AG Mortgage Investment Trust, Inc. 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

AG Mortgage Investment Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 08:31:16 EDT.

Filings

10-K filed on 2024-03-11

AG Mortgage Investment Trust, Inc. filed a 10-K at 2024-03-11 08:31:16 EDT
Accession Number: 0001514281-24-000033


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company’s business is highly dependent on the communications and information systems of our Manager, its affiliates and third-party service providers. Our Manager is an affiliate of TPG Inc. (“TPG”), a leading global alternative asset management firm.

We, in conjunction with our Manager and its affiliates, have adopted processes designed to identify, assess and manage material risks from cybersecurity threats. These processes include responses to and assessments of internal and external threats to the security, confidentiality, integrity and availability of the Company’s data and systems along with other material risks to its operations, at least annually or whenever there are material changes to our systems or operations. As part of the risk management process, TPG engages outside providers to conduct periodic internal and external penetration testing. TPG has informed us that it uses NIST Cybersecurity Framework and CIS Critical Security Controls as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. This does not imply that TPG, its affiliates or we meet any particular technical standards, specifications, or requirements. TPG stores data, including the Company’s data, in cloud environments with security that we believe is appropriate for the data involved and has adopted controls around, among other things, vendor risk assessment, access and acceptable use and backup and recovery.

The Company utilizes certain third-party service providers to perform a variety of functions in the operation of its business. TPG has processes to oversee and identify material risks associated with the use of third-party service providers, taking into account the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider.

As of the date of this report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition. Refer to “Item 1A. Risk Factors” in this Annual Report on Form 10-K, including “Risks Related to our Company, Business, and Operations - Cybersecurity risks may cause a disruption to our operations, a compromise or corruption of our confidential information, and/or damage to our business relationships, all of which could negatively impact our business,” for additional discussion about cybersecurity-related risks.

Governance

Our Board of Directors holds oversight responsibility over the Company’s strategy and risk management, including material risks related to cybersecurity threats. This oversight is executed directly by the Board of Directors and through its committees. The Board regularly engages in discussions with management regarding the Company’s risk assessment and risk management policies. In addition, the Audit Committee of our Board of Directors (the “Audit Committee”) oversees the management of systemic risks, including cybersecurity, in accordance with its charter. The Audit Committee engages in regular discussions with management regarding the Company’s significant financial risk exposures and the measures implemented to monitor and control these risks. Our Board of Directors, including the Audit Committee, is briefed on our Manager’s information security program and cybersecurity risks at least once each year and as needed in connection with any potentially material cybersecurity incidents.

The Chief Information Security Officer reports at least annually to our Board of Directors, including the Audit Committee, and such report may address overall assessment of the Company’s compliance with this and other cybersecurity policies, including topics such as risk assessment, risk management and control decisions, service provider arrangements, test results, security incidents and responses, and recommendations for changes and updates to policies and procedures.

As an externally managed company, we rely on our Manager and its affiliates’ information systems in connection with our day-to-day operations. Consequently, we also rely on the processes for assessing, identifying, and managing material risks from cybersecurity threats undertaken by TPG. TPG has established an Enterprise Risk Committee (“ERC”) to manage overall risk across the organization including cybersecurity risks identified by TPG’s cybersecurity team; the ERC includes representatives from relevant functions and is led by TPG’s Chief Executive Officer. TPG has also established an Operational Risk Committee (“ORC”) responsible for applying the policy decisions of the ERC. Operational responsibility for ensuring the adequacy and effectiveness of our Manager’s risk management, control and governance processes is assigned to TPG’s Chief Information Security Officer, who periodically reports, among others, potentially material cybersecurity incidents to the ORC and, in coordination with the Chief Information Officer and Head of Operations, reports to the ERC at least annually.

The Chief Information Security Officer leads TPG’s cybersecurity team, which includes individuals dedicated to incident detection and response. This team is responsible for identifying threats that can impact the organization, including the Company, and designing controls to mitigate vulnerabilities before they are exploited and to detect and neutralize any threats that do materialize.

The Chief Information Security Officer and Chief Information Officer each have more than 20 years of experience in their fields. The Chief Information Security Officer and senior members of the cybersecurity team hold industry standard certifications.


Company Information

Name: AG Mortgage Investment Trust, Inc.
CIK: 0001514281
SIC Description: Real Estate Investment Trusts
Ticker: MITT - NYSE, MITT-PA - NYSE, MITT-PB - NYSE, MITT-PC - NYSE
Category: Accelerated filer, Smaller reporting company
Fiscal Year End: December 30