REDWOOD TRUST INC 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

REDWOOD TRUST INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 07:27:35 EST.

Filings

10-K filed on 2024-02-29

REDWOOD TRUST INC filed a 10-K at 2024-02-29 07:27:35 EST
Accession Number: 0000930236-24-000009


Item 1C. Cybersecurity.

ITEM 1C. CYBER RISK MANAGEMENT, STRATEGY, AND GOVERNANCE DISCLOSURES

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical information technology ("IT") systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan and is one aspect of the overall set of policies, procedures and techniques that we employ at the Company to manage risk. Many of the mechanisms for identifying, managing and reporting on cybersecurity risk are integrated into the Company's broader policies and procedures relating to risk management; however, due to the unique nature of cybersecurity risk, key aspects of our cybersecurity risk management program are intended to function on a stand-alone basis, including to ensure rapid escalation and response to cybersecurity incidents.

Our cybersecurity risk management program includes:

- Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, operations, and our Company's overall IT environment;
- A team of IT professionals principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) together with our legal/compliance team, our response to cybersecurity incidents;
- Use of third-party service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls, including, without limitation, periodic penetration testing, network vulnerability and web application scanning, and system monitoring via System Information and Event Management ("SIEM") or other monitoring tools;
- Employee and contractor trainings on information security awareness, data privacy awareness, and phishing/social engineering mitigation, as well as periodic tabletop exercises involving IT professionals and executive management to review roles and responsibilities and walk through practical aspects of responding to cybersecurity incidents;
- A cybersecurity incident response plan that sets forth guidelines, policies and procedures for identification, escalation, containment, investigation, remediation, recovery, notification, legal compliance and related processes and actions in response to a cybersecurity incident; and
- A risk management process for third-party service providers, suppliers, and vendors, which includes criteria for risk-based categorization of these third parties and policies and procedures relating to assessing their cybersecurity practices prior to engagement and periodic monitoring during the course of engagement.

We design and assess our cybersecurity risk management program based on the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"), i.e., we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business, but our use of the NIST CSF as a guide does not mean that we meet the particular technical standards, specifications, or requirements of all of the NIST CSF.

We have not currently identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or that we believe are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For additional information about cybersecurity risk, refer to Part II, Item 7 of this Annual Report on Form 10-K generally and under the heading "Maintaining cybersecurity and complying with data privacy laws and regulations are important to our business and a breach of our cybersecurity or a violation of data privacy laws could result in serious harm to our reputation and have a material adverse impact on our business and financial results."

Cybersecurity Governance

As part of its risk oversight function, our Board, including through delegation to its Audit Committee, regularly receives risk management reporting from various officers of the Company responsible for different risk disciplines, including with respect to cybersecurity and IT risk, and oversees management's administration of our cybersecurity risk management program. For example, officers within our IT department provide periodic (generally at least once per quarter) reports from management to the Audit Committee related to cybersecurity, our cybersecurity risk management program and related risks, with copies of these reports also provided to our full Board. These reports supplement materials and presentations from outside experts that are also provided to our Board members from time to time as part of the Board's and Audit Committee's continuing education on risk oversight topics such as cybersecurity that impact companies in our industry and, more generally, publicly-traded companies.

In addition, management provides event-driven updates to the Audit Committee and Board regarding any material cybersecurity incidents and, as appropriate, any incidents with lesser impact potential. Under our cybersecurity incident response plan, our Chief Legal Officer is responsible for escalating to the Audit Committee and Board information regarding any material cybersecurity incident.

Our management team, including officers within our IT department, is responsible for assessing and managing our material risks from cybersecurity threats. Our IT department has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and the external cybersecurity consultants we retain.

The officers and employees of the Company who manage our IT function and our cybersecurity risk management program have significant experience, individually and collectively, and key members of our IT department hold industry certifications, including multiple individuals who are Certified Information System Security Professionals ("CISSP") and Certified Information Systems Auditors ("CISA"). Overall, we believe we have a team of IT professionals skilled in a range of disciplines related to the design and implementation of our cybersecurity program, as well as in assessing security controls and processes and addressing or remediating emerging threats and findings that are identified.

Members of our senior management team supervise our IT function and its efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents. In addition to day-to-day management, our senior management team's supervision of these efforts includes receiving and responding to briefings from IT personnel, updates on cyberthreat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and notification of significant alerts and reports produced by third parties and security tools deployed in our IT environment.


Company Information

Name: REDWOOD TRUST INC
CIK: 0000930236
SIC Description: Real Estate Investment Trusts
Ticker: RWT - NYSE, RWT-PA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30