PennyMac Financial Services, Inc. - (PFSI)
10-K Filing Date: February 21, 2024
Cybersecurity Program
Our cybersecurity and related controls, policies and procedures (“Cybersecurity Program”) are critical business functions protecting our enterprise information systems, data and business operations from external and internal threats. The Cybersecurity Program prioritizes the detection, analysis, response to and prevention of known, anticipated or unexpected cybersecurity threats, with regular internal and third-party assessments and enterprise risk management governance reviews. The Cybersecurity Program is informed by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and is integrated into our overall enterprise risk management framework, along with our compliance requirements under federal and state cybersecurity and related regulations.
We have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, us, including our business strategy, results of operations or financial condition. Our Risk Factors include further detail about our material cybersecurity risks.
Our Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”) each have over 24 years of information systems experience and are primarily responsible for implementing the Cybersecurity Program and managing our information security personnel and consultants. The CIO has served in a variety of information technology leadership positions in the finance industry and holds a B.S. in Electrical Engineering. The CISO has served in a variety of cybersecurity operations, cybersecurity architecture and critical infrastructure cybersecurity enhancement programs in the finance industry, the utility industry and in government and holds a B.S. in Management Information Systems and Decision Sciences.
The Cybersecurity Program, which is integrated into our enterprise risk management framework, assesses, identifies and protects our enterprise information systems, data and business operations from various security threats and contains the following elements:
● Information Security Risk Assessment - Conducting internal and external risk and control assessments, quality control and assurance testing.
● Identity and Access Management - Managing enterprise identity and access control systems.
● Security Architecture - Managing security architecture, including secure code deployment standards, architecture security reviews and cybersecurity advisory support.
● Security Engineering - Designing, implementing and operating security technologies, including but not limited to malware protections, security event and incident management, data loss prevention and phishing defenses.
● Security Operations - Ensuring continuous operational coverage of security events and alerts, and maintaining and executing processes for triage, containment, investigation, escalation/communication and threat intelligence.
● Attack Surface Management - Managing vulnerability and patch management, network penetration testing, application security testing and exercises, including cyber-attack simulations and tabletop exercises with senior management, to detect control gaps.
● Third-Party Assessments - Coordinating, reviewing and analyzing third-party providers’ assessments of the Cybersecurity Program. Internal Audit may also perform a periodic cybersecurity program audit that may be supported by external consulting firms.
● Third-Party Service Provider Reviews - Identifying and reviewing material risks from cybersecurity threats associated with certain third-party service providers.
Cybersecurity Monitoring and Incident Reporting
We continuously monitor our enterprise information systems and user activity to detect anomalous activity and identify potential security-related incidents. Our cybersecurity monitoring and incident reporting program is informed by NIST guidelines and is monitored both internally and externally. When a potential cybersecurity incident is detected, we gather the information necessary to classify the incident by type and severity and activate containment plans and response teams appropriate to the nature of the incident. Cybersecurity incidents that may impact enterprise business operations, compromise critical systems or result in unauthorized access to critical data are escalated to the CISO and an internal incident response team composed of senior IT, business operations and compliance personnel, which coordinates any internal and external responses. The CISO and the internal incident response team also elevate any material cybersecurity incidents or unauthorized occurrences that jeopardize the confidentiality, integrity or availability of enterprise information to senior management and the board of directors.
Enterprise Risk Management Framework and Governance
The Cybersecurity Program is integrated with our enterprise risk management framework and is primarily managed by the CIO, the CISO, and other information security personnel and consultants, and is overseen by risk management, internal audit, senior management and the board of directors to ensure the confidentiality, integrity and availability of the Company’s enterprise information systems, data and business operations. The Cybersecurity Program utilizes specialized third-party cybersecurity service providers to periodically perform penetration testing across certain internet-facing and business critical applications as well as external and internal network penetration tests.
Our Enterprise Risk Management unit separately provides independent oversight and monitoring of the Cybersecurity Program through periodic quality control testing and regulatory compliance verification of the Cybersecurity Program’s controls. Our Internal Audit unit is an independent corporate function reporting to the board of directors’ Audit Committee that also reviews the effectiveness of the Cybersecurity Program and whether it is effectively integrated into our overall enterprise risk management framework. Additionally, our Enterprise Risk Management and Internal Audit units may from time to time separately engage consulting services to perform independent cybersecurity controls audits and provide expert guidance.
Board of Directors Oversight
The board of directors oversees our cybersecurity risks by periodically evaluating cybersecurity reports from senior management, including the CIO and CISO, as well as reports from the board committees and third-party consultants. The Risk Committee oversees our enterprise risk management framework including risks associated with data security, cybersecurity, IT infrastructure, and data privacy. The Audit Committee oversees the internal and external auditors’ review of our cybersecurity risks.
Management Oversight
Senior management’s Technology Committee includes the CIO, the CISO and other senior executives who oversee the Company’s enterprise IT infrastructure and ensure that our enterprise information systems are protected from internal and external cybersecurity threats by monitoring cybersecurity controls, risk assessments and information system reports. The Technology Committee, the CIO and the CISO periodically provide reports about our Cybersecurity Program to senior management’s Executive Committee and to the board of directors and its Risk Committee.