NewtekOne, Inc. - (NEWT)

10-K Filing Date: April 01, 2024
ITEM 1C. CYBERSECURITY.

Risk Management and Strategy

NewtekOne maintains an enterprise-wide risk-management (“ERM”) framework to identify, measure, mitigate, monitor and report material risks to NewtekOne. Our ERM process includes participation by our senior management and employees across NewtekOne and its consolidated subsidiaries and is overseen by our Board. Cybersecurity has been identified among the material risks in our business and the following approach has been developed to address cybersecurity.

We have developed an enterprise-wide cybersecurity risk management system and strategy to safeguard our assets and operations, including the protection of the confidentiality of nonpublic, sensitive personal and business information and the integrity and security of our information systems, as follows:

Assessment, Identification, and Management of Material Risks:

1. Comprehensive Risk Assessments: We conduct regular and comprehensive assessments to identify potential cybersecurity risks to our organization. These assessments encompass internal systems, networks, applications, and data repositories, as well as external threats and vulnerabilities within the broader digital ecosystem.
2. Threat Intelligence Monitoring: We continuously monitor threat intelligence sources to stay abreast of emerging cyber threats and trends. This proactive approach enables us to anticipate potential risks and take preemptive measures to mitigate them.
3. Risk Prioritization: Following the assessment phase, we prioritize identified risks based on their potential impact on our operations, data integrity, confidentiality, and reputation. This risk-based approach allows us to allocate resources effectively and focus on addressing the most significant threats first.
4. Mitigation Strategies: We develop and implement robust mitigation strategies tailored to address specific cybersecurity risks. These strategies may include the deployment of technical controls, such as firewalls, intrusion detection systems, and encryption protocols, as well as the implementation of policies, procedures, and employee training programs to promote cybersecurity awareness and adherence to best practices.

Integration into Overall Risk Management System:

Our cybersecurity risk management processes are fully integrated into our overall risk management system and corporate governance framework. This integration ensures that cybersecurity considerations are embedded within our strategic decision-making processes and are aligned with our broader business objectives. By integrating cybersecurity into our overall risk management system, we promote a comprehensive approach to risk mitigation and resilience-building across the organization.

Engagement of Assessors, Consultants, and Auditors:

1. External Expertise: We recognize the value of external expertise in assessing and enhancing our cybersecurity posture. To complement the internal capabilities of our Chief Information Security Officer (“CISO”), Chief Technology Officer (“CTO”) and their team of professionals, we engage assessors, consultants, auditors, and other third-party experts with specialized knowledge in cybersecurity. These external stakeholders conduct independent assessments, penetration testing, vulnerability scans, and audits to evaluate the effectiveness of our cybersecurity controls and identify areas for improvement.
2. Continuous Improvement: The insights and recommendations provided by external assessors and consultants inform our ongoing efforts to strengthen our cybersecurity defenses. We prioritize the implementation of their recommendations, ensuring that our cybersecurity measures remain robust and adaptive to evolving threats.

Oversight of Third-Party Service Providers:

1. Vendor Risk Management: We recognize that third-party service providers may introduce additional cybersecurity risks to our organization. As such, we have established a vendor risk management program to assess and monitor the cybersecurity posture of our third-party vendors and partners.
2. Due Diligence: Prior to engaging with third-party service providers, we conduct due diligence assessments to evaluate their cybersecurity controls, practices, and compliance with industry standards and regulations. This due diligence process includes assessing the vendor's security policies, procedures, incident response capabilities, and contractual obligations related to cybersecurity.
3. Ongoing Monitoring: We continuously monitor the cybersecurity performance of our third-party vendors throughout the duration of our engagement. This includes regular assessments, audits, and compliance reviews to ensure that vendors adhere to agreed-upon cybersecurity standards and contractual obligations.
4. Remediation and Escalation: In the event that cybersecurity risks or deficiencies are identified within our third-party vendor ecosystem, we work collaboratively with the vendor to address and remediate these issues in a timely manner. Depending on the severity of the risk, we may escalate concerns to senior management or terminate the vendor relationship if necessary.

Governance

Our Board oversees material risks facing the Company. For some categories of risk, the Board has empowered a committee to provide more focused oversight. In the case of cybersecurity and technology risk, the Board’s Risk Committee has that responsibility.

The Risk Committee is informed of risks from cybersecurity threats through regular reports from the Company’s management, including our CISO and CTO. Our CISO and CTO, who are employees of our subsidiary NTS, oversee our cybersecurity risk management program. The CISO is chiefly responsible for developing, maintaining, and enforcing cybersecurity and cyber risk-related policies; ensuring the Company and its subsidiaries satisfy requirements of relevant regulations, industry standards, and third-party risk assessment requirements; keeping abreast of developing security threats, and helping both the Board and the Risk Committee understand potential security problems that might arise from the changing threat landscape; and overseeing and implementing regular security awareness training of all employees on cybersecurity, and supporting effective communication with users to limit security vulnerabilities. The CISO regularly reports to the Risk Committee, as well as the risk committee of the board of directors of Newtek Bank, on the state of our cybersecurity risk management program and provides updates on cybersecurity matters.

The Risk Committee also receives regular reports on how management identifies, assesses, and manages cybersecurity and broader technology risks. The Risk Committee reviews these reports and discusses them with management. The Risk Committee reports to the full Board on key aspects of management’s presentations on cybersecurity and broader technology risks. All members of the Board have access to written cybersecurity reports that are provided to the Risk Committee.

While our Board and Risk Committee oversee risk, our senior leadership is responsible for identifying, assessing, and managing our exposure to risks from cybersecurity threats. Accountability for our cybersecurity program is housed within our subsidiary NTS, which is led by our CTO. Reporting to our CTO is the CISO, the individual who provides day-to-day oversight of our cybersecurity program. Our CISO is responsible for assessing and managing material risks from cybersecurity threats, including monitoring the prevention, detection, mitigation and remediation of cybersecurity threats. Our CISO oversees a team that regularly communicates with respect to the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The CISO’s team consists of individuals who have the knowledge, skills and expertise to respond to a cybersecurity incident. Our CISO coordinates with the Company’s and our subsidiaries’ executive officers regarding potentially material cybersecurity incidents and regularly discusses with the Risk Committee the effectiveness of the Company’s technology security, capabilities for disaster recovery, data protection, cyber threat detection and cyber incident response, and management of technology-related compliance risks.

Our CISO is a Certified Information Systems Security Professional (CISSP) with decades of experience with technology in security, architecture, infrastructure and support in the financial, education and healthcare verticals. He is a results-driven leader who has managed multimillion-dollar projects and solutions to successful completion. Our CTO has over 25 years of experience in enterprise technology services with expertise in managed services, private cloud, service operations, and security. He is committed to driving reliability of services while prioritizing robust security measures.