Page last updated on March 28, 2025
VINEBROOK HOMES TRUST, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-28 17:18:39 EDT.
Filings
10-K filed on 2025-03-28
VINEBROOK HOMES TRUST, INC. filed a 10-K at 2025-03-28 17:18:39 EDT
Accession Number: 0001755755-25-000005
Item 1C. Cybersecurity.
The Company’s Board recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Board is actively involved in oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to risk management. As the historic external property manager of the VineBrook Portfolio and a current subsidiary that engages in property management functions and employs the majority of our employees, we maintain cybersecurity policies, standards, processes and practices at the Manager that cover our 20 physical office locations and over 525 employees.
In general, we seek to address cybersecurity risks of the Company through a comprehensive, cross-functional approach that is focused on continually assessing our information systems to detect, prevent and mitigate cybersecurity threats and effectively respond to cybersecurity incidents when they occur. As one of the critical elements of our overall risk management, our cybersecurity program is focused on the following key areas:
Governance: The Board’s oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the “Audit Committee”), which interacts with our Adviser’s Director of Information Technology, our management and the Interim Chief Technology Officer of the Manager that implement and oversee our cybersecurity program.
Risk Assessment: No less frequently than annually, we complete an assessment to identify potential cybersecurity threats and vulnerabilities to better prioritize and mitigate our cybersecurity risk. The assessment includes, among other things, evaluating the nature, sensitivity and location of information the Company collects, processes and stores and the resiliency of the underlying technologies, the validity and effectiveness of the Company’s security policies, controls and processes and the cybersecurity preparedness of the third-party vendors used by the Company. We complete internally managed weekly vulnerability testing and monthly penetration testing. To supplement our internal assessment, we also engage third-party consultants to assess system configurations through configuration review and annual penetration testing.
Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, multi-factor authentication, and single-sign on for all employees required to access line of business applications, intrusion prevention and detection systems, anti-malware functionality and access controls. Our technical safeguards are evaluated and improved through the use of first and third party vulnerability assessment tools and cybersecurity threat intelligence.
Incident Response and Recovery Planning: We have established and maintained an incident response process and have associated policies in place. As of the date of this filing, we are undertaking an update to our network and system and as such our incident response plan is being updated.
Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including key vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. This includes reviews with our technology partners who provide the commercial off the shelf software applications we rely on to deliver business services.
Education and Awareness: We work in partnership with our human resources team to provide mandatory training for our employees regarding cybersecurity threats as a means to equip our employees with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.
We engage in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address the Company’s cybersecurity threats and incidents. These efforts include a wide range of activities, including third-party annual penetration testing, internally managed weekly vulnerability testing and monthly penetration testing, third-party compliance testing and ongoing internal testing and creation and modification of policies and procedures. The results of these assessments are reported at least annually to the Audit Committee and the Board, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments and ongoing testing.
The Audit Committee oversees the Company’s risk management policies, including the management of risks arising from cybersecurity threats. The Audit Committee receives presentations and reports on cybersecurity risks, which address a wide range of topics including annual assessments of internal and third-party policies, vulnerability assessments, technological trends and information security considerations arising with respect to the Company. The Audit Committee also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the Board and the Audit Committee discuss the Company’s approach to cybersecurity risk management with our management and the Director of Information Technology of our Adviser.
The Interim Chief Technology Officer of the Manager, in coordination with relevant senior management, including but not limited to the Director of IT Operations, Information Security Manager, and General Counsel of the Manager and the Director of Information Technology of the Adviser, work to define, implement, and monitor the effectiveness of a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any security incidents in accordance with the Company’s incident response plan. To ensure the effectiveness of the relevant controls, our technology team monitors, updates, and evolves systems’ security postures to align to controls defined in the NIST Cybersecurity Framework. The Interim Chief Technology Officer of the Manager will promptly notify the Director of Information Technology of our Adviser, who will then notify the General Counsel of the Adviser and our President and Chief Executive Officer, of any cybersecurity events, with material cybersecurity events promptly communicated to the Audit Committee and publicly disclosed as deemed necessary.
The Interim Chief Technology Officer of the Manager has served in various roles in information technology and information security over the previous 30 years, holding company officer roles for both private and publicly traded companies including Chief Information Officer, Chief Security Officer, Chief Information Security Officer and Chief Technology Officer. The Chief Technology Officer of the Manager holds numerous security and technology credentials maintained in good standing including Certified Information Systems Security Professional (CISSP), as well as holding in good standing specialized security operations and data privacy credentials including ISACA Certified Information Security Manager (CISM) and IAPP Certified Information Privacy Manager (IAPP CIPM).
The Adviser’s Director of Information Technology has served in various roles in information technology and information security for 25 years, including serving as Global Technology Manager at a multi-national publicly traded broker-dealer, and 15 years as the Director of Information Technology at a privately held financial services firm. The Adviser’s Director of Information Technology holds an undergraduate degree in biochemistry and has attained numerous information technology certifications over the years including Microsoft Certified Systems Engineer (MCSE) and Cisco Certified Network Professional (CCNP). The Adviser’s Senior Infrastructure Engineer has over 20 years industry experience, holds an undergraduate degree in radiology, and has completed various Microsoft related information technology certifications. Combined, our Adviser’s information technology team has over 50 years of experience covering all major aspects of network architecture and management.
In addition to our cybersecurity policies, standards, processes and practices, our Adviser maintains cybersecurity policies, standards, processes and practices that are based on recognized security frameworks such as the National Institute of Standards and Technology cybersecurity framework and the Azure Security Benchmark. Our Adviser deploys technical safeguards that are designed to protect our Adviser’s information systems from cybersecurity threats and completes internal and external assessments to identify potential cybersecurity threats and vulnerabilities and to identify and oversee cybersecurity risks presented by third parties. The Adviser’s Director of Information Technology, in coordination with relevant personnel of the Adviser, works to conceive, implement, and monitor the effectiveness of a program designed to protect their information systems from cybersecurity threats and to promptly respond to any security incidents.
Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected, and we do not believe are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, the risk of cybersecurity threats could be significant if the cyber-attack disrupts the Company’s critical operations, service or financial systems. See Item 1A. “Risk Factors, Risks Related to Our Business and the Single-Family Rental Housing Market, We are highly dependent on information technology and security breaches or systems failures could significantly disrupt our business” and “Breaches of our data security could materially harm our business and reputation.”
Company Information
Name | VINEBROOK HOMES TRUST, INC. |
CIK | 0001755755 |
SIC Description | Real Estate Investment Trusts |
Category | Emerging growth company |
Fiscal Year End | December 30 |