AGNC Investment Corp. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

AGNC Investment Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 17:09:50 EST.

Filings

10-K filed on 2024-02-22

AGNC Investment Corp. filed an 10-K at 2024-02-22 17:09:50 EST
Accession Number: 0001423689-24-000005

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We maintain an active cybersecurity risk management and strategy program to address the risks of cybersecurity threats to our business. Our cybersecurity program aligns with the NIST Cybersecurity Framework, and we conduct reviews of its effectiveness on a regular basis through annual testing, periodic third-party evaluations of our processes and controls, and ongoing surveillance. This program involves the use of cybersecurity tools to identify, protect, detect, respond, and recover from cybersecurity threats. Additionally, we engage with third-party cybersecurity consultants and other professional advisors to gain insight and knowledge into emerging threats, industry trends and emerging practices. Annually, we review cybersecurity risk in the context of our overall enterprise risk management assessment. As a component of these processes, our management 21 team, including our Senior Vice President and Chief Technology Officer, identifies and assesses the likelihood and magnitude of risks, on both inherent and residual basis. These evaluations inform our overall cybersecurity strategy. Our business operations depend significantly on third party service providers. We have processes in place to evaluate the operational and cybersecurity risks posed to us by third parties on whom we are reliant for these services at the inception of our engagement, and we annually review third-party firms that pose the greatest risks to our business and operations from cybersecurity threats. Nonetheless, we rely on the third parties we use to implement security programs commensurate with their own risk, and we cannot ensure that their efforts will be successful. Our primary business involves investments in mortgages and mortgage instruments, but we do not perform mortgage servicing, maintain customer accounts, or provide any direct mortgage lending. Nor do we receive personal information on individual mortgage borrowers as part of our regular operations. However, our business is highly dependent on the availability of information systems, and a cybersecurity incident, if one were to occur, could have the potential to disrupt our operations. Please refer to Risks Related to Our Business Operations in Item 1A. Risk Factors of this Form 10-K for a further discussion of the risks posed by cybersecurity threats. Governance and Oversight The Audit Committee of the Board of Directors has responsibility to oversee management s strategy to address risks from cybersecurity threats. The Audit Committee periodically reviews with management the Company s policies, controls, and procedures used to identify, mitigate, and manage cybersecurity risks. To accomplish this objective, we have established processes for reporting cybersecurity risks to the Audit Committee of the Board of Directors on a quarterly basis. This report, which is prepared by our Senior Vice President and Chief Technology Officer, includes performance as against key performance indicators (KPIs) and service level objectives specifically defined to measure the effectiveness of our cybersecurity controls and risk management efforts, current threat landscape, and strategy. In addition, on an annual basis the Company s Senior Vice President and Chief Technology Officer presents to the Audit Committee on cybersecurity matters, including material changes to the Company s information systems, policies and controls, the results of penetration and other testing and findings from any third-party reviews. Our Audit Committee is committed to maintaining a well-informed and cybersecurity-aware posture, regularly engaging by receiving scheduled and requested updates on our strategy to address risks from cybersecurity threats and the evolving threat landscape. The Board of Directors also is appraised of cybersecurity risks as part of its review of management s annual enterprise risk management assessment. Management plays a pivotal role in identifying, assessing, and managing material risks from cybersecurity threats. This involves continuous monitoring, analyzing emerging threats, and the development and implementation of risk mitigation strategies. Led by our Senior Vice President and Chief Technology Officer with over 20 years of cyber and risk management experience, the Company actively implements and enforces cybersecurity policies, procedures, and strategies, including employee training programs, security assessments, and updates to ensure alignment with our evolving threat landscape.

Company Information