UWM Holdings Corp - (UWMC)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
We recognize the critical importance of maintaining the safety and security of our technology systems and data and have a holistic process for overseeing and managing cybersecurity and information technology related risks. This process is supported by both management and our Board. The Audit Committee (the “Audit Committee”) of our Board has oversight of the Company’s risk management program, and cybersecurity is a component of our overall approach to risk management.
Our cybersecurity policies, standards, processes and practices are integrated across our operational risk management programs and are based on industry recognized frameworks. A cybersecurity threat is any potential unauthorized occurrence, on or conducted through, our information systems that may result in adverse effects on the confidentiality, integrity or availability of our information systems or any information residing therein.
Cybersecurity risk management and strategy
As one of the critical elements of our overall risk management program, our cybersecurity program is focused on the following key areas:
• Technical & Administrative Safeguards: We deploy technical and administrative safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are regularly evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
• Incident Response & Recovery Planning: We have established and maintain incident response and recovery plans that set out our response procedures for a wide range of cybersecurity incidents, and such plans are tested and evaluated on a regular basis.
• Third-Party Risk Management: We maintain a preemptive and comprehensive risk-based approach to identifying and overseeing potential cybersecurity risks presented by third parties, including our vendors, service providers and other external users of our systems. We conduct cybersecurity assessments of third-party vendors that we engage with in our operations, which take place both upon initial engagement and annually, in order to identify and evaluate potential vulnerabilities, including on-site visits for evaluation of certain core operational third-party vendors. In addition, our agreements with material vendors, including subservicers, contain indemnification provisions with respect to cybersecurity matters.
• Independent Assessments with Outside Consultants: In addition to the broad capabilities of our internal information security team, we also engage various outside consultants, including contractors, auditors, and other third parties, to, among other things, conduct independent assessments and regular testing of our networks and systems to identify vulnerabilities through penetration testing, while also measuring and advising on potential improvements to our incident prevention, response and documentation procedures.
• Team Member Education & Awareness: We provide in-depth training to new team members, as well as annual, mandatory training for all team members regarding cybersecurity threats as a means to equip our team members with effective tools to identify and prevent cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.
Governance & Personnel
Our Board has delegated to the Audit Committee the responsibility for monitoring and overseeing our cybersecurity and other information technology risks, controls, strategies and procedures. The Audit Committee periodically evaluates our information security strategies to ensure effectiveness and, if appropriate, may also include a review from third-party consultants and experts. Our Senior Vice President and Chief Information Security Officer (“CISO”) presents to and engages with the Audit Committee and the Board at least semi-annually, and more frequently as needed. Our CISO updates the Audit Committee and the Board on matters regarding information security policies and procedures and cybersecurity risk management strategy. In addition, the full Board may review and assess cybersecurity risks as part of its responsibilities for our risk management oversight.
In addition, we have a Risk Committee comprised of our top executives from across UWM, including our Chief Executive Officer, Chief Risk Officer, Chief Operating Officer, Chief Financial Officer and Chief Accounting Officer, Chief People Officer, CISO and several other leaders across our legal, operational and reporting functions. The Risk Committee meets every month to discuss and address management of the risks facing our business. Technological risk is a regular component analyzed by our Risk Committee to identify and assess potential cybersecurity risks across our business operations.
Our Information Security team, led by our CISO, has a combined six decades of experience in information technology and cybersecurity. Furthermore, our CISO holds a number of certifications, including CISSP (Certified Information Systems Security Professional), serves on the CISO ExecNet Advisory Council and is active in a number of information security communities and groups. The Information Security team conducts periodic assessment and testing of our policies, standards, processes and practices that are designed to address a multitude of potential cybersecurity threats and incidents. These efforts include penetration testing multiple times throughout the year, adoption and regular evaluation of incident response plans and procedures, regular team member email phishing test campaigns, email security monitoring, real-time vulnerability scanning and intrusion detection, team member cybersecurity awareness programs, regular audits and evaluations of internal and third-party systems, and continuous improvement of the information security management system.
Our CISO works collaboratively with leaders of each of our business operations teams to implement programs designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with incident response and recovery plans. We maintain a cyber incident response plan to timely, consistently, and compliantly address cybersecurity threats that may occur despite the Company’s safeguards. The response plan covers preparation, detection and analysis, containment and investigation, notification (which may include timely notice to the Board if deemed material or appropriate), eradication and recovery, and incident closure and post-incident analysis. Through ongoing communications with management, our CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and reports such threats and incidents to our executive management and the Audit Committee when appropriate.
We face ongoing and constantly developing risks from cybersecurity threats that, if realized, may materially affect our business strategy, results of operations, and financial condition. For more information regarding cybersecurity-related risks that could materially affect our business strategies, results of operations, or financial condition, please see Item 1A in this Form 10-K under the headings “We may not be able to detect or prevent cyberattacks and other data and security breaches, which could adversely affect our business and subject us to liability to third parties.” and “Technology disruptions or failures, including a failure in our operational or security systems or infrastructure, or those of third parties with whom we do business, could disrupt our business, cause legal or reputational harm and adversely impact our results of operations and financial condition.”