Ladder Capital Corp - (LADR)
10-K Filing Date: February 12, 2024
Item 1C. Cybersecurity
Ladder has a cybersecurity risk management program that is designed to assess, identify, manage, and govern material risks from cybersecurity threats. Our cybersecurity risk management program is also a key component of our overall risk management program.
To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. Refer to the risk factor captioned “Cybersecurity threats or other security breaches could cause significant business disruption and could possibly compromise sensitive information belonging to us or our employees, borrowers, clients and other counterparties, and along with the emerging use of artificial intelligence (“AI”), could harm our business and our reputation and subject us to regulatory scrutiny” in Part I, Item 1A. “Risk Factors” for additional information.
Ladder leverages a senior cybersecurity team (the “Cybersecurity Team”) comprised of the Chief Technology Officer (“CTO”), Chief Administrative Officer and General Counsel, Chief Compliance Officer and Senior Regulatory Counsel, as well as senior representatives from Ladder’s outsourced technology firm. The Cybersecurity Team maintains Ladder’s cybersecurity program, which is designed to identify, detect and manage cybersecurity risks. The Cybersecurity Team monitors technology trends and developments to inform improvements and adjustments to Ladder's information technology (“IT”) infrastructure and oversees the Company's various cybersecurity training initiatives.
The members of the Cybersecurity Team have extensive on-the-job experience in cybersecurity matters, sharing responsibility for cybersecurity, as well as for regulatory, compliance and/or IT. Ladder’s CTO has over 20 years of experience in the design, engineering, implementation, and management of information technology, including as the founder of an IT managed service provider for professional and financial services companies.
Ladder conducts routine risk assessments to identify cyber threats and vulnerabilities and assess the likelihood of occurrence and severity of the impact of such threats and vulnerabilities on the Company. Ladder regularly updates the risk assessment in order to inform Ladder’s cybersecurity program and controls and to prioritize risk mitigation and remediation in an evolving threat landscape. Ladder maintains cybersecurity policies and procedures designed to manage these risks and ensure that the Cybersecurity Team and other relevant employees are informed of cybersecurity incidents in a timely manner. These policies include incident response, data classification, physical and network security policies, remote access, record retention and secure destruction policies. The Cybersecurity Team conducts a formal evaluation of Ladder’s applicable policies and cyber risks and mitigants on at least an annual basis. Ladder’s outsourced technology firm, as well as internal auditors, participate in this evaluation.
Ladder also maintains processes designed to oversee and identify material risks from cybersecurity threats associated with our use of third-party service providers based on the service provider’s risk profile. Ladder does not generally maintain consumer data, and does not extensively leverage third parties to manage or process sensitive data. Most of the third parties that have access to sensitive information belonging to us or our borrowers, clients or other counterparties are lenders, law firms and other third parties that require such access in connection with Ladder’s commercial lending activities. These third parties tend to be highly regulated and generally maintain mature cybersecurity programs and data security controls. When Ladder leverages third-party service providers that collect or maintain sensitive information, Ladder conducts initial diligence on such third parties and conducts ongoing monitoring that includes annual due diligence questionnaires and contractual data security protections.
In addition to the policies and procedures discussed above, Ladder leverages industry standard third-party technology, tools and services to assist in monitoring, detecting and managing cyber threats, including managed security service monitoring, endpoint detection and response tools. Ladder also maintains other appropriate cybersecurity controls, including:
• Annual penetration testing by rotating third-party vendors;
• Vulnerability scans;
• Company-wide cybersecurity training, including quarterly phishing exercises;
• Tabletop exercises;
• Vendor cybersecurity diligence; and
• Cyber insurance.
The Audit Committee, on behalf of the board of directors, is responsible for oversight of the Company’s strategies to assess and mitigate cybersecurity risks, as set forth in the Audit Committee’s charter. The Audit Committee receives quarterly or as needed updates from the CTO regarding the cybersecurity risks the Company faces based on the current cybersecurity threat landscape, as well as the status of the measures undertaken by the Company to manage those risks.