ALTISOURCE PORTFOLIO SOLUTIONS S.A. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

ALTISOURCE PORTFOLIO SOLUTIONS S.A. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 07:03:50 EST.

Filings

10-K filed on 2024-03-07

ALTISOURCE PORTFOLIO SOLUTIONS S.A. filed an 10-K at 2024-03-07 07:03:50 EST
Accession Number: 0001462418-24-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Board of Directors is responsible for the Company s risk management strategy and overseeing the Company s risk management program, of which cybersecurity is a critical element. The Chief Strategy and Technology Officer ( CSTO ) and the Chief Information Security Officer ( CISO ) are responsible for designing, implementing and administering the Company s cybersecurity risk management policies, processes and practices, business continuity planning and disaster recovery functions and activities. The CSTO and CISO meet on a quarterly basis with other members of Management as the Technology and Information Security Committee ( TIS Committee ) to review the Company s cybersecurity risk management, business continuity planning and disaster recovery strategy and performance. The Company s cybersecurity policies, standards, processes, and practices are based on recognized frameworks established by the National Institute of Standards and Technology ( NIST ), the International Organization for Standardization ( ISO ), applicable industry standards, and applicable data privacy and cybersecurity regulations. Annual technology and cybersecurity risk assessments are conducted to identify and evaluate applicable risks and controls designed to address such risks. In general, the Company seeks to identify, assess and manage material cybersecurity risks through a company-wide approach addressing the confidentiality, integrity, and availability of the Company s information systems and the information that the Company collects and processes. Cybersecurity Risk Management and Strategy The Company s cybersecurity risk management strategy focuses on several areas: Identification and Reporting: The Company has controls and procedures designed to identify, assess, manage and respond to cybersecurity threats and incidents, including fulfilling potential public disclosure or reporting requirements as may be applicable. 28 Table of Contents Technical Safeguards: The Company implements and maintains technical safeguards designed to protect the Company s information systems and data from cybersecurity threats, including perimeter and web application firewalls, proxy, intrusion prevention and detection systems, anti-malware, endpoint detection response functionality, data loss prevention systems, security incident event management, geo-blocking and access controls. Such safeguards are generally evaluated through internal security testing, third party penetration testing and vulnerability assessments, as well as outside audits and certifications, and revised as warranted. The Company seeks to comply with the cybersecurity framework guidelines issued by the NIST and ISO. Education and Awareness: The Company provides periodic, mandatory training for all levels of employees regarding information security, cybersecurity threats, business continuity planning and disaster recovery to equip Company employees with tools to address cybersecurity threats, and to communicate the Company s evolving information security policies, standards, processes and practices. Incident Response and Recovery Planning: The Company s Security Operations Center ( SOC ), reporting to the CISO, provides 24x7 incident monitoring. If an incident occurs which SOC determines qualifies as a critical risk according to predetermined criteria, the SOC engages an incident management team to assist with evaluating, responding to and managing the response of the incident. The Company has established and maintains comprehensive incident identification, containment, response and business continuity plans designed to respond to potential cybersecurity incidents. The Company conducts periodic drills and tabletop exercises to test these. Third-Party Risk Management: The Company conducts initial, and on a periodic basis, subsequent risk evaluations of vendors that satisfy certain preestablished criteria classifying such vendors as presenting higher potential cybersecurity risks based upon vendor access to or provision of information systems or data to the Company that present significant potential risks. The Company conducts periodic assessments of the Company s policies, standards, processes and practices. Summary results of such assessments are evaluated by the CISO to assist the Company in adjusting its cybersecurity policies, standards, processes and practices; the CISO reviews critical results with the TIS Committee. Governance The Board of Directors oversees the Company s risk management program, including the management of cybersecurity threats. The Board of Directors receives regular reports from the CTSO on cybersecurity threats and the Company s strategy to manage the risks associated with such threats. The TIS Committee provides Management oversight of the Company s cybersecurity risk management, business continuity planning and disaster recovery strategy and performance. To facilitate the success of the Company s cybersecurity program, cross-functional teams work with the CISO and SOC to address cybersecurity threats and respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and Management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and report such threats and incidents to the Board of Directors, as appropriate. The CISO has served in various roles in information technology, information security, and business continuity for over 20 years. The CISO holds undergraduate and graduate degrees in Information Systems Management and has attained the professional certification of Certified Information Security Manager from the Information Systems Audit and Control Association. Material Effects of Cybersecurity Incidents Previous cybersecurity incidents did not have, and are not reasonably likely to have, a material effect on the Company, including its business strategy, results of operations, or financial condition.

Company Information