PennyMac Mortgage Investment Trust - (PMT)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity

Cybersecurity Program

Our and our Manager’s cybersecurity and related controls, policies and procedures (“Cybersecurity Program”) are critical business functions protecting our and our Manager’s enterprise information systems, data and business operations from external and internal threats. The Cybersecurity Program prioritizes detection, analysis and response to, and prevention of, known, anticipated or unexpected cybersecurity threats, with regular internal and third-party assessments and enterprise risk management governance reviews. The Cybersecurity Program is informed by the National Institute of Standards and Technology’s (“NIST”) cybersecurity framework standard, which our Manager uses to assist with our overall enterprise risk management framework, along with our compliance requirements under federal and state cybersecurity and related regulations. We have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, us, including our business strategy, results of operations or financial condition. Our Risk Factors include further detail about our material cybersecurity risks.

Our Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”) each have over 24 years of information system experience and are primarily responsible for implementing the Cybersecurity Program and managing our information security personnel and consultants. The CIO has served in a variety of information technology leadership positions in the finance industry and holds a Bachelor of Science in Electrical Engineering. The CISO served in a variety of cybersecurity operations, cybersecurity architecture, and critical infrastructure cybersecurity enhancement programs in the finance industry, the utility industry and in government and holds a Bachelor of Science in Management Information Systems and Decision Sciences.

The Cybersecurity Program is integrated into our and our Manager’s enterprise risk management framework that assesses, identifies and protects our and our Manager’s enterprise information systems, data and business operations from various security threats and contains the following elements:

Information Security Risk Assessment - Conducting internal and external risk and control assessment, quality control and assurance testing.
Identity and Access Management - Managing enterprise identity and access control systems.
Security Architecture - Managing security architecture, including secure code deployment standards, architecture security reviews, and cybersecurity advisory support.
Security Engineering - Designing, implementing and operating security technologies, including but not limited to malware protections, security event and incident management, data loss prevention, and phishing defenses.
Security Operations - Ensuring continuous operational coverage of security events and alerts, maintaining and executing processes for triage, containment, investigation and escalation/communication and threat intelligence.
Attack Surface Management - Managing vulnerability and patch management, network penetration testing, application security testing and exercises, including cyber-attack simulations and tabletop exercises with senior management to detect control gaps.
Third-Party Assessments - Coordinating, reviewing and analyzing third-party providers’ assessments of the Cybersecurity Program. Internal Audit may also perform a periodic cybersecurity program audit that may be supported by external consulting firms.
Third-Party Service Provider Reviews - Identifying and reviewing material risks from cybersecurity threats associated with certain third-party service providers.

Information Security Monitoring and Incident Reporting

We and our Manager continuously monitor our enterprise information systems and user activity to detect anomalous activity and identify potential security-related incidents. Our cybersecurity monitoring and incident reporting program is informed by NIST guidelines and is internally and externally monitored. When a potential cybersecurity incident is detected, we and our Manager gather the necessary information to classify the incident by type and severity and activate containment plans and response teams depending on the nature of the incident. Cybersecurity incidents that may impact enterprise business operations, compromise critical systems or result in unauthorized access to critical data will be escalated to the CISO and an internal incident response team composed of senior IT, business operations and compliance personnel to coordinate any internal and external responses. The CISO and the internal incident team will also elevate any material cybersecurity incidents or unauthorized occurrences that jeopardize the confidentiality, integrity or availability of enterprise information to senior management and the board of trustees.

Enterprise Risk Management Framework and Governance

The Cybersecurity Program is integrated with our and our Manager’s enterprise risk management framework and is primarily managed by the CIO, the CISO, and other information security personnel and consultants, and is overseen by risk management, internal audit, senior management and the board of trustees to ensure the confidentiality, integrity and availability of the Company’s enterprise information systems, data and business operations. The Cybersecurity Program utilizes specialized third-party cybersecurity service providers to periodically perform penetration testing across certain internet-facing and business-critical applications as well as external and internal network penetration tests.

Our and our Manager’s Enterprise Risk Management unit separately provides independent oversight and monitoring of the Cybersecurity Program through periodic quality control testing and regulatory compliance verification of the Cybersecurity Program’s controls. Our Internal Audit unit is an independent corporate function reporting to the board of trustees’ Audit Committee that also reviews the effectiveness of the Cybersecurity Program and whether it is effectively integrated into our and our Manager’s overall enterprise risk management framework. Additionally, our and our Manager’s Enterprise Risk Management and Internal Audit units may from time to time separately engage consulting services to perform independent cybersecurity controls audits and provide expert guidance.

Board of Trustees Oversight

The board of trustees oversees our cybersecurity risks by periodically evaluating cybersecurity reports from senior management, including the CIO and CISO, as well as reports from the board committees and third-party consultants. The Risk Committee oversees our enterprise risk management framework including risks associated with data security, cybersecurity, IT infrastructure, and data privacy. The Audit Committee oversees the internal and external auditors’ review of our cybersecurity risks.

Management Oversight

Senior management’s Technology Committee includes the CIO, the CISO and other senior executives who oversee the Company’s enterprise IT infrastructure and ensures that our enterprise information systems are protected from internal and external cybersecurity threats by monitoring cybersecurity controls, risk assessments and information system reports. The Technology Committee, the CIO and the CISO periodically provide cybersecurity reports about our Cybersecurity Program to senior management’s Executive Committee and the board of trustees and its Risk Committee.