Cybersecurity Policy

Updated: December 2025

Cybersecurity at Canyon Creek Investment Advisors

In an era of evolving digital threats, we believe that robust cybersecurity is a fundamental component of our fiduciary duty to you. We have implemented a comprehensive cybersecurity program governed by our internal policies (OPS-01) and designed to meet or exceed regulatory standards. Our approach is proactive, covering everything from the technology we use to the daily habits of our team.

1. Our Technical Defenses

We utilize a suite of advanced technical controls to safeguard our infrastructure:

  • Enterprise-Grade Protection: Our systems are protected by continuous anti-virus software, firewalls, and intrusion detection systems that monitor for suspicious activity 24/7.

  • Encryption: Your data is encrypted both when it is stored on our servers ("at rest") and when it is being transmitted ("in transit"). This ensures that even if data were intercepted, it would remain unreadable and useless to unauthorized parties.

  • Secure Cloud Infrastructure: We partner with industry-leading technology providers who adhere to strict security standards, verified through rigorous due diligence processes.

2. Identity & Access Management

Preventing unauthorized access is our first line of defense. We employ strict identity verification protocols to ensure only the right people can access sensitive information:

  • Multi-Factor Authentication (MFA): We require MFA for all critical systems. This means that even if a password is compromised, an attacker cannot access our systems without a second form of verification, such as a code sent to a mobile device.

  • Least-Privilege Access: We operate on a "need-to-know" basis. Access to client data is restricted strictly to the personnel who require it to service your account.

  • Rapid Revocation: If an employee leaves the firm, their access to all systems is immediately revoked to prevent any unauthorized entry.

3. Remote Work Security

We understand that modern business often happens outside the office. We have established strict protocols to maintain security regardless of location:

  • Secure Connections: Our team utilizes Virtual Private Networks (VPNs) to create a secure, encrypted tunnel for all data traffic when accessing firm resources remotely.

  • Firm-Managed Devices: Business is conducted exclusively on firm-issued computers that are centrally managed and monitored. We strictly prohibit the use of personal devices for accessing client information.

  • Device Security: If a device is ever lost or stolen, we have protocols in place to remotely wipe all data and disable access credentials immediately.

4. A Culture of Vigilance

Technology is only effective when paired with human vigilance. We invest heavily in the training and preparedness of our team:

  • Annual Risk Assessments: We conduct formal risk assessments every year to identify new threats, test our defenses, and update our protocols.

  • Mandatory Training: Every member of our staff undergoes mandatory annual cybersecurity training to recognize phishing attempts, social engineering, and other emerging security risks.

  • Incident Response: In the unlikely event of a security incident, we have a tested Incident Response Plan in place to detect, contain, and resolve issues rapidly.