STARWOOD PROPERTY TRUST, INC. - (STWD)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity.
We rely on information technology (“IT”) systems, including data hosting facilities and other hardware and software platforms, some of which are hosted by third parties, to assist in conducting our businesses. Our IT systems, like those of most companies, may be vulnerable to certain cybersecurity threats such as ransomware, interruption of services, data breaches, or any other cyber incident that could adversely impact our ability to operate its core business functions. As a financial services firm, we do not maintain a significant level of personally identifiable information data. Accordingly, our exposure to data breaches is more limited. In the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, cash flow or financial condition. However, we have, from time to time, experienced threats to and breaches of our data and systems, including malware and computer virus attacks.

We consider cybersecurity, along with other top risks, within our enterprise risk management framework. The enterprise risk management framework includes internal reporting at the business and enterprise levels, with consideration of key risk indicators, trends and countermeasures for cybersecurity and other types of significant risks. We have implemented a comprehensive cybersecurity program that employs various controls and activities aimed at identifying, protecting against, detecting, and responding to cybersecurity threats. These controls and activities include hardware and software inventory tracking, endpoint protection, and network security measures to safeguard our assets from unauthorized access and attacks. We
55

Table of Contents
prioritize data protection through data classification and access management designed to permit access only by authorized personnel. Our cybersecurity incident response plan, integrated into the enterprise risk management framework, outlines a structured process for handling information security incidents involving assets or data. It guides our computer security incident response team in containing, eradicating, and recovering from incidents while minimizing damage and disruption. The plan includes a clearly defined notification framework ensuring timely communication with business and management teams based on the incident’s severity and potential impact. Controls and related activities are designed taking into consideration recognized third party cybersecurity frameworks.

Oversight of cybersecurity is a joint responsibility of our Board of Directors and Audit Committee, with each receiving at least quarterly updates from management on our cybersecurity program, including measures taken to address cybersecurity risks and significant cybersecurity incidents. We also maintain a cybersecurity insurance policy to mitigate risks associated with cybersecurity incidents.

Our Chief Information Officer leads our overall cybersecurity function and is responsible for developing and implementing our information security program and managing our response to threats. In addition to our in-house cybersecurity capabilities, at times we also engage third parties to assist with assessing, identifying, and managing cybersecurity risks. Members of our IT security team, including the third party security firms we utilize as part of our program, have cybersecurity experience or certifications, such as the Certified Information Systems Security Professional certification.

We utilize on-premises and cloud-based security solutions, with real-time monitoring provided by specialized managed security services providers. These external managed security service providers collect events generated by critical systems in real-time, filters non-security events, and then correlates the information using security data analytical engines so that personnel can identify and analyze threats.

We also periodically perform simulations and tabletop exercises at a management level and incorporate external resources and advisors as needed. All employees are required to complete a monthly computer-based Security Awareness Training Program that includes various topics on cybersecurity risk management best practices. This program educates users to identify information security threats and what actions should be taken. Additionally, the employees are regularly tested with phishing campaigns reinforcing their awareness of email threats.

Annual risk assessments of our Information Security Program are conducted to identify emerging information security and third party risks. In addition, periodic vulnerability assessments and penetration tests are conducted throughout the year to support the identification of risks. We also conduct independent audits on both the design and operational effectiveness of security controls and consult with external advisors on best practices to address new challenges.

With respect to our software platforms that are hosted by third parties, we utilize an external vendor risk management platform is utilized to evaluate, rate, monitor and track vendor risk. The security practices and processes of the service providers are monitored regularly, and periodic audits are performed on the security adequacy and compliance of the service provider. For any of our hosted applications we require the vendor to maintain a System and Organization Controls (“SOC”) 1 or SOC 2 report. If a third party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis. Our assessment of risks associated with the use of third party providers is part of our overall cybersecurity risk management framework.