Open Lending Corp - (LPRO)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We identify and assess cybersecurity risk in connection with our enterprise risk management (“ERM”) process, which is directly tied to our management’s strategic planning process.
We have implemented a variety of measures to assess, identify and manage material risks from cybersecurity threats. These measures include automated source code testing to help align our security infrastructure with application security best practices, and automated scanning and alerts to assess compliance against established security baselines. Our cybersecurity risk management process also includes defined timeframes for addressing vulnerabilities or other gaps identified by our automated detection and scanning tools. We also perform an annual evaluation of our alignment with the U.S. Commerce Department’s National Institute of Standards and Technology framework. In addition, our Information Security team, which reports directly to our Chief Information Officer (“CIO”), performs regular internal vulnerability scans across our information technology systems, and we use an independent third-party service provider for the completion of bi-annual penetration testing to maintain our SOC II compliance.
Our employees are a key element of our cybersecurity and data privacy defenses. We administer mandatory and regular awareness programs for employees on cybersecurity. We require all new employees to complete security awareness training upon hire, and existing employees must complete security awareness training annually thereafter. We also conduct internal incident response tests, phishing test campaigns and other security-enhancing exercises throughout the year. In addition, we established measures to help mitigate the risk of exposure of personally identifiable information (“PII”). We have also implemented phishing protection and data loss prevention tools designed to enhance our cybersecurity throughout our information technology systems.
As part of our cybersecurity risk management processes, we regularly engage third-party service providers to assess our internal cybersecurity programs and compliance with applicable practices and standards.
Our cybersecurity risk management processes include assessing third-party risks and we regularly perform third-party risk assessments to help us identify and mitigate risks arising from our use of or partnership with third parties, such as vendors, suppliers, and other business partners. Third-party cybersecurity risks are also evaluated as part of our initial due diligence assessments upon engaging third-party providers, inclusive of potential fourth-party risks related to the handling and processing of employee, business, or customer data. In addition to due diligence procedures conducted during onboarding of new third-party providers, we perform annual risk assessments of key third-party providers, along with real-time assessments in accordance with our Incident Response Plan and procedures, as needed, to help us determine any potential impact to the Company from third-party cybersecurity incidents that come to our attention.
Our business necessitates the collection and storage of consumers’ PII. As such, cybersecurity and data privacy are a top concern for us. As a preventative measure, we have implemented certain policies and procedures that guide our day-to-day operations in these areas.
To date, the Company is not aware of risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business, business strategy, results of operations or financial condition. For additional information, see “Item 1A—Risk Factors—Risks Related to Our Business—Cyber-attacks and other security breaches could have an adverse effect on our business” and “Item 1A—Risk Factors—Risks Related to Our Business—Disruptions in the operation of our computer systems and third-party data centers could have an adverse effect on our business.”
Cybersecurity Governance
Cybersecurity is an area of focus for our Board of Directors and our management. The Audit Committee of our Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats and is informed about cybersecurity risks through presentations from our CIO and our Chief Technology Officer (“CTO”), and other members of our management responsible for day-to-day management and mitigation of cybersecurity risks, as well as through its direct participation in our ERM process, which holistically addresses risks faced by us, including cybersecurity risk.
Our cybersecurity risk management processes are led by members of our management team, including our CIO and our CTO, who hold degrees in Management Information Systems and Computer Science, respectively, along with an average of 21 years of prior work experience in various roles involving information technology, including cybersecurity, compliance, systems, and programming. These individuals are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategic processes described above, including the operation of our Incident Response Plan. The CIO and CTO report and provide updates to the Audit Committee on risks from cybersecurity threats quarterly or as needed.