveness of our and Cohen & Steers’ information and cybersecurity policies and procedures to protect our and Cohen & Steers’ network and telecommunications systems and the data that reside in or are transmitted through such systems. Cybersecurity is a crucial component of our risk management program and of Cohen & Steers’ enterprise risk management program. Cohen & Steers has implemented and maintains various information security processes designed to identify, assess and manage material risks from cybersecurity threats to its critical computer networks, third-party hosted services, communications systems, hardware and software and critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature and information relating to Advisor clients and investments.
Cohen & Steers’ cybersecurity risk management function is led by its Cybersecurity Management team which is composed of its Chief Information Security Officer (“CISO”), Chief Technology Officer (“CTO”), members of its Information Technology (“IT”) department as well as members of its Legal and Compliance departments. Its Cybersecurity Management team is primarily responsible for developing, implementing and monitoring its cybersecurity program and reporting on cybersecurity matters to Cohen & Steers’ senior management as well as our audit committee, on behalf of our Board.
Members of Cohen & Steers’ Cybersecurity Management team identify and assess risks from cybersecurity threats by monitoring its threat environment and enterprise risk profile using various manual and automated tools as well as by: (i) utilizing shared information about vulnerabilities and exploits from professional security organizations, reports or other services that identify cybersecurity threats and through the use of external intelligence feeds; (ii) analyzing reports of threats and actors; (iii) conducting periodic vulnerability scans of Cohen & Steers’ IT environment; (iv) evaluating Cohen & Steers’ and its industry’s risk profile; (v) evaluating threats that are reported to Cohen & Steers; (vi) coordinating with law enforcement concerning threats; (vii) conducting internal and external audits of Cohen & Steers’ information security control environment and operating effectiveness; and (viii) conducting threat assessments for internal and external threats, including through the use of third party threat assessments and vulnerability threat assessments. 
Cohen & Steers has implemented and maintains various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats, including:
- technical and physical safeguards: (i) real-time security information and event monitoring of systems, workstations, servers and networks, and periodic internal and external vulnerability scans; (ii) asset management tracking and disposal; (iii) incident detection and response; (iv) data encryption; (v) notification monitoring from Cohen & Steers’ personnel and from third parties regarding issues and signs of potential incidents; and (vi) logical access controls and network security controls; and
- organizational safeguards: (i) incident response plans that address Cohen & Steers’ response to a cybersecurity incident; (ii) personnel and vendors dedicated to overseeing Cohen & Steers’ cybersecurity program; (iii) periodic mandatory employee cybersecurity training; (iv) periodic risk assessments and testing of Cohen & Steers’ policies, standards, processes and practices designed to address cybersecurity threats and incidents; (v) policies and programs such as security standards, a vendor risk management program, a vulnerability management policy and disaster recovery and business continuity plans; and (vi) insurance coverage dedicated to losses resulting from cybersecurity incidents.
Cybersecurity risk management is integrated into Cohen & Steers’ overall enterprise risk management process.
For example, (i) enterprise risk management-level cybersecurity risks are reviewed at least annually by Cohen & Steers’ IT security team; (ii) internal and external penetration tests are performed to identify vulnerabilities and findings are risk ranked based on potential likelihood and impact; and (iii) members of Cohen & Steers’ Cybersecurity Management report on cybersecurity risk management and related matters to our audit committee, as part of their ongoing evaluation and oversight of such risk pursuant to non-exclusive authority delegated by the Board. Cohen & Steers uses third-party service providers to assist in identifying, assessing and monitoring material risks from cybersecurity threats, including through penetration testing, provision of threat intelligence and continuous monitoring of Cohen & Steers’ environment. Members of the Advisor’s management report key findings to our audit committee and Cohen & Steers adjusts its cybersecurity policies, standards, processes and practices as necessary based in part on information provided by these assessments and engagements. Cohen & Steers also uses third-party service providers to perform a variety of functions throughout its business, such as application providers, hosting companies and supply chain resources. Cohen & Steers maintains a risk-based approach to identifying and overseeing cybersecurity risks and vulnerabilities presented by its engagement of third parties, as well as the information systems of third parties that could adversely impact its business in the event of a cybersecurity incident affecting those third-party systems. 
Cohen & Steers’ vendor risk management program may involve different assessments designed to help identify cybersecurity risks including: (i) vendor risk assessments; (ii) security questionnaires; (iii) vendor audits; (iv) vulnerability scans relating to vendors; (v) security assessment calls with the vendor’s security personnel and its review of the vendor’s written security program, security assessments and other reports; (vi) evidence of cybersecurity preparedness through a System and Organization Controls (“SOC”) 1 or SOC 2 report; and (vii) the imposition of contractual obligations on the vendor.
For a description of the risks from cybersecurity threats that may materially affect the Company, see our risk factors under Part 1. Item 1A. “Risk Factors” in this Annual Report on Form 10-K, including under the caption “We could incur financial losses, reputational harm and regulatory penalties if we or Cohen & Steers fail to implement effective information security policies and procedures.”

