Invesco Mortgage Capital Inc. - (IVR)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity.
Cyber threats are considered one of the most significant risks facing financial institutions. Since our company is externally managed, we rely upon the operational and investment risk oversight functions of our Manager and its affiliates. To mitigate risk from cyber threats, our Manager has a designated Global Chief Security Officer (“GCSO”) who leads the global security department that is responsible for identifying, assessing, and managing cybersecurity threats. The GCSO has experience in the public and private sectors, specializing in security, investigations, and incident response. The global security department oversees the following groups across Invesco: Information Security, Global Privacy, Business Continuity & Crisis Management, Resilience and Corporate Security. This converged security structure supports a more comprehensive, holistic approach to keeping our and Invesco clients, employees, and critical assets safe, upholding privacy rights, while enabling a secure and resilient business.
Our Manager’s information security program is led by its Chief Information Security Officer (“CISO”) who reports directly to the GCSO and has extensive experience specializing in information security and risk management. Our Manager’s information security program is designed to oversee all aspects of information security risk and seeks to ensure the confidentiality, integrity, and availability of information assets, including the implementation of controls aligned with industry guidelines and applicable statutes and regulations to identify threats, detect attacks and protect its and our information assets.
Our Manager's cybersecurity program includes the following:
• Proactive assessments of technical infrastructure and security resilience are performed on a regular basis, which include penetration testing, offensive testing and maturity assessments.
• Conducting due diligence on third-party service providers regarding cybersecurity risks prior to on-boarding, periodic assessment of cybersecurity risks for third-party service providers and continuous monitoring for new third-party cybersecurity incidents.
• An incident response program that includes periodic testing and is designed to restore business operations as quickly and as orderly as possible in the event of a cybersecurity incident at Invesco or a third-party incident.
• Mandatory annual employee security awareness training, which focuses on cyber threats and security in general.
• Regular cyber phishing tests throughout the year to measure and raise employee awareness against cyber phishing threats.
Important to these programs is our Manager’s investment in threat-intelligence, its active engagement in industry and government security-related forums, and its utilization of external experts to challenge its program maturity, assess its controls and routinely test its capabilities.
Our Board of Directors oversees cybersecurity risk and receives updates, at a minimum, twice a year from the CISO regarding cybersecurity, which updates include a review of our Manager’s global security program and cybersecurity, including risks and protections for us and our Manager. The Global Operational Risk Management Committee, one of our Manager’s risk management committees, provides executive-level oversight and monitoring of the end-to-end programs dedicated to managing information security and cyber related risk. In addition, the CISO serves as a member of and provides quarterly updates to our company’s enterprise risk management committee, which in turn provides quarterly updates to our Board of Directors, and members of our management team are included in our Manager’s incident response process in the event a cyber security incident occurs that could materially impact us.
As of December 31, 2023, we have not experienced any cyber incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition.