Comstock Holding Companies, Inc. 10-K Cybersecurity GRC - 2025-03-21

Page last updated on March 21, 2025

Comstock Holding Companies, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-21 09:13:15 EDT.

Filings

10-K filed on 2025-03-21

Comstock Holding Companies, Inc. filed a 10-K at 2025-03-21 09:13:15 EDT
Accession Number: 0001299969-25-000004


Item 1C. Cybersecurity.

Risk Management and Strategy

To mitigate cybersecurity risks, we continuously assess and enhance our security processes and procedures. We collaborate with industry-leading managed security service providers to strengthen our ability to identify, assess, prevent, and respond to cybersecurity threats. Our information technology operations and security processes are being aligned with the National Institute of Standards and Technology (NIST) framework to further standardize and improve our security posture. As part of our commitment to a cloud-first strategy, we prioritize the use of SaaS-based solutions for critical business functions. These third-party providers conduct annual Statement on Standards for Attestation Engagements (“SSAE”) audits, ensuring compliance with industry best practices.

We have adopted a cybersecurity risk management framework designed to identify and mitigate potential cybersecurity risks, which is being integrated into our overall enterprise risk management program. Our risk assessments are informed by third-party cybersecurity experts, who conduct annual internal penetration tests and monthly vulnerability scans to continuously evaluate and strengthen our security posture. Cybersecurity risks are categorized using a Critical, High, Medium, and Low risk scoring methodology. These assessments are performed through a combination of automated tools, manual audits, and expert evaluations, allowing us to implement effective controls that enhance our security framework.

In addition, we have introduced annual cybersecurity awareness training, phishing simulations, and ongoing communication initiatives to strengthen organizational awareness of cybersecurity risks and threat prevention. To date, we and our subsidiaries have not experienced any material cybersecurity incidents.

Governance

Cybersecurity is a key component of our enterprise risk oversight framework, with our Board of Directors actively engaged in overseeing cybersecurity risk management. While management is responsible for day-to-day cybersecurity operations, the Board ensures that our cybersecurity risk management strategies are effectively implemented. The Board is briefed on material cybersecurity incidents as necessary to maintain transparency and informed decision-making.

Our Vice President of Information Technology leads our cybersecurity strategy, programs, and risk management processes. With over 30 years of experience in IT, including 15+ years in cybersecurity, the Vice President provides strategic oversight and ensures alignment with industry best practices. This role is supported by a team of cybersecurity professionals with formal training and specialized expertise, as well as partnerships with managed security service providers focused on proactive threat detection, incident response, and risk mitigation.

As part of our annual enterprise risk assessment, cybersecurity risks are ranked and reviewed by executive management. In the event of a cybersecurity incident, the Vice President of Information Technology, in collaboration with our cybersecurity partners, would conduct a comprehensive impact assessment. This assessment would outline both potential and actual risks, along with necessary remediation steps. If an incident is deemed material, the Vice President would escalate the matter to the Board of Directors, who would determine whether disclosure to customers or investors is required.


Company Information

Name: Comstock Holding Companies, Inc.
CIK: 0001299969
SIC Description: Real Estate
Ticker: CHCI - Nasdaq
Website:
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: December 30