Angel Oak Mortgage REIT, Inc. 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

Angel Oak Mortgage REIT, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 16:40:22 EDT.

Filings

10-K filed on 2024-03-15

Angel Oak Mortgage REIT, Inc. filed an 10-K at 2024-03-15 16:40:22 EDT
Accession Number: 0001766478-24-000018

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Angel Oak Capital, an affiliate of our Manager, has engaged a third-party managed information technology service provider (the IT Service Provider ), to serve as Angel Oak Capital s dedicated information technology manager. We have no employees and are externally managed by our Manager, an affiliate of Angel Oak Capital, and as such rely on our Manager for the implementation and execution of our risk management program, and, as it pertains to the assessment, identification, and management of material risks from cybersecurity threats, our Manager relies on the IT Servicer Provider. As an affiliate of Angel Oak Capital, our Manager is subject to and participates in the cybersecurity policies and procedures of Angel Oak Capital. The IT Service Provider provides Angel Oak Capital a system and organization controls report on itself consistent with SOC 2 as part of annual reviews of the IT Service Provider. As part of its overall enterprise risk management program, Angel Oak Capital has developed an information security framework (the Cybersecurity Program ). The purpose of the Cybersecurity Program is to mitigate the risks associated with unauthorized attempts to access Angel Oak Capital s (including our) network for unintended purposes. The Cybersecurity Program is used to assess and understand risks involving information systems and to provide controls and procedures for mitigating those risks and promptly responding to cybersecurity threats and incidents. The IT Service Provider has implemented processes and procedures to assess, identify, manage and protect against material risks from cybersecurity threats including 24/7 network monitoring, ongoing vulnerability and penetration assessments, and employee security awareness training. The IT Service Provider provides Angel Oak Capital with regularly scheduled status reports, including summaries of vulnerabilities, any cybersecurity threats or incidents and the status of responses, and meets with Angel Oak Capital s Chief Operating Officer and Angel Oak Capital s Head of Information Technology (the Head of IT ) on a regular basis to review the reports and the IT Service Provider s services. In addition, the IT Service Provider and Angel Oak Capital have established a notification and escalation framework, based on the severity of a cybersecurity threat or incident, to determine when and to whom the IT Service Provider will provide 51 notifications regarding cybersecurity threats or incidents. The framework includes notification to the Head of IT. Depending on their nature, incidents may also be reported to members of our management, the Audit Committee of our Board of Directors and to our full Board of Directors, as appropriate. In addition to its engagement of the IT Service Provider, we and/or Angel Oak Capital may engage other third parties, including auditors and consultants, to perform assessments or audits of our and/or its cybersecurity policies and procedures and/or to assist with the evaluation of a cybersecurity threat or incident, among other matters. As of the date of this filing, we have not experienced any risks from cybersecurity threats that have materially affected, or are reasonably likely to materially affect, us, including our business strategy, results of operations or financial condition. However, future threats or incidents could have a material impact on our business strategy, results of operations or financial condition. For a discussion of the risks we face from cybersecurity threats, including those that could materially affect us, see Item 1A. Risk Factors Risks Related to Our Company Maintaining cybersecurity and data security is important to our business and a breach of our cybersecurity or data security could result in serious harm to our reputation and have a material adverse impact on our business and financial results and We are highly dependent on information systems, and system failures could significantly disrupt our business, which may, in turn, have a material adverse effect on us. We maintain a cybersecurity insurance policy to mitigate risks associated with cybersecurity incidents. Governance Our Board of Directors holds oversight responsibility over our risk management process, including material risks related to cybersecurity threats. Our Board of Directors administers this oversight function through its committees, including the Audit Committee and the Affiliated Transactions and Risk Committee. A key part of the Audit Committee s responsibility is overseeing the cybersecurity program. Certain representatives of Angel Oak Capital, including our Manager, periodically report to the Audit Committee as well as to the full Board of Directors, as appropriate, on cybersecurity matters, primarily through presentations by the Head of IT. Such reporting includes updates on the Cybersecurity Program as it impacts us, the reports and services provided by the IT Service Provider, the external threat environment, risk management strategies and any cybersecurity threats or incidents. Presentations to the Audit Committee or the full Board of Directors may also be provided from time to time by the IT Service Provider or another third party firm providing cybersecurity-related services for us or Angel Oak Capital, including our Manager, as deemed necessary or appropriate. The Audit Committee reports to the full Board of Directors regarding its activities, including those related to cybersecurity. In addition, the Cybersecurity Program provides for the notification and escalation of identified cybersecurity threats and incidents, with different severity thresholds triggering notification to different recipient groups, including, as appropriate, to members of our management, the Audit Committee and to our full Board of Directors. In the event we or Angel Oak Capital, including our Manager, experiences a cybersecurity incident that materially affects, or is reasonably likely to materially affect, us, members of our management and of our Manager would review the incident with the Audit Committee to consider whether and to what extent disclosure would be required under Item 1.05 of Form 8-K.

Company Information