TWO HARBORS INVESTMENT CORP. - (TWO)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
Our business is highly dependent on information technology. In the ordinary course of our business, we store sensitive data, including our proprietary business information and that of our business partners, and non-public personally identifiable information of mortgage borrowers, on our networks. The secure maintenance and transmission of this information is critical to our operations. Computer malware, viruses, ransomware and phishing attacks remain widespread and are increasingly sophisticated. We are frequently the target of attempted cyber threats. We continuously monitor and develop our information technology networks and infrastructure to prevent, detect, address and mitigate the risk of unauthorized access, misuse, computer viruses and other events that could have a security impact. Despite these security measures, our information technology and infrastructure may be vulnerable to attacks by hackers or breached due to employee error, malfeasance or other disruptions. Any such breach could compromise our networks and the information stored there could be accessed, publicly disclosed, lost or stolen. Such access, disclosure or other loss of information could result in legal claims or proceedings, liability under laws that protect the privacy of personal information, regulatory penalties, disruption to our operations or trading activities or damage to our reputation, all of which could have a material adverse effect on our business, results of operations and financial condition.
We recognize the importance of protecting our information and our information technology systems, and assessing, identifying and managing cybersecurity-related risks have been integrated into our risk management processes. We focus on information technology and cybersecurity measures at both an enterprise-wide operational level and an individual employee level. We have in place various methods and levels of information technology and cybersecurity measures which are aimed at protecting our information and information technology systems to help secure long-term value for our stockholders and other stakeholders. By way of example, these measures include the following:
•industry-standard targeted controls and security frameworks, including the National Institute of Standards and Technology (NIST), to protect our environment, including antivirus, antimalware, multi-factor authentication, complex and regularly changed passwords, email security and firewalls to protect our assets and our ability to maintain operations;
•use of technologies to help detect, identify and manage risks within our environments, including endpoint detection and response (EDR), security information and event management (SIEM) and vulnerability management;
•a formal cybersecurity incident response plan designed to respond to security incidents in a systematic and complete manner, which involves senior executives and external technical, legal and other resources, including an incident response retainer with our third-party security operations center;
•regularly monitoring and assessing our cybersecurity programs using external parties including a third-party security operations center, cyber maturity assessments, penetration tests and other targeted controls assessments;
•central systems backup processes and associated disaster recovery plans;
•membership in an information sharing and analysis center (FS-ISAC) so that we may stay informed about challenges specific to the financial services industry and contribute to the overall cybersecurity community; and
•employee training and awareness programs addressing cybersecurity and data privacy challenges we face in our industry.
The risk oversight committee of our board of directors is responsible for overseeing matters relating to our information technology and cybersecurity risk exposures and the steps our company takes to monitor and mitigate these risks. The risk oversight committee is briefed semi-annually by senior management and the Chief Information Security Officer, or CISO, on cybersecurity matters, or more frequently as the circumstances require. To assist the risk oversight committee, we also have established a security and privacy steering committee comprised of members of senior management and our CISO to oversee data privacy and cybersecurity matters. Our CISO has extensive information technology and program management experience, has served in the role since 2019 and has supported the company since 2015.