TWO HARBORS INVESTMENT CORP. 10-K Cybersecurity GRC - 2025-02-18

Page last updated on February 18, 2025

TWO HARBORS INVESTMENT CORP. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 16:41:14 EST.

Filings

10-K filed on 2025-02-18

TWO HARBORS INVESTMENT CORP. filed a 10-K at 2025-02-18 16:41:14 EST
Accession Number: 0001465740-25-000083

Item 1C. Cybersecurity.

Our business is highly dependent on information technology. In the ordinary course of our business, we store sensitive data, including our proprietary business information and that of our business partners, and non-public personally identifiable information of mortgage borrowers, on our networks. The secure maintenance, processing and transmission of this information is critical to our operations. Computer malware, viruses, ransomware and phishing attacks remain widespread and are increasingly sophisticated. We are frequently the target of attempted cyber threats, as are many other organizations within the financial servicing industry. We continuously monitor and develop our information technology networks and infrastructure to help prevent, detect, address and mitigate the risk of unauthorized access, misuse, computer viruses, and other events that could have a security impact. Despite these security measures, our information technology and infrastructure may be vulnerable to attacks by hackers or breached due to employee error, malfeasance or other disruptions. Any such breach could compromise our networks and the information stored there could be accessed, publicly disclosed, lost or stolen. Such access, disclosure or other loss of information could result in legal claims or proceedings, liability under laws that protect the privacy of personal information, regulatory penalties, disruption to our operations or trading activities or damage to our reputation, all of which could have a material adverse effect on our business, results of operations and financial condition. For additional information on these risks, see Item 1A, "Risk Factors" of this Annual Report on Form 10-K.

We recognize the importance of protecting our information and our information technology systems, and assessing, identifying and managing cybersecurity-related risks have been integrated into our risk management processes.

We focus on information technology and cybersecurity measures at both an enterprise-wide operational level and an individual employee level. We have in place various methods and levels of information technology and cybersecurity measures which are aimed at protecting our information and information technology systems to help secure long-term value for our stockholders and other stakeholders. By way of example, these measures include the following:

- industry standard targeted controls and security frameworks, including the National Institute of Standards and Technology (NIST), to protect our environment, including antivirus, antimalware, multi-factor authentication, complex and regularly changed passwords, patch management, email security and firewalls to protect our assets and our ability to maintain operations;
- use of technologies to help detect, identify and manage risks within our environments, including endpoint detect and response, security information and event management and vulnerability management;
- a formal cybersecurity incident response plan designed to respond to security incidents in a systematic and complete manner, and involves senior executives, external technical, legal and other resources, including an incident response retainer with our third-party security operations center;
- regularly monitoring and assessing our cybersecurity programs using external parties including a third-party 24/7 security operations center and by conducting periodic cyber maturity and risk assessments, penetration tests and other targeted controls assessments;
- central systems backup processes and associated disaster recovery plans;
- membership in an information sharing and analysis center and other industry groups so that we may stay informed about challenges specific to the financial services industry and contribute to the overall cybersecurity community; and
- employee training and awareness programs addressing cybersecurity and data privacy challenges we face in our industry.

Our board of directors is responsible for overseeing matters relating to our information technology and cybersecurity risk exposures and the steps our Company takes to monitor and mitigate these risks. The board is briefed semi-annually or as needed by senior management and the Chief Information Security Officer, or CISO, on cybersecurity matters, or more frequently as the circumstances require. To assist the board, we also have established a security and privacy steering committee comprised of members of senior management, including our CISO and our Chief Technology Officer, to oversee data privacy, information technology, and cybersecurity matters. Our CISO has extensive information technology and program management experience, has served in this role for the Company since 2019 and has supported the Company's information security function since 2015.

To date, we believe that the risks from identified cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect us, including our business strategy, results of operations or financial condition.


Company Information

Name: TWO HARBORS INVESTMENT CORP.
CIK: 0001465740
SIC Description: Real Estate Investment Trusts
Ticker: TWO - NYSE; TWO-PC - NYSE; TWO-PB - NYSE; TWO-PA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30