Axos Financial, Inc. - (AX)
10-K Filing Date: August 22, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Our risk management processes and procedures include a cybersecurity risk management program as part of our multiple technical layers of defense. Through our cybersecurity risk management program, we have designed and implemented processes for identifying, assessing, preventing, and managing material risks from cybersecurity threats to our critical computer networks, third-party service providers, communication systems, hardware and software, and our critical data, including confidential company and customer information. As part of our cybersecurity risk management program, we evaluate our various technical layers of defense on an ongoing basis, including performing incident response planning, frequent vulnerability testing, vendor risk management, intrusion monitoring, and maintaining a security awareness program. We invest in our people, processes and systems and maintain partnerships with appropriate government and law enforcement agencies to help monitor cybersecurity threats as well as prevent and respond to cybersecurity incidents.
We may utilize various resources that we deem necessary based on actual or potential threats and vulnerabilities to Axos, including engaging independent third-party assessors, consultants and/or auditors to help evaluate the effectiveness of our cybersecurity risk management program, processes, and controls.
Our overall enterprise risk management includes a third-party risk management program, through which we identify, monitor, and manage cybersecurity risks inherent in or related to external service providers and other third parties. Through our business lines, we actively assess and oversee our third-party service providers against requirements set by our third-party risk management program and our cybersecurity risk management program.
We have not identified any cybersecurity incidents that have materially affected Axos or its business strategy, results of operations, or financial condition. However, we face ongoing cybersecurity risks which may materially affect the Company in the future. Refer to the Risk Factors section for additional information.
Governance
Our Board of Directors includes cybersecurity risk management as part of its general oversight function and oversees the cybersecurity risk management program and any identified cybersecurity risks and incidents. To facilitate its oversight, the Board of Directors receives regular updates from management on cybersecurity.
Our Chief Risk Officer has primary responsibility for our enterprise risk management program, including oversight of our cybersecurity risk management program. Our Chief Information Security Officer has primary responsibility for our cybersecurity risk management program and supervises the Company’s cybersecurity personnel. Both individuals have extensive work experience in various roles involving risk and compliance, including cybersecurity and information security.
The individuals involved in our cybersecurity risk management program are informed about developments in cybersecurity risks and related matters through a variety of channels inside the Company, including, but not limited to, briefings from internal teams and alerts and reports produced by various measures we may deploy, as well as information obtained from external sources in the government and private sector, including external third-party consultants retained by Axos.
Our Chief Information Security Officer and Chief Risk Officer report information on cybersecurity risks to the Board of Directors on a regular basis.