MFA FINANCIAL, INC. - (MFA)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
We strive to assess, identify and manage material risks associated with cybersecurity threats. Our information technology (or IT) department, led by our Chief Technology Officer, is responsible for day-to-day management of potential cybersecurity risks. As part of its management of cybersecurity risks, the IT department designs and implements technology projects and conducts regular Security Awareness Training of the Company’s employees, which includes simulated cyber threats and phishing exercises. If a cybersecurity threat is identified, the IT department conducts a preliminary investigation and assessment of such risk, and brings the risk to the attention of our Chief Technology Officer. Our Chief Technology Officer then works with our IT Steering Committee, which comprises certain members of our executive management, and our legal personnel, to continue the assessment and make the final determination as to the materiality of such risk. Our IT department, management, and necessary or appropriate third parties collaborate with one another in designing and implementing the response and remediation plan with respect to cyber risks.
We have developed an Information Security Program which is designed to, among other things, protect the confidentiality of our data, protect against threats or hazards to our IT systems, safeguard our data resources in a manner consistent with applicable laws and regulations, contractual obligations and industry standards, and maintain our IT systems to meet our operational needs. The Information Security Program is part of our risk management program, which is overseen by our Audit Committee (and our Board of Directors more generally), which receives updates from our Chief Technology Officer on cybersecurity risks and related matters on a quarterly basis and otherwise as may be needed.
We follow industry standards for cybersecurity risk mitigation, including anti-virus/anti-malware protection, detection and response technologies, intelligent logging and event management, and regular penetration testing and remediation. We use our own monitoring and detection, as well as emerging threat intelligence sources, in our efforts to improve protections from threats and improve internal processes based on cyber threats and risks that are impacting other companies. Our security posture is further enhanced through the use of third-party tools and services providing full-time monitoring and threat response.
Our third-party management policy is designed to assess and mitigate potential risk posed by vendors and outside service providers. An initial risk assessment is performed to evaluate multiple aspects of a relationship, such as impact to cybersecurity, access to our systems and data, and criticality of the relationship to our day-to-day operations. The program defines oversight requirements based on the results of the risk assessment. Critical vendors and service providers are reviewed annually and otherwise as may be needed.
To date, we have not experienced a cybersecurity threat or incident that has materially affected or is reasonably likely to materially affect the Company or its business strategy, results of operations or financial position; however, we have faced and continue to face a number of cybersecurity risks in connection with our business. We continue to invest in the cybersecurity and resiliency of our IT systems and to work to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see Item 1A. “Risk Factors – Cybersecurity Risks.”
Governance
Our Board of Directors is responsible for our cyber risk oversight, as part of our risk management framework. Our management, primarily through our Chief Technology Officer, provides updates to the Board on a quarterly basis and otherwise as may be needed regarding material matters with respect to cyber risk assessment and overall status regarding our IT systems and controls, including cybersecurity threats during the previous quarter and risks from such threats, strategies and recommendations to mitigate risk from such threats, cybersecurity incidents that have occurred, industry updates, and policy and process recommendations. Our management also coordinates with our IT department to help ensure that cyber risks are integrated into our overall risk identification, management and mitigation strategies, subject to our Board’s guidance.
As described above, our Chief Technology Officer works with our IT Steering Committee and other members of senior management, including our staff, in assessing the materiality of a cyber risk after a preliminary assessment by our IT department. If a cyber risk is material, our Chief Technology Officer will bring such risk to our Board’s attention.
Our Chief Technology Officer has served in various roles in IT and information security for over 20 years. In addition, members of the IT department involved in Information Security have an average of 15 years of experience in cybersecurity as well as relevant educational experience.