NEW YORK MORTGAGE TRUST INC - (NYMT)
10-K Filing Date: February 23, 2024
Item 1C. CYBERSECURITY
We, together with our third-party vendors, employ information technology including networks, systems, and applications to support our business processes and decision-making across the Company. Our information technology is interconnected to support the flow of information across our business processes. As such, our information technology infrastructure is susceptible to cybersecurity threats. We monitor our information security procedures and risk management systems and implement initiatives aimed at improving our cybersecurity measures. Our process for assessing, identifying, and managing information security risks includes:
• Internalization of Information Security Management. We have internalized our information security oversight by hiring a full-time Head of Information Technology who has over 20 years of experience in managing information technology and guiding organizations through technology strategy, cybersecurity risk mitigation, information technology process improvement initiatives and digital transformations. He also possesses relevant experience in improving a company's cybersecurity posture and data privacy policies. He holds a Bachelor of Science degree in Information Systems and oversees all of our information security initiatives, assesses cybersecurity risks, provides cybersecurity solution plans, identifies opportunities for the implementation of additional cybersecurity procedures and provides cybersecurity training to our employees and executives.
• Third-Party Consultant. We engage a third-party information security consultant to assist in managing our risk posture. This consultant conducts periodic tests and analyses of our defensive and detective information security controls, including annual penetration tests and risk assessments as well as regular vulnerability scans and assessments. The consultant also provides live, interactive annual information security training to our employees and monitors the effectiveness of such training through quarterly phishing campaigns. The consultant also assists us in managing cybersecurity risks associated with third-party service providers by administering a due diligence questionnaire for the Company's third-party service providers that includes a cybersecurity risk assessment and provides guidance for remediation of security gaps.
• Current Plans and Procedures. The Company has implemented an incident response plan ("IRP") and a Business Continuity Plan ("BCP"). The IRP establishes the organization, actions and procedures for recognizing and responding to information security incidents; assessing incidents; notifying the appropriate individuals, regulators or organizations about any incident; organizing the Company's response activities; escalating the Company's response efforts to named executive officers and the Board of Directors based on the severity of the incident; and supporting the business recovery efforts made in the aftermath of any incident. The IRP is designed to minimize the operational and financial impacts of an information security incident and is designed to be activated when a local incident responder determines that an incident has occurred. Similarly, our BCP provides details on information security incident response and subsequent business recovery actions.
• Risk Identification and Mitigation. The Company aims to identify and mitigate information security risks using the National Institute of Standards and Technology Cybersecurity Framework (the "NIST Framework"). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST Framework as a guide to help us identify and mitigate information security risks relevant to our business. The Company seeks to identify potential risks through various software programs which perform asset and patch management; monitor desktops, laptops and servers; map networks and inventories; and audit file servers. The Company aims to protect itself from potential risks through the implementation of software programs which provide protective measures such as single sign-on, multi-factor authentication, content filtering, disk encryption, regular patches and insider threat protection. The Company has implemented a suite of software programs to detect information security events, plans to respond to information security events in accordance with the IRP and BCP, and aims to take proactive steps to recover from information security events through its Disaster Recovery Plan.
• Insurance. We maintain an information security risk insurance policy.
• Enterprise Risk Assessment. The Company completes an annual enterprise risk assessment that includes cybersecurity risks and mitigants. The results of the enterprise risk assessment are shared with the Board of Directors on an annual basis.
• Implemented Programs for a Hybrid Work Environment. We have implemented initiatives relating to mobile device management, cloud storage services, endpoint protection, and identity and access management. For example, we have implemented a service that focuses on mobile device management and mobile application management, as well as data classification and file server data loss protection measures. We have further implemented endpoint protection and endpoint detection and response, which provide visibility designed to identify unauthorized systems and applications.
• Ongoing Monitoring. Our information security procedures are designed to evolve as information security risks and considerations change over time.
Our Board of Directors exercises oversight of information security risk primarily through the Audit Committee. The Head of Information Technology regularly provides information security updates to named executive officers and briefs our Board of Directors or Audit Committee on relevant information security issues at least twice a year. We also provide periodic cybersecurity training for members of our Board of Directors.
As of the date of this Report, though the Company and our service providers have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company. However, we acknowledge that cybersecurity threats are continually evolving and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology systems could have significant consequences for our business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible. For further discussion, please see the risk factors titled "Maintaining cybersecurity and data security is important to our business and a breach of our cybersecurity or data security could result in serious harm to our reputation and have a material adverse impact on our business and financial results" and "We are highly dependent on information and communication systems and system failures and other operational disruptions could significantly disrupt our business, which may, in turn, materially adversely affect our business, financial condition and results of operations and our ability to make distributions to our stockholders" in Part I, Item “1A. Risk Factors” in this Annual Report on Form 10-K.