CHIMERA INVESTMENT CORP - (CIM)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We have a risk management process and strategy in place for assessing, identifying, and managing material risks from cybersecurity threats. Our cybersecurity risk management framework is closely aligned with the National Institute of Standards and Technology (“NIST”)’s Cybersecurity Framework (“CSF”) and is incorporated into our enterprise risk management process, information systems, vendor engagement process and employee training programs. We focus on people, processes and technology to build a defensive posture against cybersecurity threats that minimizes disruption to our business while maximizing the security and resiliency of the organization.

We focus on people because we believe that one of the first lines of defense is our employees. All new employees are required to complete cybersecurity training. In addition, we provide quarterly cybersecurity training to existing employees, conduct simulated phishing tests, and perform security awareness proficiency assessments to create more effective and targeted training campaigns to strengthen the human firewall. Our employees are required to annually re-affirm adherence to company-wide IT and related policies designed to secure a safe information and communications systems environment. As part of our cybersecurity risk management process, we also conduct third-party led tabletop exercises to practice and prepare to respond to a confirmed or suspected security incident and to highlight any areas for potential improvement.

We focus on process, which includes policies, procedures and governance structures designed to help us identify, assess and respond to cybersecurity risks. We have a written cybersecurity framework that closely aligns with NIST’s CSF. In addition, we maintain a cyber incident response plan to facilitate our response to cybersecurity incidents and formed an Incident Response Team composed of the Chief Information Security Officer, the Chief Legal Officer, the Chief Operating Officer, the Chief Risk Officer, the Head of Investor Relations, and the Associate General Counsel. The foregoing officers also include within their working teams non-management employees who are best positioned to identify, assess, respond to and galvanize both internal and third-party resources necessary in the event of a cybersecurity incident. We test the resiliency of our systems through penetration and disaster recovery tests to continually improve our business continuity plan against an ever-changing threat landscape, create redundancies where appropriate for the protection of the Company’s assets, have engaged a security operations center to provide 24/7 monitoring of our environment to detect and respond to suspicious activities in the network, and have cybersecurity insurance. We periodically perform an independent third-party cybersecurity maturity assessment of our systems, policies and procedures focused on the NIST’s CSF and the SEC's Office of Compliance Inspections and Examinations cybersecurity guidance.

We have also implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers, including requiring key service providers to provide evidence that their systems meet appropriate cybersecurity requirements (collaborating with service providers to help assess the sufficiency of their cybersecurity measures, and requiring service providers to notify us promptly of cyber incidents that may affect our systems or data).

Lastly, we use technology to minimize our exposure to cybersecurity vulnerabilities, implementing software patches in a timely manner and using other technology to promote a safe information and communications systems environment. We avail ourselves of third-party technologies and tools, including tools provided by the Cybersecurity and Infrastructure Security Agency (CISA), other government agencies and third-party cybersecurity experts.

To date, no risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected us, or, to our knowledge are reasonably likely to materially affect us including our business strategy, results of operations or financial condition.

Governance

Our Board, in coordination with the Audit Committee and the Risk Committee, oversees management of cybersecurity risk. They receive regular reports from senior management and our Chief Information Security Officer (“CISO”) on, among other things, the threat landscape, the Company’s cybersecurity program, infrastructure improvements, cybersecurity incident investigations and information security vulnerabilities. The Audit Committee focuses on cybersecurity risk, particularly as it relates to enterprise risk management within the audit and financial reporting process, while the Risk Committee focuses on cybersecurity risk within the Company’s overall business risk profile. Refer to Item 7A, "Quantitative or Qualitative Disclosures about Market Risk - Risk Management" included in this 2023 Form 10-K for additional information on our enterprise risk management.

The Company’s CISO has a Bachelor of Engineering degree in information technology and more than 25 years of experience in the information technology space, including extensive experience leading our internal IT infrastructure and cybersecurity team. The CISO receives regular updates on cybersecurity matters from his internal IT infrastructure and cybersecurity team as well as outside vendors and advisors that we have engaged. Employees outside of the IT infrastructure and cybersecurity team have also been instructed to elevate any potential cybersecurity issues, whether internal or at a third-party with whom we do business, to the CISO.

The Incident Response Team and the non-management employees who support the Incident Response Team are best positioned to identify, assess, respond to and galvanize both internal and third-party resources in the event of a cybersecurity incident. In the event of a potentially material cybersecurity event, all members of the Incident Response Team are notified and a preliminary assessment of the situation is made. Designated individuals within the Incident Response Team will notify the Chief Executive Officer, and if the situation so warrants, the Board of Directors, cybersecurity experts, outside counsel and other advisors to help further assess and formulate an appropriate response to the situation. A strong working relationship exists between the legal, accounting/finance, IT and business departments so that identified issues are addressed in a timely manner and incidents are reported to the appropriate regulatory bodies as required.