Ready Capital Corp - (RC)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity

We recognize the importance of implementing and maintaining robust cybersecurity measures designed to safeguard the confidentiality, integrity and availability of our data and systems. We seek to prevent or reduce risks by providing a prompt, effective, and skillful response to cybersecurity threats. As a critical component of our overall risk management process, we have adopted a framework that shares existing methodologies, reporting channels and governance processes to identify, assess, manage and report cybersecurity threats on an ongoing basis. This risk management process is led by our Incident Response Team (“IRT”), which is comprised of the Company’s Chief Technical Officer, Chief Financial Officer, Chief Executive Officer and Chief Investment Officer, General Counsel, and Head of Infrastructure, who is responsible for assessing and managing cybersecurity risks, subject to the oversight of our Board. In particular, our Head of Infrastructure is an experienced information technology professional with over 20 years of experience in the industry, including oversight of our cybersecurity department. Certain members of the IRT report to our Board on a quarterly basis regarding the external threat environment, steps taken by us to address and mitigate cybersecurity risks as well as updates on our readiness to prevent, detect, respond and recover from a potential cybersecurity incident (“Incident”).

In the event of an Incident, the IRT is authorized to take the appropriate steps deemed necessary to identify, assess, contain, mitigate, and resolve the Incident including by (a) maintaining (i) the Company’s Incident Response Plan in the event of an Incident, (ii) the Company’s Written Information Security Policy which governs information technology security policies, and (iii) the Company’s Business Continuity Plan designed to keep all major business systems in operation in the event of an Incident or other disaster (b) regularly monitoring all Company systems and user accounts for any suspected Incidents (c) performing quarterly audits on all Company systems and user accounts (d) and general cybersecurity awareness and data protection training for our employees. In addition, depending on the circumstances of an Incident, we may engage third parties such as insurance carriers, outside legal counsel, forensic investigators, crisis communications or public relations firms, investor relations firms and response vendors and we may coordinate with regulators or law enforcement. We also assess third party risks when determining the selection and oversight of applicable third-party service providers.

Increased cybersecurity risk due to the diversification of our data across external service providers and cyber Incidents may adversely affect our business by causing a disruption to our operations, compromise our confidential information and/or damage to our business relationships, all of which could negatively impact our financial results. As of the date of this Form 10-K, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our financial position, results of operations and/or business strategy. While we have not, as of the date of this Form 10-K, experienced a cybersecurity threat or Incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an Incident in the future where we may be unable to implement effective preventative measures in a timely manner.

Further discussion of the potential impacts on our business from cyber intrusions is provided in “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.