Ellington Financial Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Ellington Financial Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:42:12 EST.

Filings

10-K filed on 2024-02-29

Ellington Financial Inc. filed an 10-K at 2024-02-29 16:42:12 EST
Accession Number: 0001411342-24-000021

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity As discussed further in “Item 1. Business Our Manager and Ellington,” we are externally managed and advised by our Manager, an affiliate of Ellington. Our Manager does not have any employees and instead relies on the employees of Ellington to fulfill its obligations to us pursuant to a services agreement. Other than with respect to our majority-owned subsidiary Longbridge’s operations, we rely on Ellington s information systems in conducting our day-to-day operations. As such, we also rely on Ellington s processes for assessing, identifying, and managing material risks from cybersecurity threats. Ellington s cybersecurity processes and practices are integrated into Ellington s risk management and oversight program. In general, Ellington seeks to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that Ellington collects and stores by identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents when they occur. Longbridge s cybersecurity processes and practices are integrated into Longbridge s operational risk oversight program. In general, Longbridge also seeks to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that Longbridge collects and stores by identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents when they occur. Longbridge had over 400 employees as of December 31, 2023. Ellington’s Risk Management and Strategy Ellington s cybersecurity program is focused on the following key areas: Governance : As discussed in more detail below under “Governance, our Board of Directors oversight of cybersecurity risk management is supported by the Audit Committee of our Board of Directors (the Audit Committee ), which regularly interacts with our management team and other professionals who are responsible for assessing and managing material risks from cybersecurity threats at Ellington. Collaborative Approach : Ellington has implemented a cross-functional approach to identifying and evaluating, preventing, mitigating and remediating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents. Such escalation allows Ellington to make timely decisions regarding its response to such incidents and whether disclosure to senior management, our Audit Committee and/or the public is appropriate. Technical Safeguards : Ellington deploys technical safeguards that are designed to protect information systems from cybersecurity threats. These systems cover many facets of cyber security including identity protection, anti-virus and anti-malware defense, data loss prevention, endpoint protection (including managed detection and response services), patch and vulnerability management and others. Ellington regularly evaluates new technologies as the cyber security landscape evolves. Incident Response and Recovery Planning : Ellington has established and maintains incident response and recovery plans that we believe properly address the response to a cybersecurity incident or other business disruption. To the extent feasible, such plans are tested and evaluated on a regular basis. Third-Party Risk Management : Ellington follows a risk-based approach to identifying and overseeing cybersecurity risks presented by third-parties, including vendors, service providers and other external users of Ellington s systems, as well as the systems of third-parties that could adversely impact Ellington s business in the event of a cybersecurity incident affecting their systems. Third-party service providers are regularly evaluated by Ellington to assess their cyber security posture and general information technology practices to determine if they are suitable partners; where applicable, relevant certifications are obtained such as SOC 2 or ISO 27001. Education and Awareness : Ellington: (i) provides regular, mandatory cyber security training to all personnel to equip them with tools to identify and address cybersecurity threats; (ii) communicates evolving information security policies, standards, processes and practices to employees via email; (iii) delivers additional training to all users who have access to personally identifiable information on Ellington s processes for handling such information; and (iv) conducts regular, monthly phishing tests to assess user alertness, and retains a separate external cybersecurity vendor to conduct similar tests on an annual basis. Ellington’s technology team assesses the firm s cybersecurity and infrastructure postures regularly with two separate working groups one group, meeting weekly, focused on IT implementation and one group, meeting bi-weekly, focused on engineering integration. Both groups include senior members of the technology team. These meetings cover a broad range of topics including implementation planning for the deployment of new hardware and software, patch and vulnerability management, considerations for disaster recovery and business continuity, user access controls, data security and more. In such continued monitoring of its cybersecurity posture, Ellington conducts continuous depreciation of obsolete or unsuitable technology, including legacy hardware and software, has a robust patch and vulnerability management process, and has 71 Table of Content s personnel dedicated to the continued monitoring of new developments in threat actors activities in order to take preventative actions. Ellington also regularly engages third parties to perform assessments of Ellington s cybersecurity posture, including penetration testing, user access control reviews and independent reviews of Ellington s information security control environment, and operating effectiveness. The results of such assessments, tests and reviews are reported to the Audit Committee and our Board of Directors, and Ellington adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, tests and reviews, including the implementation of new software and technologies. To date, no risks from cybersecurity threats to Ellington have materially affected or are reasonably likely to materially affect the Company. While Ellington did experience two business email compromise incidents in recent years, neither had a material impact on our business strategy, results of operations or financial condition. Longbridge’s Risk Management and Strategy Longbridge s cybersecurity program is focused on the following key areas: Governance : As discussed in more detail below under “Governance, our Board of Directors oversight of cybersecurity risk management is completed through the Audit Committee, which regularly interacts with both our and Longbridge’s management teams who are responsible for assessing and managing material risks from cybersecurity threats at Longbridge. Collaborative Approach : Longbridge has implemented a cross-functional approach to identifying and evaluating, preventing, mitigating and remediating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents. Such escalation allows us to make decisions regarding its response to such incidents and whether disclosure to senior management, our Audit Committee and/or the public is appropriate. Technical Safeguards : Longbridge deploys technical safeguards that are designed to protect information systems from cybersecurity threats. These systems cover many facets of cyber security such as anti-virus and anti-malware