Cherry Hill Mortgage Investment Corp 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Cherry Hill Mortgage Investment Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 16:16:04 EST.

Filings

10-K filed on 2024-03-07

Cherry Hill Mortgage Investment Corp filed an 10-K at 2024-03-07 16:16:04 EST
Accession Number: 0001140361-24-011952

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Company s information security program is designed to protect the security, confidentiality, integrity and availability of the Company s sensitive and personal information and client information. Employing a risk-based approach, the program systematically identifies, assesses and implements safeguards that seek to mitigate cybersecurity threats and secure the Company s information assets, including those of our sub-servicers. The program is informed by the National Institute of Standards and Technology Cybersecurity Framework and is shaped by the legal requirements derived from authoritative sources such as the Gramm-Leach-Bliley Act and its implementing regulations and guidelines, as well as Freddie Mac s mandates from the office of Federal Housing Enterprise Oversight. Additionally, the program is guided by relevant state laws and regulations. Periodically, the Company, as it reasonably deems necessary, will identify and categorize potential cybersecurity threats and vulnerabilities, determine acceptable risk tolerance for each such threat and vulnerability and implement adequate mitigation controls. At the senior executive level, the Chief Financial Officer ( CFO ) is entrusted with the day-to-day oversight of the program s development, implementation, and maintenance. To help facilitate Company-wide compliance with the plan, the Company, as well as its subservicers, provide ongoing training to the appropriate employees. 42 Table of Contents The CFO is responsible for ensuring that the board of directors comprehends the Company s risk profile and receives periodic updates on the program and its policies. Our current CFO is Michael Hutchby. Mr. Hutchby has a B.A. in Economics from The Johns Hopkins University and an M.B.A. from the Stern School of Business at New York University. Mr. Hutchby was appointed the Company’s CFO, Treasurer and Secretary in June 2019 and previously served as the Company’s Controller from October 2013 to June 2019. As mentioned above, the CFO is responsible for the initial assessment and management of potential incidents. Furthermore, the Company has established a response plan that serves as the foundation for addressing unauthorized cybersecurity occurrences from both a technical and regulatory perspective. The Cybersecurity Response Team ( CRT ), comprised of the CFO, Manager of Information Technology ( MIT ) and other personnel, as each may designate, are responsible for leading all incident management and response activities. The MIT assumes a crucial role in overseeing and managing the technical facets of the CRT while the CFO provides strategic direction and decision-making, facilitating communication with other members of senior management, and disseminating pertinent information to the board of directors. In conjunction with the aforementioned plans, the Company conducts an annual business impact analysis to identify the critical business functions that are required by the Company to sustain business operations and potential impacts to the Company if any those critical functions are disrupted. Deriving from the analysis, the Company maintains a business continuity and disaster recovery plan to coordinate business recovery to resume any disrupted critical business operations. In the event of a critical cybersecurity business disruption, the President of the Company may activate the business continuity plan to implement risk-based strategies devised to maintain business continuity against distributed denial of service attacks or malware. To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company. Please refer to Item 1A. Risk Factors Risks Related to Our Business We are highly dependent on information systems and third parties, and systems failures or cybersecurity incidents could disrupt our business .

Company Information