CHIMERA INVESTMENT CORP 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 19, 2025

CHIMERA INVESTMENT CORP reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 16:59:38 EST.

Filings

10-K filed on 2025-02-19

CHIMERA INVESTMENT CORP filed a 10-K at 2025-02-19 16:59:38 EST
Accession Number: 0001628280-25-006426


Item 1C. Cybersecurity.

Risk Management and Strategy

We have a risk management process and strategy in place for assessing, identifying, and managing material risks from cybersecurity threats. Our cybersecurity risk management framework is closely aligned with the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework (“CSF”) and is incorporated into our enterprise risk management process, information systems, vendor engagement process and employee training programs. We focus on people, processes and technology to build a defensive posture against cybersecurity threats that minimizes disruption to our business while maximizing the security and resiliency of the organization.

We believe that one of the first lines of defense against cybersecurity threats is our employees. Accordingly, we require all new employees to complete cybersecurity training. In addition, we provide quarterly cybersecurity training to existing employees, conduct simulated phishing tests, and perform security awareness proficiency assessments to create more effective and targeted training campaigns to strengthen the human firewall. We also require our employees to annually re-affirm adherence to company-wide IT and related policies designed to protect our information and communications systems. As part of our cybersecurity risk management process, we also conduct third-party-led tabletop exercises to practice and prepare to respond to a confirmed or suspected security incident and to highlight any areas for potential improvement.

We also maintain policies, procedures and governance structures designed to help us identify, assess and respond to cybersecurity risks. We have a written cybersecurity framework that closely aligns with the NIST’s CSF. In addition, we maintain a cyber incident response plan to facilitate our response to cybersecurity incidents and formed an Incident Response Team composed of the Chief Information Security Officer & Head of IT Infrastructure (“CISO”), the Chief Credit & Risk Officer, the Chief Legal Officer, the Head of Operations, the Chief Compliance Officer of the RIA, the Head of Data Science, and the Associate General Counsel. The foregoing officers also include within their working teams non-management employees who are best positioned to identify, assess, respond to and galvanize both internal and third-party resources necessary in the event of a cybersecurity incident.

We test the resiliency of our systems through penetration and disaster recovery tests to continually improve our business continuity plan against an ever-changing threat landscape, create redundancies where appropriate for the protection of the Company’s assets, have engaged a security operations center to provide 24/7 monitoring of our environment to detect and respond to suspicious activities in the network, and have cybersecurity insurance. We periodically perform an independent third-party cybersecurity maturity assessment of our systems, policies and procedures focused on the NIST’s CSF and the SEC’s Office of Compliance Inspections and Examinations cybersecurity guidance.

We have also implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers, including requiring key service providers to provide evidence that their systems meet appropriate cybersecurity requirements. We collaborate with service providers to help assess the sufficiency of their cybersecurity measures and require service providers to notify us promptly of cyber incidents that may affect our systems or data.

Lastly, we use technology to minimize our exposure to cybersecurity vulnerabilities and promote a safe information and communications systems environment. We avail ourselves of third-party technologies and tools, including tools provided by the Cybersecurity and Infrastructure Security Agency (CISA), other government agencies and third-party cybersecurity experts.

In December 2024, we completed the Palisades Acquisition and have aligned all new employees acquired through such acquisition with our cybersecurity training and governance framework, including the Incident Response Team, which now includes legacy Palisades employees. We are conducting comprehensive risk assessments to identify additional steps that may be necessary to fully align the legacy Palisades information systems and cybersecurity practices with our systems and practices.

To date, no risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected us, or, to our knowledge, are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For further discussion, please see the risk factor titled “We are dependent on information technology and systems, including those of third parties, and their failure, including through a cyber-attack, could significantly disrupt our business or result in the disclosure or misuse of confidential or other information, including personal information, which could damage our reputation, result in regulatory sanctions, subject us to litigation and/or increase our costs and cause losses that have a material adverse impact on our business, financial results and financial condition” in Item 1A. “Risk Factors” in this Annual Report on Form 10-K.

Governance

Our Board of Directors, in coordination with the Audit Committee and the Risk Committee, oversees management of cybersecurity risk. They receive regular reports from senior management and our CISO on, among other things, the threat landscape, the Company’s cybersecurity program, infrastructure improvements, cybersecurity incident investigations and information security vulnerabilities. The Audit Committee focuses on cybersecurity risk, particularly as it relates to enterprise risk management within the audit and financial reporting process, while the Risk Committee focuses on cybersecurity risk within the Company’s overall business risk profile. Refer to Item 7A, “Quantitative or Qualitative Disclosures about Market Risk - Risk Management” included in this 2024 Form 10-K for additional information on our enterprise risk management.

The Company’s CISO has a Bachelor of Engineering degree in information technology and more than 25 years of experience in the information technology space, including extensive experience leading our internal IT infrastructure and cybersecurity team. The CISO receives regular updates on cybersecurity matters from his internal IT infrastructure and cybersecurity team as well as outside vendors and advisors that we have engaged. Employees outside of the IT infrastructure and cybersecurity team also elevate any potential cybersecurity issues, whether internal or at a third party with whom we do business, to the CISO.

The Incident Response Team and the non-management employees who support the Incident Response Team identify, assess, respond to and coordinate both internal and third-party resources in the event of a cybersecurity incident. In the event of a potentially material cybersecurity event, all members of the Incident Response Team are notified and a preliminary assessment of the situation is made. Designated individuals within the Incident Response Team notify the Chief Executive Officer, and if the situation so warrants, the Board of Directors, cybersecurity experts, outside counsel and other advisors to help further assess and formulate an appropriate response to the situation, and regulatory and other government authorities as applicable and as required by law.


Company Information

Name: CHIMERA INVESTMENT CORP
CIK: 0001409493
SIC Description: Real Estate Investment Trusts
Ticker: CIM (NYSE), CIM-PB (NYSE), CIM-PD (NYSE), CIM-PC (NYSE), CIM-PA (NYSE), CIMN (NYSE), CIMO (NYSE)
Website:
Category: Large accelerated filer
Fiscal Year End: December 30