Armour Residential REIT, Inc. - (ARR)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity
Risk Management
We recognize the importance of developing, implementing, and maintaining cybersecurity measures to safeguard our information systems and protect the integrity and confidentiality of our data. ACM has established an Information Technology Steering Committee (the "ITSC") to help mitigate technology risks including those relating to cybersecurity. One of the roles of the ITSC is to oversee cyber risk assessments, monitor applicable key risk indicators, review cybersecurity training procedures, oversee the Company’s Cybersecurity Incident Response Plan and engage third-party service providers to conduct periodic penetration testing, advise on current best practices and review policies and procedures.
Third-party Service Providers
The ITSC engages with external experts, including cybersecurity assessors and consultants, in evaluating and testing our cyber risk systems. These engagements enable us to leverage specialized knowledge and provide insight to attempt to ensure the cybersecurity strategies and processes are industry best practices. Our collaboration with these third-party service providers includes regular audits, threat assessments, and consultation on security enhancements.
Because of the risks associated with third-party service providers, the ITSC has implemented processes to oversee and manage these risks. Security assessments of key third-party providers are performed before engagement with ongoing monitoring performed to attempt to ensure compliance with cybersecurity standards. The monitoring includes quarterly assessments by the ITSC. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties. Our cybersecurity risk assessment includes an evaluation of cyber risk related to sensitive data held by third parties on their systems. There is no assurance that these efforts will effectively mitigate cybersecurity risk and mitigation efforts are not an assurance that no cybersecurity incidents will occur.
Risks from Cybersecurity Threats
We rely on our financial, accounting and other data processing systems. Computer malware, viruses, computer hacking and phishing attacks have become more prevalent in our industry and may occur on our systems. Although we have not detected a material cybersecurity breach to date, other financial services institutions have reported material breaches of their systems, some of which have been significant. Even with all reasonable security efforts, not every breach can be prevented or even detected. It is possible that we have experienced an undetected breach. There is no assurance that we, or the third parties that facilitate our business activities, have not or will not experience a breach. It is difficult to determine what, if any, negative impact may directly result from any specific interruption or cyber-attacks or security breaches of our networks or systems (or the networks or systems of third parties that facilitate our business activities) or any failure to maintain performance. See "General risks common to ARMOUR and our peer mortgage REITs—We are highly dependent on information and communications systems. System failures, security breaches or cyber-attacks of networks or systems could significantly disrupt our business and negatively affect the market price of our common stock and our ability to distribute dividends" in Item 1A. Risk Factors of this Form 10-K for further discussion.
Governance
Our Board is aware of the critical nature of managing risks associated with cybersecurity threats and has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats. Our Audit Committee periodically monitors and oversees our information and cybersecurity risks including reviewing and approving any information and cybersecurity policies, procedures and resources, and reviewing our information and cybersecurity risk assessment, detection, protection, and mitigation systems.
Management’s Role
The ITSC and the Chief Executive Officer ("CEO") play a pivotal role in informing the Audit Committee on cybersecurity risks. They provide comprehensive briefings to the Audit Committee on a regular basis, with a minimum frequency of once per year. These briefings encompass a broad range of topics, including:
Current cybersecurity landscape and emerging threats;
Status of ongoing cybersecurity initiatives and strategies;
Incident reports from any cybersecurity events; and
Compliance with regulatory requirements and industry standards.
In addition to our scheduled meetings, the Audit Committee, ITSC and CEO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain, attempting to ensure the Board’s oversight is proactive and responsive. The Audit Committee provides the guidance that attempts to ensure cybersecurity considerations are integrated into the broader operating environment. The Audit Committee conducts an annual review of the company’s cybersecurity position and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and attempting to ensure the alignment of cybersecurity efforts with the overall risk management framework.
Risk Management Personnel
Primary responsibility for assessing, monitoring, and managing our cybersecurity risks rests with the ITSC. This committee consists of the Chief Technology Officer ("CTO"), IT Systems Administrator, Chief Investment Officer, VP of Finance, Treasurer and Controller and the CFO. Our CTO has over twenty years of experience with cybersecurity, and our IT Systems Administrator has cybersecurity experience and certifications. All ACM employees are required to complete monthly cybersecurity trainings. Our ITSC oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our cybersecurity training procedures.
Monitoring
The ITSC is informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques by our CTO. Information technology subscriptions and cybersecurity updates are reviewed regularly by our CTO and continuing education in the cybersecurity field is ongoing. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The ITSC implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the ITSC is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.
Reporting
The ITSC regularly informs the CEO of all known aspects related to cybersecurity risks and incidents. This attempts to ensure that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing ARMOUR. Furthermore, significant cybersecurity matters are escalated to the Board, so that the Board can provide guidance on critical cybersecurity issues.