Mr. Cooper Group Inc. - (COOP)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity

Cyber Risk Management and Strategy

Our cyber risk management and strategy has been incorporated into our compliance and risk management program across a number of verticals. For example, information security risk assessments are performed across our business processes, including, but not limited to, third-party services, vendors and systems that process sensitive data. We undergo external annual penetration assessments to evaluate susceptibility to attack, for example, through social engineering, application websites and system/network vulnerabilities. We aim to continuously evolve our information security program in response to the ever-changing landscape of best practices, industry-specific risks, company-specific risks, and potential threats. This evolution is also driven by validation tests in an effort to ensure our program remains robust and effective. In the wake of the October 2023 cybersecurity incident, we prioritized implementation of enhanced safeguards consistent with our incident response process and further fortified our commitment to information security.

We also have a process to evaluate third-party providers, which is designed to understand the potential risks and impact of threats to our supply chains as well as potential privacy risks associated with external data management. This process has multiple components and is designed to assess our providers' performance across several domains, including data security, asset management, communications and operations management, access control, business continuity management, financial, and legal compliance.

Considering the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants, and auditors, in evaluating and testing our risk management systems. These engagements allow us to leverage specialized knowledge and insights, including leading industry practices, to better inform our cybersecurity strategies and processes. Our collaboration with these third parties includes audits, threat assessments, and consultations to enhance our security measures.

In addition, we undergo several compliance audits annually, which include a SOX compliance audit and a SOC1 audit. Our approach to managing compliance-related risks includes maintaining a data loss prevention program, centralized compliance management, an identity management platform, ongoing Managed Security monitoring, threat and vulnerability monitoring, and information security risk insurance.

Governance Related to Cybersecurity Risks

The full Board of Directors conducts several reviews throughout the year in an effort to ensure that our cyber strategy and risk management is appropriate and prudent. It is the responsibility of the Board of Directors to understand and oversee our strategic plans, the associated risks, and the steps that our senior management team is taking to manage and mitigate those risks. Principal responsibility in this domain is shared by our Chief Risk and Compliance Officer, who has approximately 20 years of leadership experience in the financial services sector with an extensive background in the mortgage industry, and our Chief Information Officer, who has approximately 20 years of experience leading technology and product engineering functions.

Our Enterprise Risk Committee reviews and discusses cybersecurity, information security and data privacy risks at regular intervals. A quarterly Enterprise Risk Committee meeting is chaired by our Chief Risk and Compliance Officer and includes information security briefings led by the Chief Information Security Officer.

Mr. Cooper Group Inc. - 2023 Annual Report on Form 10-K

We also hold quarterly Audit and Risk Committee meetings, during which our Board of Directors receives briefings on information security matters. Risks that are identified during these processes are reviewed by executive leadership and corrective action plans are established to address and manage the issues, as applicable and appropriate.

We believe in a proactive approach to enterprise risk management. A major tenet of our cybersecurity program includes training to educate and inform team members on cyber hygiene and threat management as well as regular testing to check for understanding. We have invested in technology and dedicated internal resources to facilitate training for application developers, conduct tabletop exercises, run anti-phishing campaigns, and train on privacy regulations. These training activities, along with other key risk indicators, are tracked and reported to our Enterprise Risk Committee on a quarterly basis.

Recent Cybersecurity Activity

As previously disclosed on a Form 8-K dated November 2, 2023, as amended by the Form 8-K/As dated November 9, 2023, and December 15, 2023, on October 31, 2023, we experienced a cybersecurity incident in which an unauthorized third party gained access to certain of our technology systems and obtained personal information relating to substantially all of our current and former customers. Following detection of this incident, we initiated response protocols that included deploying containment measures involving shutting down certain systems as a precautionary measure. We notified law enforcement, regulatory authorities, and other stakeholders. We worked with our existing cybersecurity firms and retained additional cybersecurity experts to support our actions.

Our engagement with law enforcement and regulators, and defense of litigation, is ongoing. To assist our customers, we have offered identity protection services, including credit monitoring, to all of our current and former customers for two years.

The cybersecurity incident did not result in a misstatement to the interim consolidated financial statements previously filed or included in this Annual Report on Form 10-K. In addition, while we cannot presently quantify the full extent of remediation and legal expenses associated with this cyber-attack, we do not believe the incident has materially affected, or is reasonably likely to materially affect, our business strategy, results of operations, or financial condition.