Lument Finance Trust, Inc. 10-K Cybersecurity GRC - 2025-03-19

Page last updated on March 19, 2025

Lument Finance Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-19 17:19:28 EDT.

Filings

10-K filed on 2025-03-19

Lument Finance Trust, Inc. filed a 10-K at 2025-03-19 17:19:28 EDT
Accession Number: 0001628280-25-013886


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

As an externally managed company, our day-to-day operations are managed by our Manager and our executive officers under the supervision of our board of directors and its committees. Our executive officers are senior investment professionals provided to us through our Manager pursuant to our management agreement with our Manager. Our business is highly dependent on the communications and information systems of our Manager, its affiliates and third-party service providers. Our Manager is an affiliate of ORIX USA, a diversified financial company and subsidiary of ORIX, and participates in and is subject to ORIX USA's cybersecurity program. Accordingly, we rely, and our Manager relies, on ORIX USA and its cybersecurity risk management program to identify, assess and manage material risks to our business from cybersecurity threats. To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected, nor are they reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. For a discussion of how risks from cybersecurity threats affect our business, see "Part I. Item 1A. Risk Factors - the occurrence of cyber-incidents, or a deficiency in our Manager's cybersecurity or those of any of our third party service providers, could negatively affect our business by causing a disruption to our operations, a compromise of our confidential information or damage to our business relationships or reputation, all of which could negatively impact our business and results of operations" in this Annual Report on Form 10-K.

Cybersecurity Governance

Our board of directors is responsible for directing and overseeing our risk management. Our board of directors administers this oversight function directly, with support from its committees. In particular, the audit committee of our board of directors (the "Audit Committee") has the responsibility to consider and discuss our major financial risk exposures and the steps our Manager should take, or is required to take, to monitor and control these exposures, including guidelines and policies to govern the process by which risk assessment and management is undertaken. Our Audit Committee also monitors compliance with legal and regulatory requirements, in addition to overseeing the performance of our internal audit function. Pursuant to the Management Agreement, our Manager is responsible for identifying, assessing, and managing our material risks from cybersecurity threats. Our Manager relies on ORIX USA and the ORIX USA Information Technology and Cybersecurity Team, including the ORIX USA Chief Technology Officer ("CTO"), to provide us with a comprehensive cybersecurity risk management program. Periodically, at least annually, ORIX USA's CTO and/or other members of the ORIX USA Information Technology and Cybersecurity Team will present to the Audit Committee on various topics relating to ORIX USA's technology risks, including ORIX USA's cybersecurity program (including the results of cybersecurity tabletop exercises), cybersecurity issues (including those relating to data protection, insider threats, regulatory changes and geopolitical cyber threat management) and risk management (including the results of periodic technology audits).

Cybersecurity Risk Management and Strategy

ORIX USA has engaged HCLTech ("HCL") to manage all infrastructure and cybersecurity services for ORIX USA and its subsidiaries, under the governance of the ORIX information and cybersecurity leadership team. HCL has over twenty-five years' experience in cybersecurity, nine cybersecurity delivery centers strategically placed across the globe, and employs over 7,000 cybersecurity professionals. The ORIX information and cybersecurity leadership team and HCL are together considered the "ORIX USA Information Technology and Cybersecurity Team". HCL will deliver the managed security services to ORIX USA from its Offshore Management Center (OMC) and Cybersecurity Fusion Centers (CSFC), providing 24x7 operations that cover ORIX USA's cybersecurity landscape, including network security, email security, endpoint security, data security, application security, cloud security, privileged access management, vulnerability management, cybersecurity incident response, cybersecurity third-party risk, cybersecurity awareness training, phishing simulations and identity and access management.

The ORIX USA CTO leads the ORIX USA Information Technology and Cybersecurity Team responsible for managing information security at ORIX USA's asset management business, including its cybersecurity strategy and program, which encompasses annual employee training about cybersecurity risks and new employee onboarding about ORIX USA's security policies. The ORIX USA Information Technology and Cybersecurity Team's responsibilities cover three main areas: (i) operations and engineering, (ii) threat detection and response, and (iii) governance. The ORIX USA CTO leads the cybersecurity team with over four years of experience at ORIX USA and 18 prior years of experience at a large asset management firm. This cybersecurity program is aligned with the NIST Cybersecurity Framework ("NIST CSF"), emphasizing training and development. ORIX USA employs a "defense in depth" cybersecurity strategy and program based on the NIST CSF, which includes multiple layers of security policies, protections, and controls designed to safeguard the confidentiality, integrity, and availability of infrastructure, network and information assets from malware and threats.

This includes the deployment of next generation firewalls, web application firewalls, email protection technologies, DLP technologies, internet proxy, and next generation antivirus and endpoint detection and response ("EDR") systems. Our firewalls (intrusion detection systems and intrusion prevention systems) are designed to secure the organization's perimeter, complemented by an antivirus and EDR platform designed to detect malware and threats on systems. Web application firewalls are designed to protect external facing applications, while our email security gateway utilizes machine learning and multilayered detection techniques designed to filter malicious emails. The ORIX USA Information Technology and Cybersecurity Team monitors security events via a SIEM (security information and event management) and SOAR (security orchestration, automation, and response) platform. Mobile device management software is employed with the objective of protecting corporate email and data on mobile devices and is designed to prevent unauthorized data transfer.

ORIX USA maintains a cybersecurity incident response capability that includes detailed policies, plans and modular run books and maps designed around different types of cybersecurity incidents. The plan and run books are tested annually through cybersecurity tabletop simulations where incident response technical and executive team members go through real-world scenarios focused on current cybersecurity threats. ORIX USA's cybersecurity incident response plan provides for escalation of identified cybersecurity threats and incidents, including, as appropriate, to our management. These discussions provide a mechanism for the identification of cybersecurity threats and incidents, assessment of our cybersecurity risk profile or certain newly identified risks relevant to our Company, and evaluation of the adequacy of our cybersecurity program, including risk mitigation, compliance and controls. ORIX USA has established a notification decision framework to determine when to send notifications regarding certain cybersecurity incidents, with different severity thresholds triggering notification to different recipient groups, including our Manager and officers of LFT.


Company Information

Name: Lument Finance Trust, Inc.
CIK: 0001547546
SIC Description: Real Estate Investment Trusts
Ticker: LFT - NYSE; LFT-PA - NYSE
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30