OppFi Inc. - (OPFI)

10-K Filing Date: March 27, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

We confront substantial cybersecurity risks driven by various factors. These risks are rooted in the wide range of systems we must safeguard against cyberattacks, further exacerbated by the complexity and technical sophistication of our products and systems. Additionally, our reliance on third-party products, services, and components adds complexity to our risk landscape.

In response, we have adopted a cybersecurity program to manage cybersecurity risks, prioritizing the protection of data entrusted to us by our customers and other stakeholders. We employ various mechanisms, controls, technologies, and processes aimed at assessing, identifying, and managing these risks.

Our cybersecurity program is rooted in industry best practices, drawing upon frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization, and other relevant industry standards. This does not mean that we meet any particular technical standards, specifications, or requirements, but only that we use these standards as a guide to help us design and assess our program.

Our policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program. Regular cybersecurity risk assessments are conducted, leveraging both internal and external sources of information to drive alignment on initiatives aimed at enhancing security controls. We maintain a cybersecurity incident response plan that identifies the activities and escalation processes to be implemented upon detection of a cybersecurity incident, and we regularly test and evaluate the effectiveness of such plan.

Technical safeguards undergo periodic assessment and enhancement designed to protect information systems from cybersecurity threats, utilizing vulnerability assessments, threat intelligence, and incident response experience. Our policies also mandate that our employees contribute to our security efforts. We regularly remind our employees of the importance of handling and protecting customer and employee data through quarterly security training and testing, aimed at enhancing employee awareness and improving their ability to detect and respond to cybersecurity threats.

Additionally, controls have been implemented that are designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Certain providers undergo security risk assessments upon onboarding and upon detection of an increase in their risk profile. Our risk assessments utilize various inputs, including information supplied by the providers and third parties. Furthermore, we mandate that our providers meet appropriate security requirements, controls, and responsibilities. We also investigate security incidents impacting our third-party providers as necessary.

Our cybersecurity policies, standards, processes and practices are regularly assessed by external consultants and auditors. These assessments include a variety of activities, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. For example, in each of the last three years we have conducted an independent cybersecurity risk assessment to measure our cybersecurity maturity against the NIST Cybersecurity Framework. The results of significant assessments are reported to management and our Audit Committee, and our cybersecurity processes are adjusted based on the information these assessments provide.

For more information on our cybersecurity risks that may materially affect us, please refer to the section titled “Risk Factors – Security breaches of borrowers’ confidential information that we store may harm our reputation, adversely affect our results of operations and expose us to liability – and – If our risk management framework does not effectively identify and control our risks, we could suffer unexpected losses or be adversely affected, which could have a material adverse effect on our business.” While to date we have not identified any breaches from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, the sophistication of cybersecurity threats continues to increase, and the preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems and information may be insufficient. Accordingly, no matter how well our program is designed or implemented, we will not be able to anticipate all security breaches, and we may not be able to implement effective preventive measures against such security breaches in a timely manner, which could result in substantial expenses and reputational damage.

Cybersecurity Governance

Our Board of Directors and management are actively involved in the oversight of our risk management program, with cybersecurity representing a critical component to ensure alignment with our strategic objectives. The Audit Committee directly oversees and regularly reviews our cybersecurity program, receiving periodic reports from our Chief Information Security Officer (“CISO”) on various matters including risk assessment results, progress of risk reduction initiatives, feedback from external auditors, control maturity assessments, and relevant internal and industry cybersecurity incidents.

While our Board of Directors has overall responsibility for the oversight of our enterprise-wide risk management, of which cybersecurity risk management is one component, our management team is responsible for day-to-day risk management, including the implementation of our cybersecurity program. We have established an information security council (the “Information Security Council”), with full participation from our senior management team, to serve as the steward of our information security program. Designed to meet quarterly or more frequently as needed, the council reviews security performance metrics, stays abreast of industry trends and regulatory changes, and evaluates progress on security initiatives. The council plays a crucial role in promoting a culture of security awareness and ensuring OppFi remains resilient against evolving cyber threats.

Our corporate information security organization manages and continually enhances a robust enterprise security structure with the goal of averting cybersecurity incidents while increasing our system resilience to minimize the business impact should an incident occur. Led by our CISO, who reports to the Chief Technology Officer (“CTO”), our corporate information security organization is composed of seasoned professionals, some holding certifications such as Certified Information Systems Security Professional or Certified Information Security Manager. Our CTO has served in various leadership roles in information technology for over 20 years, including a nine-year tenure as the Chief Technology Officer at a fintech company. He holds a bachelor's degree in computer engineering and a master's degree in information systems. Our CISO, with over 20 years of leadership experience in IT and security, was a CISO at a financial services company before joining OppFi. She has an MBA and a master's degree in Computer Information Systems and is a Certified Information Security Manager (CISM). Additionally, both the CISO and CTO are members of the Information Security Council, providing regular updates to our senior management team regarding our cybersecurity program, mitigation strategy, and progress.