OCWEN FINANCIAL CORP - (OCN)
10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We have established information security protocols aimed at the identification, assessment, and management of significant cybersecurity risks that could impact our vital information systems and confidential data. Our information security team employs a variety of methods to identify and evaluate cybersecurity risks, including risk and control self-assessments, vulnerability assessments and penetration testing, breach and attack simulations, ransomware table-top assessments, cyber threat intelligence review, as well as internal and external assessments.
To mitigate and manage these risks, we have implemented various technical, physical, and organizational safeguards. Depending on the environment or system, these include, for example, information security policies and procedures, perimeter security controls such as firewalls and intrusion prevention systems, identity and access controls such as multi-factor authentication and role-based access control, and server and endpoint security controls such as anti-malware. Where appropriate to the environment or system, we also use application security controls, data security controls including encryption, data loss prevention controls, immutable data backups, and security awareness programs.
These security measures are integrated into our broader enterprise risk management strategies. Cybersecurity risks identified through the processes described above under Item 1. Business - Risk Management are categorized according to our enterprise risk assessment guidelines and are tracked in a centralized enterprise risk system. Cybersecurity risks are regularly reviewed by our IT Risk Committee and Enterprise Risk and Compliance Committee (discussed further below). We also engage third-party service providers for assistance in identifying, assessing, and managing cybersecurity risks. In the past, these services have included external penetration testing, audit services, legal counsel, threat intelligence, forensic investigation, and managed security service providers.
In addition, we have processes in place for assessing and managing risks associated with third-party service providers. Vendors are categorized based on a set of criteria that assess the importance of their services and the sensitivity of the information they access. Depending on the nature of the services provided, the sensitivity of information systems and data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with the provider. We monitor third-party risks through due diligence questionnaires and periodic assessments, and we track the status of reported risks within our centralized risk governance framework.
In 2023 and 2024, cybersecurity incidents occurred involving our vendors and other contractual counterparties that did not materially and adversely impact our operations. We cannot assure that future incidents will not materially and adversely impact us. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part I, Item 1A. Risk Factors in this annual report on Form 10-K, including “Cybersecurity risks and the failure to maintain the security, confidentiality, integrity, and availability of our information technology systems or data, and those maintained on our behalf, could result in a material adverse impact to our business, including without limitation regulatory investigations or actions, a material interruption to our ability to provide services to our customers, damage to our reputation and/or subject us to costs, fines and penalties or lawsuits and otherwise adversely affect our operations.”
Cybersecurity Governance
Our Board of Directors addresses Ocwen’s cybersecurity risk management as part of its general oversight function. The Risk and Compliance Committee of the Board of Directors is responsible for overseeing Ocwen’s overall risk management processes, including cybersecurity-related risks, and receives regular updates from the Chief Information Security Officer (CISO) concerning Ocwen’s significant cybersecurity threats and the processes Ocwen has implemented to address them. The Chair of our Risk and Compliance Committee and our Lead Independent Director have each received training and certification from the National Association of Corporate Directors Cyber-Risk Oversight Program.
Our cybersecurity risk assessment and management processes are implemented and maintained by the CISO and the information security team. The CISO is responsible for cybersecurity staffing and for maintaining an up-to-date cybersecurity policy and process framework designed to promote a strong cybersecurity posture, drive security awareness, and facilitate a coordinated response to cybersecurity incidents. The IT Risk Committee, which is chaired by the Chief Information Officer (CIO) and includes the CISO, the Chief Risk and Compliance Officer (CRCO) and other executive leadership team members, reviews cybersecurity risks and initiatives on a periodic basis.
In addition to their decades of experience and qualifications in finance and management, our CIO holds a Bachelor’s Degree in Computer Engineering and a Master’s Degree in Computer Science; our CISO holds a Bachelor’s Degree in Electronics Engineering and has completed industry certifications including Certified Information Systems Auditor, Certified Information Systems Security Professional, and ISO 27001 Lead Auditor; and our CRCO has received training in financial services cybersecurity risk management for legal professionals. In addition, all Ocwen executives, along with employees generally, are required to refresh their cybersecurity and IT threat-recognition training annually, or more frequently if circumstances warrant.
Cybersecurity-related risk events are reported to Ocwen’s Enterprise Risk and Compliance Committee, an executive level management committee designed to assist the Chief Executive Officer and CRCO in executing our Enterprise Risk Management Program, including with respect to cybersecurity. The Enterprise Risk and Compliance Committee provides a formal governance and oversight infrastructure for identifying and monitoring cybersecurity risks and compliance-related issues facing Ocwen, which includes escalation to the Risk and Compliance Committee of the Board as appropriate.
In addition, our cybersecurity incident response processes are designed to escalate material cybersecurity incidents to members of management as part of the enterprise level Crisis Management Framework. The CISO, CIO, CRCO and senior operating unit leaders are part of the crisis management team in an effort to promote the prompt mitigation of cybersecurity incidents and facilitate the notification of appropriate stakeholders.