CONSUMER PORTFOLIO SERVICES, INC. - (CPSS)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity

 

Risk Management and Strategy

 

Our information security policies and processes are designed to assess, identify, and manage material risks from cybersecurity threats, including protecting the security and confidentiality of consumer information. We use various tools and strategies to identify and assess material risks from cybersecurity threats. We conduct ongoing cybersecurity gap analysis and risk assessments, vulnerability testing, and penetration testing. The cybersecurity risk assessments, vulnerability testing, and penetration testing are designed to identify internal and external risks to the security of our information systems.

 

We also actively monitor our systems and connections for abnormal activity, including malicious phishing attempts. This includes the use of intrusion detection systems, log analysis, and real-time monitoring of critical systems. We have an incident reporting portal available to all employees to submit any issues they suspect may pose a risk to our information technology (“IT”) systems and security.

 

We use the results of the above-described tools and strategies to assess the sufficiency of the safeguards in place to manage material risks from cybersecurity threats, to enhance such safeguards, or implement new safeguards, as necessary. We have several safeguards in place to manage material risks from cybersecurity threats. We have security awareness training for our employees, including ongoing simulated phishing email campaigns. We utilize firewalls, anti-virus software, encryption on stored data and communication channels, secure web portals for remote access to our systems, password security, and two-factor authentication. We continuously update our software and security patches. We restrict inbound email attachments, certain websites, and cloud-based drives. We monitor and restrict information transfers to and from unauthorized IP addresses. We also have physical security safeguards for our locations and data centers. We back up our systems and data regularly. In addition, we have a disaster recovery program designed to help us quickly respond to and recover from an interruption of critical IT services.

 

As part of our overall risk management processes, we engage in a multi-departmental strategy to assess and incorporate the above processes and involve other departments as needed, including IT, Systems, Risk Management, and Legal. We engage assessors, consultants, auditors, or other third parties to assist with some of the processes above, including conducting risk and gap assessments, IT audits and consulting, system monitoring, vulnerability testing, and penetration testing. To oversee and identify material cybersecurity risks associated with our use of third-party service providers, we limit data access for third-party service providers to only the data that is necessary for the given function and conduct due diligence on our service providers including their information security practices. We require our service providers to maintain appropriate safeguards for the security of consumer information.

 

We cannot assure that our information security policies and processes will be effective in protecting us from cybersecurity threats. Risks from cybersecurity threats have not materially affected us. However, if we experience a material cybersecurity incident it is reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For more information, please see Item 1A. Risk Factors of this Report, including the risk factors titled “If We Experience Problems with Our Originations, Accounting or Collection Systems, Our Results of Operations May Be Impaired” and “A Breach in the Security of Our Systems Could Result in the Disclosure of Confidential Information, or Subject us to Liability.”

 

Governance

 

The Senior Vice President of Systems and the Vice President of IT are responsible for assessing and managing material risks from cybersecurity threats through the implementation of the Company’s information security policies and processes. The Senior Vice President of Systems has over 20 years of IT and cybersecurity experience with the Company. The Vice President of IT has over 15 years of IT and cybersecurity experience with the Company and has earned industry certifications in IT. The Senior Vice President of Systems and the Vice President of IT report to the Executive Vice President of Risk, Systems, and IT.

 

 

 


 

 

The Senior Vice President of Systems and the Vice President of IT work directly with the internal and external IT personnel to implement our information security policies and processes, including those described in the “Risk Management and Strategy” section above. They are informed about and monitor the prevention, detection, mitigation, and remediation or prevention of cybersecurity incidents through those processes. They regularly report on the status of these matters to the Executive Vice President of Risk, Systems, and IT.

 

The Board, as a whole, is responsible for risk oversight, including cybersecurity risk. As part of this oversight, the Executive Vice President of Risk, Systems, and IT reports to the Board annually on the status of and developments in the Company’s information security policies and processes.