BIMINI CAPITAL MANAGEMENT, INC. - (BMNM)
10-K Filing Date: March 08, 2024
The Board plays an active role in overseeing management of our risks, and cybersecurity represents an important component of the Company’s overall approach to risk management and oversight. Our cybersecurity processes and practices are integrated into the Company’s risk management and oversight program. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. The Company has adopted a cybersecurity incident response plan to enable rapid response, curtail further security breaches, mitigate and manage costs, and facilitate timely disclosure of material cyber incidents as required by the SEC.
Risk Management and Strategy
The Company and our Board place a high priority on maintaining security over our financial information that can be accessed via the Internet and mitigating information security risks. The Company engages a third-party security firm to provide threat detection and reports, conduct annual testing of our systems, train our employees and generally advise on cybersecurity processes. At least annually, our information technology team make a formal presentation to our Audit Committee and the Board to keep them apprised of the level of cybersecurity that exists to protect our financial information, training of the Company’s officers and employees, and the latest threats that have emerged, including a presentation from the third-party security firm.
The Company’s cybersecurity program is focused on the following key areas:
● | Governance: As discussed in more detail under “Item 1C. Cybersecurity—Governance,” the Audit Committee and the Board oversee cybersecurity risk management by regularly interacting with the Company’s management team, our information technology team and a third-party security firm.
|
● | Collaborative Approach: The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
|
● | Technical Safeguards: The Company deploys technical safeguards that are designed to protect information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, redundant data storage and retention methods, anti-malware functionality and access controls, which are evaluated and improved through vulnerability and exposure assessments and cybersecurity threat intelligence. With the help of our third-party security firm, the Company has implemented several layers of physical security, digital security and data backup.
|
● | Incident Response and Recovery Planning: The Company has established a comprehensive incident response and recovery plan that addresses the response to a cybersecurity incident and plans to test and evaluate that plan on a regular basis.
|
● | Third-Party Risk Management: The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including counterparties, service providers or other external users of our systems, as well as the systems of third parties that could adversely impact the Company’s business in the event of a cybersecurity incident affecting those third-party systems.
|
● | Education and Awareness: A third-party security firm provides training to our employees, helping our information technology team to maintain a state-of-the-art cybersecurity system and staying up to date on the latest threats and counter measures available. The third-party security firm places a high priority on employee threat education through automated internal phishing tests. Our information technology team attends continuing education seminars and receives timely alerts to any new viruses or cyber threats as they occur as a means to equip personnel with effective tools to address cybersecurity threats, and to communicate evolving information security policies, standards, processes and practices. |
Governance
The Company believes oversight of cybersecurity risk is the responsibility of the Audit Committee and the full Board. Accordingly, the Audit Committee and the Board oversee the Company’s cybersecurity risk management process. The Board considers the Company’s cybersecurity posture and risk exposure with management taking into consideration the Company’s operations and the types of data retained on its systems as part of its and the Audit Committee’s periodic review of the Company’s risk management. The Company’s primary business involves investments in Agency MBS, which are securities backed primarily by single-family residential mortgage loans. The Company does not receive personal information on individual mortgage borrowers. The Board reviews the Company’s cybersecurity program and risk exposure with management on at least an annual basis and receives periodic reports from management, the information technology team, and the Company’s third-party security firm on these matters from time to time. The Board may also conduct additional cybersecurity reviews or receive additional updates or reports as it deems necessary. Messrs. Cauley and Haas work collaboratively to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plan. These members of the Company’s management team monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and report such threats and incidents to the Board when appropriate. Messrs. Cauley and Haas each hold undergraduate and graduate degrees in their respective fields, and each have approximately 20 years of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to affect the Company, including its business strategy, results of operations or financial condition. The Company is not aware of any material security breach to date. Accordingly, the Company has not incurred any expenses over the last three years on information security breaches. However, the Company faces certain ongoing risks from cybersecurity that, if realized, could materially affect the Company. See “Item 1A. Risk Factors - The occurrence of cyber-incidents, or a deficiency in our cybersecurity or in those of any of our third party service providers could negatively impact our business by causing a disruption to our operations, a compromise or corruption of our confidential information or damage to our business relationships or reputation, all of which could negatively impact our business and results of operations.” There can be no assurance that the Company's cybersecurity risk management program and processes, including its policies, controls or procedures, will be fully implemented, complied with or effective in protecting its systems and information.