loanDepot, Inc. - (LDI)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity

In the ordinary course of our business, we receive, process, retain, transmit and store proprietary information and sensitive or confidential data, including certain public and nonpublic personal information concerning employees and borrowers. In addition, we enter into relationships with third-party vendors to assist with various aspects of our business, some of which require the exchange of personal employee or borrower information. The secure maintenance of this information and our information technology systems is important to our operations and business strategy. To this end, we have implemented processes designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems, including those pertaining to third-party service providers, that may result in adverse effects on the confidentiality, integrity, and availability of these systems and the data residing therein. These processes are managed and monitored by dedicated information security teams, including technology risk, cybersecurity operations, cybersecurity engineering, and identity and access management, led by our Chief Information Security Officer (“CISO”). These teams collectively manage and monitor mechanisms, controls, technologies, systems, and other processes designed to prevent or mitigate data loss, theft, misuse, access, or other security incidents or vulnerabilities affecting our data, digital assets and systems in furtherance of maintaining a secure information technology environment.

For example, we conduct penetration and vulnerability testing, data recovery testing, security audits, and ongoing risk assessments, including due diligence on and audits of our key technology vendors, CROs, and other contractors and suppliers. We also conduct regular employee training on cyber and information security topics, phishing and simulations. In addition, we consult with outside advisors and experts, when appropriate, on a regular basis to assist with assessing, identifying, and managing cybersecurity risks, including to anticipate future threats and trends, and their impact on the Company’s risk environment. We also utilize a third party for cybersecurity incident monitoring and response.

Our CISO, who reports to the Chief Information Officer and has over twenty years of experience managing information technology and cybersecurity matters, together with our senior leadership team, is responsible for assessing and managing cybersecurity risks. The CISO receives regular reports prepared by experienced information security officers on cybersecurity threats, based on data from the Information Security Department and, in conjunction with management, regularly reviews risk management measures implemented by the Company to help identify and mitigate data protection and cybersecurity risks. Certain risk topics, such as cybersecurity and compliance, are discussed at Enterprise Risk Management Committee (consisting of executive management) meetings, and are included in reports to the Board and Audit Committee.

We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management program. While we have identified risks from cybersecurity threats, such risks have not materially affected us, including our business strategy, results of operations or financial condition, with the exception of the Cybersecurity Incident, as disclosed in a Current Report filed by the Company on Form 8-K on January 8, 2024, as amended on January 22, 2024 and February 27, 2024, which the Company believes will have a material impact on the Company’s first quarter 2024 results. As previously disclosed, among other things, the Company expects to record in the first quarter of 2024 approximately $12 to $17 million of expenses related to the Cybersecurity Incident, net of expected insurance recovery. In addition, the Company has been named as a defendant in several lawsuits related to this Cybersecurity Incident, which are seeking various remedies, including monetary and injunctive relief. While we cannot presently quantify the full scope of expenses and other related impacts associated with this Cybersecurity Incident, including costs associated with any related current or future litigation or regulatory inquiries or investigations, the Company currently does not expect that the cybersecurity incident will have a material effect on its overall financial condition or on its ongoing results of operations. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the heading “Cyberattacks, information or security breaches and technology disruptions or failures, including failure of internal operational or security systems or infrastructure, or other cybersecurity incidents of ours or of our third-party vendors, could damage our business operations and increase our costs, which could adversely affect our business, financial condition and results of operations.”

The Board of Directors, as a whole and at the committee level, oversees our enterprise risk management program, the most significant risks facing us and our processes to identify, prioritize, assess, manage, and mitigate those risks. The Audit Committee, which is comprised solely of independent directors, has been designated by our Board to oversee cybersecurity risks. The Audit Committee receives quarterly or as-needed updates on cybersecurity and information technology matters and related risk exposures from our CISO and Chief Information Officer. The Board also receives regular updates from our CISO and Chief Information Officer on cybersecurity risks. In addition, we have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported in a timely manner to the Audit Committee and the Board of Directors.