Guild Holdings Co - (GHLD)
10-K Filing Date: March 14, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We manage cybersecurity risk through our enterprise-wide risk framework as described below.
Within our enterprise-wide risk framework, we maintain programs that assess, identify, and manage information technology (IT) risk generally and material risks from cybersecurity threats specifically. Our cybersecurity risk program is designed by our IT governance team in collaboration with our risk committee and executive officers to ensure that risks from cybersecurity threats are identified, that multiple layers of protection are operating effectively, that detection of and response to cybersecurity threats are in place, and that recovery of core business processes and systems is documented and tested. Our cybersecurity risk program follows the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). We also use third-party service providers to help enhance our cybersecurity capabilities and to assist us with cybersecurity program assessments and penetration testing, including providing the function of a Chief Information Security Officer.
Specific features of our cybersecurity risk program include (1) periodic assessment of risks arising from cybersecurity threats, including a NIST CSF risk assessment, an application risk assessment, and a business continuity and disaster recovery impact assessment; (2) initiatives relating to the design, operation and monitoring of the IT risk management program and the cybersecurity risk program; (3) creation and maintenance of redundancies for core business systems such as Guild’s originations and servicing systems; (4) training for all personnel on aspects of cybersecurity threats, company-wide cybersecurity awareness campaigns, and additional training for certain other employee groups; (5) an incident response plan that outlines the steps we will take to respond to a cybersecurity incident; and (6) periodic cybersecurity exercises and internal cybersecurity incident simulations.
While the majority of our technology used throughout our company is proprietary, we use third parties to provide IT applications or IT infrastructure that maintain or support our operations. For certain third parties, we have processes to oversee and identify risk from cybersecurity threats through our contract management process.
Material Effects from Cybersecurity Incidents
We have dedicated significant resources toward our efforts to protect our business from the risk of cybersecurity threats. Cybersecurity risk management, data security, privacy, and cyber supply chain risk management activities are integrated into our operations and inform our business strategy.
Although to date we have not experienced any cybersecurity incidents resulting, or reasonably likely to result in, a material impact to our company, including to our business, financial condition, and results of operations, there is no assurance that our cybersecurity risk management program will prevent cybersecurity incidents from having such impacts in the future.
Cybersecurity Governance
Role of Our Board and Audit Committee
Our Board of Directors and Audit Committee oversee our risk management program, which includes cybersecurity risk along with other operational and compliance risks. Information provided to them covers various aspects of our cyber defense, including incident analysis and third-party reports. We have a process in place so that information regarding potentially material cybersecurity incidents is escalated to the Audit Committee and Board of Directors.
Role of Our Management
The company is responsible for assessing and managing cybersecurity risks by establishing and maintaining processes and programs designed to assess, identify, prevent, manage, detect, respond to, and mitigate potential cybersecurity threats as described above.
Our Chief Information Officer leads our information security department, which is primarily responsible for implementing and maintaining our cybersecurity risk management program. The Chief Information Officer has over 30 years of experience in information technology in the mortgage origination and servicing industry, including prior service as the CIO for other mortgage institutions. The cybersecurity risk management program includes teams focused on information security, IT governance and IT operations. The information security program is also supported by personnel in legal and compliance, and application development. Guild personnel that work on cybersecurity risk management have achieved such professional certifications as Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP).
The Chief Information Officer is also a member of our risk committee. The risk committee oversees, on an enterprise-wide basis, Guild’s risk management framework, including cybersecurity risk. The IT security and IT governance teams report regularly to the risk committee on key risk indicators (KRIs) that track Guild’s monitoring of key cybersecurity risks and remediation initiatives. The other members of the risk committee include the Chief Executive Officer, President and Chief Operating Officer, Chief Financial Officer and Chief Compliance Officer.