Walker & Dunlop, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Walker & Dunlop, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:51:38 EST.

Filings

10-K filed on 2024-02-22

Walker & Dunlop, Inc. filed a 10-K at 2024-02-22 16:51:38 EST
Accession Number: 0001558370-24-001538

Item 1C. Cybersecurity.

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program is guided by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

Key elements of our cybersecurity risk management program include, but are not limited to the following:

- risk metrics and self-assessments designed to help identify cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
- a security team principally responsible for managing: (1) our cybersecurity risk assessment processes, (2) our cybersecurity controls and processes, and (3) our response to cybersecurity incidents;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our cybersecurity controls and processes;
- periodic required cybersecurity awareness training of our employees;
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
- a third-party risk management process for key service providers, suppliers, and vendors.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Risk Factors, "If we fail to comply with laws, regulations and market standards regarding the privacy, use, and security of customer information, or if we are the target of a successful cyberattack, we may be subject to legal and regulatory actions and our reputation would be harmed."

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit and Risk Committee oversight of cybersecurity risks and the steps that management has taken to monitor and control exposure to such risks. The Audit and Risk Committee receives quarterly reports from our Chief Information Security Officer ("CISO") and our Chief Information Officer on our cybersecurity risks and meets in executive session with our CISO following such reports. In addition, management updates the Audit and Risk Committee, as necessary, regarding significant cybersecurity incidents.

The Audit and Risk Committee reports to the full Board regarding its activities, including those related to cybersecurity. In 2023, the full Board also received a presentation from a third-party expert on cybersecurity risks. Our management team, including our CISO, is responsible for assessing and managing our material risks from cybersecurity threats.

In 2023, we established an information technology risk committee comprised of senior managers in our information technology, loan origination, loan servicing, accounting, and legal groups that meet monthly to review information security risks and the development and implementation of policies and procedures and other controls to mitigate cybersecurity and other information security risks. Our CISO provides a report to our management risk committee on the activities of the information technology risk committee, which committee, in turn, reports regularly to the full Board on its activities.

The CISO manages a team of employees, which has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. The CISO brings over 30 years of technology, cybersecurity, and risk management experience from the finance and healthcare industries. His work experience includes the design, implementation, and oversight of control and governance frameworks in complex, hybrid-cloud, and data intensive environments operating in highly regulated entities in the financial services and healthcare insurance industries.

Our information security management team is informed about and monitors efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in our information technology environment.


Company Information

Name: Walker & Dunlop, Inc.
CIK: 0001497770
SIC Description: Finance Services
Ticker: WD - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30