Governance

Our cybersecurity risk assessment and management processes are implemented and maintained by members of Cohen & Steers’ Cybersecurity Management, including its CISO, CTO and Head of IT Infrastructure.
- Cohen & Steers’ CISO oversees the information security group and program within its IT department, has over 25 years of experience, including similar roles at other financial services companies, holds the Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC) certifications and is registered with FINRA for the Series 99.
- Cohen & Steers’ CTO oversees its IT department and has served in various roles in information technology for over 29 years, including senior leadership roles at another financial services company.
- Cohen & Steers’ Head of IT Infrastructure oversees the infrastructure and service desk within its IT department and has served in various roles in information technology for over 13 years.
Members of Cohen & Steers’ Cybersecurity Management, including its CISO and its CTO, are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Cohen & Steers’ overall risk management strategy and communicating key priorities to relevant personnel. Members of Cohen & Steers’ Cybersecurity Management, including its CISO and its CTO, are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes and reviewing security assessments and other security-related reports.
Cohen & Steers’ cybersecurity incident response plan is a key component of its cybersecurity program. The response plan is designed to report certain cybersecurity incidents to members of Cybersecurity Management, who then work with Cohen & Steers’ incident response team to help control, mitigate and remediate cybersecurity incidents. In addition, the response plan includes prompt reporting to our Board (or the audit committee) of certain cybersecurity incidents and related materiality and disclosure determinations.
Our Board has delegated the primary responsibility for oversight and review of the Company’s cybersecurity program to the audit committee. The audit committee actively participates in discussions regarding cybersecurity risk exposures and steps taken by management of Cohen & Steers to monitor and mitigate such risks, further to their responsibility to manage, oversee and remain informed about the most significant risks to our Company and align our risk exposure with our strategic and business objectives.
At least annually, the audit committee reviews with the Advisor and Cohen & Steers’ CISO and its CTO Cohen & Steers’ cybersecurity program, including the robustness and efficacy of Cohen & Steers’ overall cybersecurity program, steps taken to enhance defenses and security measures in place and its established plans to identify, detect and respond to threats Cohen & Steers may encounter. The audit committee also annually reviews and discusses with the Advisor cyber insurance coverage. In addition, as necessary, our Board (or the audit committee) receives reports and communications from the Advisor regarding material risks and specific developments that may cover topics such as: the Advisor’s computerized information system controls; the impact of new cybersecurity-related rules and regulations; changes in the threat environment including new and emergent risks; and evolving information security standards and market practices, including with respect to peers and third parties. As of December 31, 2024, neither we nor Cohen & Steers had experienced any cyber incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition.


Company Information

Name: Cohen & Steers Income Opportunities REIT, Inc.
CIK: 0001939433
SIC Description: Real Estate Investment Trusts
Ticker:
Website:
Category: Non-accelerated filer, Smaller reporting company, Emerging growth company
Fiscal Year End: December 30