defense, data loss prevention, endpoint protection (including managed detection and response services), patch and vulnerability management and others. Longbridge continuously evaluates new technologies as the cyber security landscape evolves. Incident Response and Recovery Planning : Longbridge has established and maintains incident response and recovery plans that we believe properly address the response to a cybersecurity incident or other business disruption. To the extent feasible such business disruption plans are tested and evaluated on a regular basis. Third-Party Risk Management : Longbridge maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of Longbridge s systems, as well as the systems of third-parties that could adversely impact Longbridge s business in the event of a cybersecurity incident affecting their systems. Third-party service providers are regularly evaluated by Longbridge to assess their cyber security posture and general information technology practices to determine if they are suitable partners; where applicable, relevant certifications are obtained such as SOC 2 or ISO 27001. Education and Awareness : Longbridge: (i) provides regular, mandatory cyber security training to all personnel to equip them with tools to identify and address cybersecurity threats; (ii) communicates evolving information security policies, standards, processes and practices to employees via a variety of communication methods; and (iii) conducts phishing tests to assess user alertness, and retains an external cybersecurity vendor to conduct similar tests on an annual basis. Longbridge’s technology team, and its operational risk management group, perform regular assessments of the firm s cybersecurity and infrastructure posture. These reviews cover a broad range of topics including implementation planning for the deployment of new hardware and software, patch and vulnerability management, considerations for disaster recovery and business continuity, user access controls, data security and Longbridge s threat monitoring services. In such continued maintenance of its cybersecurity posture, Longbridge conducts continuous depreciation of obsolete or unsuitable technology, including legacy hardware and software, has a robust patch and vulnerability management process, and has an external firm dedicated to the continued monitoring of new developments in threat actors activities in order to take preventative actions. Longbridge also regularly engages third parties to perform assessments of its cybersecurity posture, including cyber risk assessments, penetration testing, user access control reviews and independent reviews of Longbridge s information security control environment and operating effectiveness. The results of such assessments, tests and reviews are reported to our Audit Committee and Board of Directors, and Longbridge adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, tests and reviews, including the implementation of new software and technologies. 72 Table of Content s To date, no risks from cybersecurity threats from Longbridge have materially affected or are reasonably likely to materially affect our Company. Governance Our Board of Directors, through the Audit Committee, oversees our cybersecurity risk management process. Our Audit Committee receives regular presentations and reports on cybersecurity risks at both Ellington and Longbridge, each of which addresses a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. Each of Ellington and Longbridge employ internal or external resources whose responsibilities include oversight of their respective firm s cybersecurity posture. Ellington’s cybersecurity team is lead by Ellington’s outsourced Chief Technology Officer (the “CTO”), who is primarily responsible for assessing and managing material risks from cybersecurity threats to Ellington. The CTO has extensive experience in application development, database architecture, systems design, and third-party software integration. During his tenure at Ellington, the CTO has lead large technical efforts such as the development of Ellington s proprietary whole loan management system and the overhaul of Ellington s engineering infrastructure and development services. The CTO works closely with Ellington s head of Data Platform and Infrastructure (the “DPI Head”) to manage Ellington s infrastructure and cybersecurity posture. During his tenure at Ellington, the DPI Head has lead several critical efforts such as the revitalization of Ellington s hardware, networking and disaster recovery facilities, major improvements to Ellington s cybersecurity infrastructure, and the development and maintenance of Ellington s Data Engineering infrastructure. Ellington s Senior Systems Administrator (the “SSA”) works closely with both the CTO and the DPI Head to implement Ellington s cybersecurity program and infrastructure. The SSA is responsible for all systems and telecommunication design and implementation, with a focus on cybersecurity. The SSA ensures that Ellington’s systems are secure and resilient against cyber threats. Prior to joining Ellington in 1997, the SSA was a Senior PC Technical Support at Bear Stearns for seven years. The CTO, after consultation with others, including the DPI Head and the SSA, regularly provides an assessment of Ellington s cybersecurity posture and reviews Ellington s information technology roadmap with the Audit Committee. The CTO’s reports cover a range of topics including, at various times, a discussion of the primary cybersecurity risks facing Ellington, an overview of Ellington s cybersecurity program, common attack vectors and types, the primary functions of Ellington s cybersecurity program, how Ellington s cybersecurity programs are applied to critical cybersecurity areas, any recent cybersecurity incidents, Ellington s ongoing focus areas in its cybersecurity program, Ellington s employee education program, management of patches and system vulnerabilities, various threat detection methods, malicious activity monitoring, any new cybersecurity focus areas for Ellington, a review of Ellington s key technologies, Ellington s incident response procedures and Ellington s backup systems and redundancy and disaster recovery processes. Longbridge’s cybersecurity risk management and strategy is co-led by its Chief Operating Officer (“COO”) and its Vice President of Information Technology (“VP of IT”). Longbridge’s COO has extensive leadership experience with enterprise information technology in the mortgage banking industry, where he has held various executive roles, including Chief Privacy Officer and Chief Information Officer. Longbridge’s COO has developed and executed IT strategy, including cybersecurity programs, and helped achieve and maintain Sarbanes-Oxley compliance and SOC-2 certification. Longbridge’s VP of IT has extensive leadership experience with enterprise information technology, both in the banking and manufacturing industries. She has also developed and executed IT strategy, including cybersecurity programs and helped achieve and maintain Sarbanes-Oxley compliance. Longbridge’s COO, accompanied by its VP of IT, regularly discusses Longbridge s cybersecurity risks and posture, and its information technology roadmap, with the Audit Committee. In these reviews, Longbridge’s COO informs the Audit Committee of what Longbridge believes are the key focus items of Longbridge in its cybersecurity program and the COO and VP of IT provide an overview of their views of emerging threats, and any significant cyber response activities or incidents.

Company Information