CNSREIT-AR-2024 Final - Flipbook - Page 94
Cohen & Steers has implemented and maintains various technical, physical and organizational measures, processes,
standards and policies designed to manage and mitigate material risks from cybersecurity threats, including:
• technical and physical safeguards: (i) real-time security information and event monitoring of systems,
workstations, servers and networks, and periodic internal and external vulnerability scans; (ii) asset management
tracking and disposal; (iii) incident detection and response; (iv) data encryption; (v) notification monitoring from
Cohen & Steers' personnel and from third parties regarding issues and signs of potential incidents; and (vi) logical
access controls and network security controls; and
• organizational safeguards: (i) incident response plans that address Cohen & Steers' response to a cybersecurity
incident; (ii) personnel and vendors dedicated to overseeing Cohen & Steers' cybersecurity program; (iii) periodic
mandatory employee cybersecurity training; (iv) periodic risk assessments and testing of Cohen & Steers'
policies, standards, processes and practices designed to address cybersecurity threats and incidents; (v) policies
and programs such as security standards, a vendor risk management program, a vulnerability management policy
and disaster recovery and business continuity plans; and (vi) insurance coverage dedicated to losses resulting from
cybersecurity incidents.
Cybersecurity risk management is integrated into Cohen & Steers' overall enterprise risk management process. For
example, (i) enterprise risk management-level cybersecurity risks are reviewed at least annually by Cohen & Steers' IT
security team; (ii) internal and external penetration tests are performed to identify vulnerabilities and findings are risk
ranked based on potential likelihood and impact; and (iii) members of Cohen & Steers' Cybersecurity Management report
on cybersecurity risk management and related matters to our audit committee, as part of their ongoing evaluation and
oversight of such risk pursuant to non-exclusive authority delegated by the Board.
Cohen & Steers uses third-party service providers to assist in identifying, assessing and monitoring material risks from
cybersecurity threats, including through penetration testing, provision of threat intelligence and continuous monitoring of
Cohen & Steers' environment. Members of the Advisor's management report key findings to our audit committee and
Cohen & Steers adjusts its cybersecurity policies, standards, processes and practices as necessary based in part on
information provided by these assessments and engagements.
Cohen & Steers also uses third-party service providers to perform a variety of functions throughout its business, such
as application providers, hosting companies and supply chain resources. Cohen & Steers maintains a risk-based approach
to identifying and overseeing cybersecurity risks and vulnerabilities presented by its engagement of third parties, as well as
the information systems of third parties that could adversely impact its business in the event of a cybersecurity incident
affecting those third-party systems. Cohen & Steers' vendor risk management program may involve different assessments
designed to help identify cybersecurity risks including: (i) vendor risk assessments; (ii) security questionnaires; (iii) vendor
audits; (iv) vulnerability scans relating to vendors; (v) security assessment calls with the vendor's security personnel and its
review of the vendor's written security program, security assessments and other reports; (vi) evidence of cybersecurity
preparedness through a System and Organization Controls (