Regional Management Corp. - (RM)
10-K Filing Date: February 22, 2024
We recognize the importance of maintaining the security of our electronic networks, information systems, and data. We face significant and persistent cybersecurity threats, including risks heightened by the numerous geographies that we serve; our reliance on complex information networks; remote work among certain of our employees; reliance on digital operations to service certain of our customers; and our use of third-party software and services. Our vendors and customers also face cybersecurity threats. A cybersecurity incident impacting our company or any of our vendors or customers could materially adversely affect our operations and/or financial condition. To protect against and prevent cybersecurity incidents, we employ a comprehensive approach where our Board and management teams work together to oversee our cybersecurity program. We are committed to maintaining robust cybersecurity oversight, controls, and strategies that are designed to help us assess, identify, and manage cybersecurity risks.
Our Board includes members with skills and experience in cybersecurity, technology, and innovation. The Board ultimately oversees cybersecurity risks and evaluates such risks as part of our enterprise risk management (“ERM”) program. As part of our ERM processes, we utilize a formal corporate risk and governance structure that sets out the roles, responsibilities, and expectations of the various parties involved throughout our company in risk mitigation and management. The Risk Committee of the Board is responsible for approving and periodically reviewing and assessing the effectiveness of our ERM policies and procedures. The Risk Committee also assists the Board in its oversight of risks related to cybersecurity by regularly engaging with management and/or third-party consultants to assess the cyber threat landscape; evaluate our information security program; review the results of penetration testing; and analyze the design, effectiveness, and ongoing enhancement of our capabilities to monitor, prevent, and respond to cyber threats and events. The Risk Committee generally meets with management and/or third-party consultants regarding cybersecurity matters on a quarterly basis. Any material developments are reported by the Risk Committee to the Board. Further, any cybersecurity incidents deemed to have a high impact on our business are also generally reported to the Board, regardless of materiality.
Our Senior Director of Information Security (the “SDIS”), who holds a graduate degree in cybersecurity and several industry-leading cybersecurity certifications, is responsible for our overall information security program including strategy, security engineering, cyber threat detection, and response. The information security team managed by our SDIS contains certified cybersecurity professionals with broad experience and expertise in cybersecurity threat assessment and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats, and regulatory compliance, among other areas. The information security team continually evaluates our cybersecurity posture, which aligns with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) industry standard, and makes ongoing investments in our networks, in addition to performing regular testing of our environment.
In addition, we engage third-party consultants to conduct evaluations of the operational effectiveness of our security controls. These consultants perform penetration testing on our cybersecurity practices and procedures on an annual basis.
Third-party risk is assessed as part of our information security program and includes risk-tiered criteria for due diligence. Contractually, data-handling third parties are required to uphold all applicable rules, laws, and regulations in addition to, when applicable, notifying us of cybersecurity events that may negatively impact us or our data.
We also require all employees to perform annual cybersecurity training. We expect our employees to follow our company-wide policies and procedures relating to cybersecurity matters, which include policies related to IT security, remote access, multifactor authentication, use of the internet and social media, and handling of confidential information, among other items. Additionally, while we have insurance coverage in place designed to address certain aspects of cyber risks, such insurance coverage may be insufficient to cover all insured losses or all types of claims that may arise.
While we have not, as of the date of this Form 10-K, experienced a cybersecurity incident that has materially affected our business strategy, results of operations, or financial condition, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us in the future. See Item 1A. “Risk Factors” for information about our cybersecurity risks.