Better Home & Finance Holding Co - (BETR)
10-K Filing Date: April 08, 2024
Item 1C. Cybersecurity
We recognize the critical importance of maintaining the safety and security of our technology systems and data. Accordingly, the Company takes a comprehensive approach to identifying and managing cybersecurity risks that involves the Company’s information technology security team, senior management, Audit Committee and Board of Directors. Our cybersecurity risk management function is a component of our overall approach to risk management, which is implemented and overseen by our Enterprise Risk Management Committee.
Cybersecurity Governance
The Company’s information technology security team, led by our Chief Information Security Officer (“CISO”), is responsible for identifying, assessing, mitigating, and reporting on material cybersecurity risks to the Company’s senior management. The Company’s CISO, who has over 20 years’ experience in information technology, holds high-level licenses and certifications relating to information security, including the ISC2 CISSP.
The Company’s CISO regularly briefs the Company’s senior management, including the General Counsel and Chief Compliance Officer, who serves as Chair of the Enterprise Risk Management Committee, on cybersecurity trends and regulatory updates, technology risks, and implications for the Company’s business strategy. The Company’s CISO and senior management regularly update the Audit Committee on such trends, as well as on the Company’s information security and control effectiveness. In addition to regular reporting, the Company has procedures by which cybersecurity incidents are reported in a timely manner to senior management, including the CEO and other members of the executive team, who collectively determine if a specific cybersecurity incident warrants escalation to the Audit Committee and the Board of Directors. The Board of Directors oversees the Company’s cybersecurity policies and procedures through the Audit Committee, and also receives periodic briefings from senior management.
Cybersecurity Policies and Procedures
Under the direction of the Company’s CISO, the Company’s cybersecurity policies and procedures are designed to support the Company in identifying, protecting, detecting, responding to, and recovering from cybersecurity threats and incidents. Such policies and procedures are based upon the CIS v8 Framework, portions of the NIST Framework, ISO 27001, and industry practices, with key areas outlined below:
•Risk Management: Third party and internal risk assessments designed to help identify material cybersecurity risks to critical systems, data, services and general information technology environment, as well as regular testing to measure effectiveness of the risk assessments and controls. Reviews and testing of various controls are done on an annual basis within the Company. Third party vendors critical or material to the operation of the company are reviewed on an annual basis to ensure they continue to meet our security criteria. There is also a communication process in place to question third party vendors around specific or emerging vulnerabilities and zero days outside the annual review.
•Security Operations Center (SOC): Staffed by full-time employees and supplemented by an MSSP, the SOC provides 24/7 monitoring of, investigation of, and response to potential incidents, threats, or breaches.
•Education & Awareness: Information security training programs for all employees and contractors to inform and educate, with built-in quantitative testing for effectiveness.
•Risk Management Framework: A third party risk management framework, designed to identify, monitor, remediate and respond to third party cybersecurity risks and incidents. This framework includes a due diligence process that occurs before and during the engagements with third parties, and through the use of third party threat intelligence reports and feeds to monitor breaches and incidents.
•Incident Response & Recovery (IRR): Established, tested incident response and recovery policies and procedures utilized by the SOC and other key members of the IRR team to effectively respond to threats in a timely, consistent manner.
•Technical Controls: Technical and administrative checks and balances to safeguard information and systems, including firewalls, XDR, logging, and access controls.
These policies and procedures are reviewed and updated in connection with risk assessments, which identify reasonable and foreseeable risks. Third party and internal assessments are conducted annually to measure the effectiveness of safeguards, operating effectiveness of security measures, and to inform future considerations of the program. The Company implements security policies throughout its operations, and utilizes the enterprise risk management process designed to quantify, report, and plan to remediate identified cybersecurity risks.
Cybersecurity Risks and Threats
Although we have designed our cybersecurity governance and policies and procedures described above to mitigate cybersecurity risks, we face unknown cybersecurity risks, threats and attacks. To date, these risks, threats or attacks have not had a material impact on our operations, business strategy or financial results, but we cannot provide assurance that they will not have a material impact in the future. See the section entitled “Risk Factors” included elsewhere in this Annual Report for further information. We continuously work to enhance our cybersecurity risk management program.