Finance of America Companies Inc. - (FOA)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

Our Company maintains a comprehensive information technology security program based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The information technology security program aims to protect our Company from cybersecurity threats and ensure the confidentiality, integrity and availability of our data and systems. To provide such protection, our program implements a significant number of controls, including but not limited to physical and digital access controls, data protection controls, system development controls, acceptable use controls and monitoring controls. We deploy technical and administrative safeguards, such as firewalls, intrusion prevention and detection systems, anti-malware functionality and security awareness and phishing prevention training programs, which are regularly evaluated and improved. Further, in the event of a cybersecurity incident, our Company has a Cybersecurity Incident Response Team (the “CSIRT”), consisting of stakeholders from across the Company, to respond appropriately. The CSIRT provides a proactive approach to managing cybersecurity incidents and ensures incidents are contained as quickly as possible to avoid or minimize damage to systems, limit impact to client information, protect the Company’s reputation and integrity and prevent future incidents. The Company also has a data incident response plan in place that outlines expected actions in the event of a data security incident. The Company prioritizes protecting and informing customers, clients and employees in the event of a data security incident, as is appropriate.

The Company leverages both internal resources and third-party suppliers as needed for technology assets, systems and development to support its information technology security program. The Company uses third-party rather than internal resources when the Company determines that using a third party better meets the needs of the business. Before contracting with a third-party supplier, the Company determines whether the vended resource is compliant with Company policies. Formal approval for a third-party supplier is obtained through the appropriate Company processes according to the type of resource provided by the third-party supplier.

Third-party vendors can present cybersecurity risks to the Company’s technology resources. The Company has a vendor management team that provides oversight of third-party vendors and engages with the enterprise security team to assess potential cybersecurity risks related to a third-party vendor’s services, both at the time of initial engagement and as part of an annual review process. The enterprise security team considers a number of factors in assessing such risks, including the types of services provided by the third-party vendor, the data and systems the third-party vendor needs to access to provide the services and the policies and controls the third-party vendor has in place to mitigate cybersecurity risks. Some third-party vendors present a higher risk and require additional approval before a contract is signed or renewed. This ensures leadership is aware of risks posed by third-party vendors and can consider this information when evaluating contracts.

The Company has processes in place to assess the effectiveness of its information technology security program. The Company applies cybersecurity assessment tools that analyze the Company’s ability to identify, protect from, detect, respond to and recover from cybersecurity threats and that analyze the various controls put into place by the Company’s information security program. The Company also conducts an annual cybersecurity assessment to identify risks and issues and may conduct more frequent assessments as required by a material change to the Company’s cybersecurity risk. Further, the Company engages third parties to conduct penetration tests to assess the performance of the information technology security program. The results of these assessments and tests are reviewed by the Company’s enterprise security team and senior management and are used to identify areas of vulnerability, which the Company then works to address.

To date, risks from cybersecurity threats have not materially affected our Company or our business strategy, results of operations or financial condition. However, if we were the subject of a significant cyber-attack or security breach in the future, it could materially affect our Company, as discussed in further detail under “Item 1A. Risk Factors—Risks Related to the Business of the Company—A security breach or a cyber-attack could adversely affect our results of operations and financial condition.”

Cybersecurity Governance

Board of Directors Oversight

The Board of Directors oversees the risks to the Company from cybersecurity threats by periodically reviewing information technology security reports from management, including our Chief Information Security Officer (“CISO”), as well as reports from the Audit Committee of the Board of Directors. These reports also include, as applicable, an overview of any cybersecurity incidents. The Audit Committee provides assistance to the Board of Directors with respect to its oversight of the Company’s technology security and data privacy programs. The Audit Committee is responsible for reviewing the Company’s information technology security controls with the CISO and for evaluating, together with the CISO, the adequacy of the Company’s information technology security program, compliance and controls, which evaluation would include a consideration of any applicable cybersecurity incidents.

Management Oversight

We have a dedicated enterprise security team responsible for assessing and managing our material risks from cybersecurity threats. Our enterprise security team is led by our CISO, Drew Robertson, who has extensive experience in cybersecurity. In addition to acting as our CISO, Mr. Robertson currently advises several companies in the cybersecurity industry and is active in a number of information security communities and groups. Prior to his appointment as CISO in October 2021, he served as our Deputy CISO. Before joining the Company, Mr. Robertson worked for the National Security Agency and the United States Army, where he held various leadership positions in computer network defense, computer network exploitation and intelligence oversight. Mr. Robertson holds a BA in Organizational Management, an MS in Cybersecurity Policy and an MBA.

Our enterprise security team works closely with our senior management, information technology, legal and compliance teams to develop, implement, assess and improve our information technology security program, compliance and controls, as described in more detail above under “—Cybersecurity Risk Management and Strategy.” By engaging in the development, implementation, assessment and improvement of our information technology security program, compliance and controls, the enterprise security team is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents. As described in more detail above under “—Board of Directors Oversight,” our CISO reports to the Board of Directors regarding cybersecurity risks and cybersecurity incidents and also works with the Audit Committee to evaluate the program, compliance and controls in place to address cybersecurity risks and cybersecurity incidents.