Shepherd's Finance, LLC 10-K Cybersecurity GRC - 2025-03-19

Page last updated on March 19, 2025

Shepherd’s Finance, LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-19 16:32:15 EDT.

Filings

10-K filed on 2025-03-19

Shepherd’s Finance, LLC filed a 10-K at 2025-03-19 16:32:15 EDT
Accession Number: 0001493152-25-010927

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We face cybersecurity risks due primarily to our position in the industry and identity as a financial service company with potential for harm that could occur to us, our investors and our customers were we to suffer impacts of a material cybersecurity incident. We are committed to maintaining robust governance and oversight of these risks and to implementing mechanisms, controls, technologies, and processes designed to help us assess, identify, and manage these risks. While we have not , as of the date of this Annual Report, experienced a cybersecurity threat or incident that resulted in a material adverse impact or are reasonably likely to have material adverse impact on our business or operations, our business strategy, results of operations, or financial condition, there can be no guarantee that we will not experience such an incident in the future. In addition, the environment and threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventative measures. We only use industry leading third party software applications for our operations and we rely on their technology to assess potential cybersecurity threats. We seek to detect and investigate unauthorized attempts and attacks against our network and services which are also dependent on third parties (multiple law firms, banks, settlement and title entities) and their technology, and to prevent their occurrence and recurrence where practical through changes, updates and enhancements to our internal processes and tools. We have an internal process to consider the cybersecurity practices of our third-party service providers and we actively review their cybersecurity notices and alerts on an ongoing basis. Our assessment of risks associated with the use of third-party providers is part of our overall risk management framework. However, we remain potentially vulnerable to known or unknown threats. We aim to incorporate industry best practices throughout our cybersecurity program. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and other processes to assess, identify, and manage material cybersecurity risks. Our cybersecurity program is designed to be aligned with applicable industry standards and is assessed periodically by independent subject matter expert third parties who hold industry leading certifications such as Certified Information Systems Security Professional (CISSP), GIAC Certified Intrusion Analyst (GCIA), and GIAC Certified Incident Handler (GCIH). We have processes in place to identify, access, and address material cybersecurity threats and incidents with the help of the above noted expert third parties as needed. We monitor issues that are internally discovered or externally reported that may affect our business and have processes to assess those issues for potential cybersecurity impact or risk . Pursuant to our Audit Committee Charter, our Audit Committee is responsible for reviewing and assessing our risk assessment and risk management policies, including oversight of cybersecurity risk. Our risk assessment policy is utilized in making decisions with respect to company priorities, resource allocations, and oversight structures . Our Board of Managers, with the assistance of our Audit Committee and Technology Committee, regularly reviews our cybersecurity program with management and reports to the Board of Managers . Messrs. Wallach and Sheldon, both members of our Technology Committee and our Board of Managers, bring extensive experience in security governance, risk, and compliance, with prior leadership experience in public and private companies, where they closely worked with massive IT departments to handle with cybersecurity risks, information technology and data protection . Cybersecurity reviews generally occur at least annually, or more frequently as determined to be necessary or advisable. We have an escalation process in place to inform senior management and the Board of Managers of material issues.

Company Information