Rocket Companies, Inc. - (RKT)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

Safeguarding information by securing our systems, data, and networks is a key priority for our business. Rocket Companies relies on our technology networks and systems, as well as those of certain third parties and affiliates, to collect, process, transmit and store information. We require the secure, efficient, and uninterrupted operation of those networks and systems to provide our clients with the best possible experience. With this in mind, we maintain an Information Security Program to protect the confidentiality, integrity, and availability of client information.

The Rocket Companies Information Security Program (“Program”) is managed by the Rocket Companies Chief Information Security Officer (“CISO”), who is responsible for the creation and execution of our information security strategy. The CISO has more than 30 years’ experience managing business risk and developing and implementing information security strategy.

Rocket Companies aligns its Program to the National Institute of Standards (NIST) Cybersecurity Framework. The Program is reviewed and updated through regular risk assessments, which identify reasonable and foreseeable internal and external risks. Rocket performs ongoing assessments of its Program to measure both the sufficiency of the safeguards to control risk and the design and operating effectiveness of our security requirements and controls. We implement information security policies throughout our operations, and our enterprise risk management (“ERM”) process considers information security risks alongside other company risks as part of our overall risk assessment process.

The Rocket Companies Vendor Risk Management Program extends our safeguards to third-party service providers. Our Vendor Risk Management Program includes a robust due diligence process to review and affirm on an initial and periodic basis that our third-party service providers protect our information with the same rigor we require of ourselves.

With respect to internal training and compliance, we spend significant time and resources to communicate the Program to all team members via annual trainings, ongoing communications, and periodic testing of team member capabilities.

The CISO is charged with the continuous evolution of the Program to address emerging threats and new technologies, ensuring that we can adapt to the ever-changing risk environment and those who seek to compromise our information. As such, the Program is regularly evaluated by both internal and external assessors to ensure its effectiveness by measuring its ability to prevent risk realization.

Cybersecurity Governance

Our Board oversees our Information Security Program and cybersecurity risks. This oversight includes receiving periodic management reports on cybersecurity and information security trends and regulatory updates, technology risks, and the implications for our business strategy.

On a periodic basis, the CISO provides reports and presentations to the Board, Audit Committee, and Rocket Senior Leadership, including the Rocket Risk Council. These CISO updates include recent industry developments, evolving standards, vulnerability assessments and technological trends. During 2023, the CISO updates included information regarding areas of increasing cybersecurity threats, the ongoing enhancements to our information security framework, processes to mitigate threats, and the results of a simulated cybersecurity incident tabletop exercise.

As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect Rocket Companies. However, there is no guarantee that we will not be subject to future threats or incidents. We deploy a monitoring program to detect potential threats and keep an incident response plan in place to respond if a security incident occurs. Additional information on cybersecurity risks we face can be found in Item 1A, Risk Factors, which should be read in conjunction with the foregoing information.