Ellington Residential Mortgage REIT - (EARN)
10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity
As discussed further in "Item 1. Business—Our Manager and Ellington," we are externally managed and advised by our Manager, an affiliate of Ellington. Our Manager does not have any employees and instead relies on the employees of Ellington to fulfill its obligations to us pursuant to a services agreement. We rely on Ellington's information systems in conducting our day-to-day operations. As such, we also rely on Ellington's processes for assessing, identifying, and managing material risks from cybersecurity threats.
Ellington's cybersecurity processes and practices are integrated into Ellington's risk management and oversight program. In general, Ellington seeks to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that Ellington collects and stores by identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents when they occur.
Ellington's Risk Management and Strategy
Ellington's cybersecurity program is focused on the following key areas:
•Governance: As discussed in more detail below under "Governance," our Board of Trustees' oversight of cybersecurity risk management is supported by the Audit Committee of our Board of Trustees (the “Audit Committee”), which regularly interacts with our management team and other professionals who are responsible for assessing and managing material risks from cybersecurity threats at Ellington.
•Collaborative Approach: Ellington has implemented a cross-functional approach to identifying and evaluating, preventing, mitigating and remediating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents. Such escalation allows Ellington to make timely decisions regarding its response to such incidents and whether disclosure to senior management, our Audit Committee and/or the public is appropriate.
•Technical Safeguards: Ellington deploys technical safeguards that are designed to protect information systems from cybersecurity threats. These systems cover many facets of cyber security including identity protection, anti-virus and anti-malware defense, data loss prevention, endpoint protection (including managed detection and response services), patch and vulnerability management and others. Ellington regularly evaluates new technologies as the cyber security landscape evolves.
•Incident Response and Recovery Planning: Ellington has established and maintains incident response and recovery plans that we believe properly address the response to a cybersecurity incident or other business disruption. To the extent feasible, such plans are tested and evaluated on a regular basis.
•Third-Party Risk Management: Ellington follows a risk-based approach to identifying and overseeing cybersecurity risks presented by third-parties, including vendors, service providers and other external users of Ellington’s systems, as well as the systems of third-parties that could adversely impact Ellington’s business in the event of a cybersecurity incident affecting their systems. Third-party service providers are regularly evaluated by Ellington to assess their cyber security posture and general information technology practices to determine if they are suitable partners; where applicable, relevant certifications are obtained such as SOC 2 or ISO 27001.
•Education and Awareness: Ellington: (i) provides regular, mandatory cyber security training to all personnel to equip them with tools to identify and address cybersecurity threats; (ii) communicates evolving information security policies, standards, processes and practices to employees via email; (iii) delivers additional training to all users who have access to personally identifiable information on Ellington’s processes for handling such information; and (iv) conducts regular, monthly phishing tests to assess user alertness, and retains a separate external cybersecurity vendor to conduct similar tests on an annual basis.
Ellington's technology team assesses the firm’s cybersecurity and infrastructure postures regularly with two separate working groups: one group, meeting weekly, focused on IT implementation and one group, meeting bi-weekly, focused on engineering integration. Both groups include senior members of the technology team. These meetings cover a broad range of topics including implementation planning for the deployment of new hardware and software, patch and vulnerability management, considerations for disaster recovery and business continuity, user access controls, data security and more. As part of this continued monitoring of its cybersecurity posture, Ellington conducts continuous deprecation of obsolete or unsuitable technology, including legacy hardware and software, has a robust patch and vulnerability management process, and has personnel dedicated to the continued monitoring of new developments in threat actors’ activities in order to take preventative actions.
Ellington also regularly engages third parties to perform assessments of Ellington’s cybersecurity posture, including penetration testing, user access control reviews and independent reviews of Ellington’s information security control environment, and operating effectiveness. The results of such assessments, tests and reviews are reported to the Audit Committee and our Board of Trustees, and Ellington adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, tests and reviews, including the implementation of new software and technologies.
To date, no risks from cybersecurity threats to Ellington have materially affected or are reasonably likely to materially affect the Company. While Ellington did experience two business email compromise incidents in recent years, neither had a material impact on our business strategy, results of operations or financial condition.
Governance
Our Board of Trustees, through the Audit Committee, oversees our cybersecurity risk management process. Our Audit Committee receives regular presentations and reports on cybersecurity risks at Ellington, each of which addresses a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties.
Ellington employs internal or external resources whose responsibilities include oversight of their respective firm’s cybersecurity posture.
Ellington's cybersecurity team is led by Ellington's outsourced Chief Technology Officer (the "CTO"), who is primarily responsible for assessing and managing material risks from cybersecurity threats to Ellington. The CTO has extensive experience in application development, database architecture, systems design, and third-party software integration. During his tenure at Ellington, the CTO has led large technical efforts such as the development of Ellington’s proprietary whole loan management system and the overhaul of Ellington’s engineering infrastructure and development services. The CTO works closely with Ellington’s head of Data Platform and Infrastructure (the "DPI Head") to manage Ellington’s infrastructure and cybersecurity posture. During his tenure at Ellington, the DPI Head has led several critical efforts such as the revitalization of Ellington’s hardware, networking and disaster recovery facilities, major improvements to Ellington’s cybersecurity infrastructure, and the development and maintenance of Ellington’s Data Engineering infrastructure. Ellington’s Senior Systems Administrator (the "SSA") works closely with both the CTO and the DPI Head to implement Ellington’s cybersecurity program and infrastructure. The SSA is responsible for all systems and telecommunication design and implementation, with a focus on cybersecurity. The SSA ensures that Ellington's systems are secure and resilient against cyber threats. Prior to joining Ellington in 1997, the SSA was a Senior PC Technical Support at Bear Stearns for seven years. The CTO, after consultation with others, including the DPI Head and the SSA, regularly provides an assessment of Ellington’s cybersecurity posture and reviews Ellington’s information technology roadmap with the Audit Committee.
The CTO's reports cover a range of topics including, at various times, a discussion of the primary cybersecurity risks facing Ellington, an overview of Ellington’s cybersecurity program, common attack vectors and types, the primary functions of Ellington’s cybersecurity program, how Ellington’s cybersecurity programs are applied to critical cybersecurity areas, any recent cybersecurity incidents, Ellington’s ongoing focus areas in its cybersecurity program, Ellington’s employee education program, management of patches and system vulnerabilities, various threat detection methods, malicious activity monitoring, any new cybersecurity focus areas for Ellington, a review of Ellington’s key technologies, Ellington’s incident response procedures and Ellington’s backup systems and redundancy and disaster recovery processes.