BrightSpire Capital considers its information and information systems to be valuable and vital assets and must be protected as such. BrightSpire Capital maintains policies and supporting procedures designed to help ensure the security and confidentiality of its information and information systems to ensure that information and information systems are properly protected from a variety of threats such as error, fraud, embezzlement, sabotage, terrorism, extortion, industrial espionage, privacy violation, service interruption, and natural disaster. Information is protected according to its sensitivity, value, and criticality with particular focus given to protecting personal identifying information, unpublished financial results and other data deemed proprietary to the Company. All BrightSpire Capital employees and service providers prioritize protecting and otherwise managing Company information assets, and recognize that information security is an important part of the Company's business. Having recently internalized, the Company has focused on the following cybersecurity initiatives.

Responsible Parties

The Company engaged a global leader in end-to-end technology solutions (the “BrightSpire IT Partner”) to advance and maintain a comprehensive cybersecurity program at BrightSpire Capital. We also hired a dedicated senior employee to lead IT oversight and functions, together with the Company’s Chief Financial Officer, General Counsel and aforementioned BrightSpire IT Partner. Benefits provided by the BrightSpire IT Partner include significant reduction in critical vulnerabilities, cost effective governance and risk services, current expertise/awareness to model, adapt to and mitigate new threats, leverage internal team resources to focus on business priorities, and effectively meet and manage evolving regulatory requirements in real time.

Cybersecurity Program

The cybersecurity program includes: (i) implementation of hardware and software infrastructure; (ii) policies, processes and procedures (including network security, password and incident response policies); (iii) employee education, training and periodic testing; and (iv) assessments of internal resources and external vendors and systems.

Cloud Services

The Company migrated all company data and communication services to a best-in-class cloud-based service provider, security systems and protected environment. Employees working from home connect through a virtual private network (VPN).

Security First Approach

Our cloud-based systems take a security first approach, including: (i) Perimeter Security (firewalls, antivirus, malware); (ii) Network Security (secure remote access, network patch management); (iii) Application Security (patch management, multi-factor authentication); (iv) Endpoint Security (email security/encryption, web filtering & URL defense, mobile device management); and (v) Data Security.