ALTISOURCE PORTFOLIO SOLUTIONS S.A. 10-K Cybersecurity GRC - 2026-03-04

Page last updated on March 4, 2026

ALTISOURCE PORTFOLIO SOLUTIONS S.A. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-04 07:08:34 EST.

Filings

10-K filed on 2026-03-04

ALTISOURCE PORTFOLIO SOLUTIONS S.A. filed a 10-K at 2026-03-04 07:08:34 EST
Accession Number: 0001462418-26-000019

Item 1C. Cybersecurity.

The Board of Directors is responsible for the Company's risk management strategy and overseeing the Company's risk management program, of which cybersecurity is a critical element. The Chief Strategy and Technology Officer ("CSTO") and the Chief Information Security Officer ("CISO") are responsible for designing, implementing and administering the Company's cybersecurity risk management policies, processes and practices, business continuity planning and disaster recovery functions and activities. The CSTO and CISO meet on a quarterly basis with other members of management as the Technology and Information Security Committee ("TIS Committee") to review the Company's cybersecurity risk management, business continuity planning and disaster recovery strategy and performance.

The Company's cybersecurity policies, standards, processes, and practices are generally based on recognized frameworks established by the National Institute of Standards and Technology ("NIST"), the International Organization for Standardization ("ISO"), applicable industry standards, and applicable data privacy and cybersecurity regulations. Annual technology and cybersecurity risk assessments are conducted to identify and evaluate applicable risks and controls designed to address such risks. In general, the Company seeks to identify, assess and manage material cybersecurity risks through a company-wide approach addressing the confidentiality, integrity, and availability of the Company's information systems and the information that the Company collects and processes.

Cybersecurity Risk Management and Strategy

The Company's cybersecurity risk management strategy focuses on several areas:

- Identification and Reporting: The Company strives to have controls and procedures reasonably designed to identify, assess, manage and respond to cybersecurity threats and incidents, including fulfilling potential public disclosure or reporting requirements as may be applicable.

- Technical Safeguards: The Company strives to implement and maintain technical safeguards designed to protect the Company's information systems and data from cybersecurity threats, including perimeter and web application firewalls, proxy, intrusion prevention and detection systems, anti-malware, endpoint detection response functionality, data loss prevention systems, security incident event management, geo-blocking and access controls. Such safeguards are generally evaluated through internal security testing, third party penetration testing and vulnerability assessments, as well as outside audits and certifications, and revised as warranted. The Company seeks to comply with the cybersecurity framework guidelines issued by the NIST and ISO.

- Independent Assessments: The Company engages independent third-party service providers to support and enhance its cybersecurity risk management program. These third parties perform periodic security testing, assessments, and reviews designed to evaluate the effectiveness of the Company's security controls and identify potential vulnerabilities. Such activities include: (i) vulnerability assessments and penetration testing of web applications, infrastructure, and select mobile environments conducted using industry-recognized methodologies; (ii) the use of an independent certification body to conduct ISO-based assessments and certifications of the Company's information security management program; (iii) testing of information technology general controls by an external audit firm as part of the Company's Sarbanes-Oxley ("SOX") compliance program; (iv) periodic reviews conducted by the Company's cybersecurity insurance provider in connection with underwriting and renewal processes; and (v) independent cybersecurity testing and assessments performed by certain clients as part of their vendor risk management and regulatory oversight processes. Management reviews the results of these third-party activities and incorporates relevant findings into its ongoing cybersecurity risk management efforts.

- Education and Awareness: The Company provides periodic training for all levels of employees regarding information security, cybersecurity threats, business continuity planning and disaster recovery in an effort to equip Company employees with tools to address cybersecurity threats, and to communicate the Company's evolving information security policies, standards, processes and practices.

- Incident Response and Recovery Planning: The Company's Security Operations Center ("SOC"), reporting to the CISO, strives to provide 24x7 incident monitoring. If an incident occurs which SOC determines qualifies as a "critical risk" according to predetermined criteria, Company policy requires the SOC to engage an incident management team to assist with evaluating, responding to and managing the response of the incident. The Company has established and seeks to maintain comprehensive incident identification, containment, response and business continuity plans designed to respond to potential cybersecurity incidents. The Company strives to conduct periodic drills and tabletop exercises to test its procedure.

- Third-Party Risk Management: The Company strives to conduct initial and periodic risk evaluations of vendors meeting predefined criteria for heightened cybersecurity risk, based on their access to or provision of critical information systems or data.

The Company strives to conduct periodic assessments of the Company's policies, standards, processes and practices. Summary results of such assessments are evaluated by the CISO to assist the Company in adjusting its cybersecurity policies, standards, processes and practices; the CISO reviews critical results with the TIS Committee. There can be no assurance that these risk management strategies and assessments will be effective.

Governance

The Company maintains a formal cybersecurity governance structure. The SOC monitors the Company's information systems on an ongoing basis and escalates identified threats and incidents to the CISO. The Company maintains a cross-functional incident response team composed of representatives from the following departments: Information Security, Information Technology, Law and Compliance, and Enterprise Risk. Significant cybersecurity incidents and risks are escalated to management through the TIS Committee.

The Board of Directors receives quarterly updates regarding cybersecurity risk management, threat landscape developments, and mitigation efforts. In the event of a material cybersecurity incident, the Board would be notified and would receive updates regarding investigation status, impact assessment, and remediation activities. The Company conducts periodic incident response drills and tabletop exercises to test its incident response procedures, business continuity plans, crisis management processes, and management preparedness in the event of a significant cybersecurity incident.

The CISO has served in various roles in information technology, information security, and business continuity for over 20 years. The CISO holds undergraduate and graduate degrees in Information Systems Management and has attained the professional certification of Certified Information Security Manager from the Information Systems Audit and Control Association.

Material Effects of Cybersecurity Incidents

Past cybersecurity incidents have not had, and are not reasonably expected to have, a material impact on the Company's business strategy, operations, or financial condition.


Company Information

Name: ALTISOURCE PORTFOLIO SOLUTIONS S.A.
CIK: 0001462418
SIC Description: Services-Miscellaneous Business Services
Ticker: ASPS - Nasdaq, ASPSW - Nasdaq, ASPSZ - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 31