Pagaya Technologies Ltd. 10-K Cybersecurity GRC - 2024-04-25

Page last updated on April 25, 2024

Pagaya Technologies Ltd. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-25 08:55:23 EDT.

Filings

10-K filed on 2024-04-25

Pagaya Technologies Ltd. filed an 10-K at 2024-04-25 08:55:23 EDT
Accession Number: 0001883085-24-000060

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy Our information security program is designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and our customer data ( Information Systems and Data ). The information security program is overseen by our Chief Information Security Officer ( CISO ), who manages a team responsible for leading enterprise-wide cybersecurity policy, standards, architecture, and processes. As an organization that has become increasingly interconnected, we have defined a set of cybersecurity principles designed to support the continuous improvement of our overall information security measures, utilizing technology and controls to protect our core assets, infrastructure, Information Systems and Data throughout the entire life cycle of our business. In addition, we are aligned with the SOC 2 Type 2 standard and we are ISO 27001:2013, ISO 27017:2015 & ISO 27018 (2019 certified). Our assessment and management of material risks from cybersecurity threats are integrated into the Company s overall risk management processes. For example, (1) cybersecurity risk is addressed as a component of the Company s enterprise risk management program and identified in the Company s risk register (2) the CISO works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business and (3) our Technology Risk Committee evaluates material risks from cybersecurity threats against our overall business objectives and reports to the Risk Committee, which evaluates our overall enterprise risk. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example threat intelligence providers, cybersecurity consultants and software providers, managed cybersecurity service providers, penetration testing service providers, dark web monitoring service providers, and forensic investigators. In addition, our third party risk management program manages cybersecurity risks associated with our use of third-party service providers that perform a variety of functions throughout our business, such as software-as-a-service providers, hosting companies, distributors, and supply chain resources. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify associated cybersecurity risks. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including Cyberattacks, security breaches or similar compromise of our information technology systems, or those of third parties upon which we rely, or our data could adversely impact our brand and reputation and our business, operating results and financial condition . Governance Our CISO periodically reports risks from cybersecurity threats to our Chief Executive Officer and other senior management members, as well as to our Board of Directors. The Board s Risk Committee provides oversight of risks from cybersecurity threats, including performing a review of all cybersecurity incidents and risks on a quarterly basis, as well as the processes the 67 Table of Contents Company has implemented to address them. The Risk Committee also has access to various reports, summaries or presentations related to cybersecurity threats, risk, and mitigation. Our information security program consists of processes and controls around access control, authorization, auditing, and monitoring, and is supported by our cyber security tech ecosystem, all of which is designed to protect our business flows and Information Systems and Data. Our cyber governance program is led by our CISO, who has more than 20 years of experience in the cyber security field, working for different enterprise organizations, holding multiple patents in the field and has vast knowledge and proven experience in both the technology and risk management domain of cybersecurity. Our CISO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, and communicating key priorities to relevant personnel. Our CISO is also responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident processes are designed to escalate material cybersecurity incidents to members of the executive team depending on the circumstances, who will then work with our incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified, in addition to notifying the Risk Committee, as appropriate.

Company Information