Item 1C. Cybersecurity.

Assessment, Identification and Management of Material Risks from Cybersecurity Threats

As an externally managed company, our business is highly dependent on the communications and information systems of our Manager, its affiliates and third-party service providers. We, in conjunction with our Manager, have adopted processes designed to identify, assess and manage material risks from cybersecurity threats which prioritizes detection and analysis of and response to known, anticipated, or unexpected threats, effective management of security risks and resilience against cyber incidents. Our Manager's cybersecurity program is aligned to the National Institute of Standards of Technology (NIST) Cybersecurity Framework. Our Manager's cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services, which include tools and services from third-party providers, and management oversight to assess, identify and manage risk from cybersecurity. Our Manager has implemented and continues to implement procedures to address internal and external threats to the security, confidentiality, integrity and availability of our and our Manager’s data and systems along with other material risks to operations and information of our shareholders and other third parties who entrust us with their sensitive information.

As part of its collective risk management process, our Manager has engaged a third party information technology consultant (“IT Consultant”) to evaluate risks associated with our Manager’s information and technology system(s), network and physical devices. Our Manager's cybersecurity risk management and awareness programs include periodic identification and testing of vulnerabilities, regular phishing simulations and annual general cybersecurity awareness and data protection training including for employees of our Manager. Our Manager also has annual certification requirements for employees, including employees who provide services to us pursuant to our Management Agreement with respect to certain policies supporting the cybersecurity program including Chicago Atlantic's Information Security and Electronic Communications policy, Data Protection Policy and Privacy Policy. Our Manager undertakes periodic internal security reviews of our information systems and related controls, including systems affecting personal data and the cybersecurity risks of our Manager and our critical third-party vendors and other partners. Our Manager also completes periodic external reviews of its cybersecurity program and practices, which include assessments of relevant data protection practices and targeted attack simulations.

Material Impact of Risks from Cybersecurity Threats

As of the date of this report, we have not experienced a material information security breach incident and the expenses we have incurred from information security breach incidents have been immaterial, and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, future incidents could have a material impact on our business strategy, results of operations or financial condition. For additional discussion of the risks posed by cybersecurity threats, see “Item 1A. Risk Factors— General Risk Factors—We rely on information technology in our operations, and security breaches and other disruptions in our systems could compromise our information and expose us to liability, which would cause our business and reputation to suffer.”

Governance and Oversight of Cybersecurity Risks

Our Board has responsibility for the direction and oversight of our risk management. Our Board administers this oversight function directly, with support from its committees. In particular, the Audit Committee has the responsibility to consider and discuss

our major financial risk exposures and the steps our Manager takes, or is required to take, to monitor and control these exposures, including guidelines and policies to govern the process by which risk assessment and management is undertaken. The Audit Committee also monitors compliance with legal and regulatory requirements.

Our cybersecurity program is managed by our Manager's IT Manager and our IT consultant, which together, are responsible for enterprise-wide cybersecurity strategy, policies, standards, engineering, architecture and processes. The team is led by our Manager's IT Manager who has a bachelor's degree in Information Systems from Xavier University and over 15 years of experience advising on and managing risks from cybersecurity threats as well as developing and implementing cybersecurity policies and procedures for financial services companies.

With respect to cybersecurity, the Audit Committee engages in discussions with management regarding the Company’s significant financial risk exposures and the measures implemented to monitor and control these risks, including those that may result from material cybersecurity threats. In addition, employees of our Manager and/or the IT Consultant will brief the Audit Committee on the Manager’s information security program and cybersecurity risks at least annually, and will brief the Audit Committee as needed in connection with any potentially material cybersecurity incidents affecting the Company. Annual briefings of the Audit Committee by employees of the Manager and/or the IT Consultant may include topics such as risk assessment, risk management and control decisions, service provider arrangements, test results, security incidents and responses, and recommendations for changes and updates to policies and procedures.