Page last updated on February 21, 2025
NEW YORK MORTGAGE TRUST, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 16:57:57 EST.
Filings
10-K filed on 2025-02-21
NEW YORK MORTGAGE TRUST, INC. filed a 10-K at 2025-02-21 16:57:57 EST
Accession Number: 0001273685-25-000028
Item 1C. Cybersecurity.
We, together with our third-party vendors, employ information technology including networks, systems, and applications to support our business and decision-making across the Company, including supporting the flow of information across our business processes. Our information technology infrastructure is susceptible to cybersecurity threats. We monitor our information technology systems, including through the use of information security procedures and risk management systems, and implement initiatives aimed at improving our cybersecurity measures. Our process for assessing, identifying, managing and addressing information security risks includes:

- Internalization of Information Security Management. We have internalized our information security oversight by hiring a full time Head of Information Technology that has over 20 years of experience in managing information technology and guiding organizations through technology strategy, cybersecurity risk mitigation, information technology process improvement initiatives and digital transformations. He also possesses relevant experience in improving a company’s cybersecurity posture and data privacy policies. He holds a Bachelor of Science degree in Information Systems and oversees all of our information security initiatives, assesses cybersecurity risks, provides cybersecurity plans, identifies opportunities for the implementation of additional cybersecurity measures and provides cybersecurity training to our employees and executives.

- Third-Party Consultant. We engage a third-party information security consultant to assist in managing our risk posture. This consultant conducts periodic tests and analyses of our defensive and detective information security controls, including annual penetration tests and risk assessments as well as regular vulnerability scans and assessments. The consultant also provides live, interactive annual information security training to our employees and executive officers and monitors the effectiveness of such training through quarterly phishing campaigns. The consultant also assists us in managing cybersecurity risks associated with third-party service providers by administering a due diligence questionnaire for the Company’s third-party service providers that includes a cybersecurity risk assessment and provides guidance for remediation of security gaps.

- Current Plans and Procedures. The Company has implemented and maintains an incident response plan (“IRP”) and a Business Continuity Plan (“BCP”). The IRP establishes the organization, actions and procedures for recognizing and responding to information security incidents; assessing incidents; notifying the appropriate individuals, regulators or organizations about any incident; organizing the Company’s response activities; escalating the Company’s response efforts to named executive officers and the Board of Directors based on the severity of the incident; and supporting the business recovery efforts made in the aftermath of any incident. The IRP is designed to minimize the operational and financial impacts of an information security incident and is designed to be activated when a local incident responder determines that an incident has occurred. Similarly, our BCP provides details on information security incident response and subsequent business recovery actions.

- Risk Identification and Mitigation. The Company aims to identify and mitigate information security risks by using the National Institute of Standards and Technology Cybersecurity Framework (the “NIST Framework”) as a guide to help us identify and mitigate information security risks relevant to our business. The Company seeks to identify potential risks through various software programs which perform asset and patch management; monitor desktops, laptops and servers; map networks and inventories; and audit file servers. The Company aims to protect itself from potential risks through the implementation of software programs which provide protective measures such as single sign-on, multi-factor identification, content filtering, disk encryption, regular patches and inside threat protection. The Company has implemented a suite of software programs to detect information security events, plans to respond to information security events in accordance with the IRP and BCP, and aims to take proactive steps to recover from information security events through its Disaster Recovery Plan (“DRP”). The DRP prioritizes the swift recovery of information technology systems, data, and infrastructure and the efficient restoration of servers and applications to their normal operational state in the event of a significant disaster.

- Insurance. We maintain a breach response insurance policy.

- Enterprise Risk Assessment. The Company completes an annual enterprise risk assessment that includes cybersecurity risks and mitigants. The results of the enterprise risk assessment are shared with the Board of Directors on an annual basis.

- Implemented Programs for a Hybrid Work Environment. We have implemented initiatives relating to mobile device management, cloud storage services, endpoint protection, and identity and access management. For example, we have implemented a service that focuses on mobile device management and mobile application management, as well as data classification and file server data loss protection measures. We have further implemented endpoint protection and endpoint detection and response which provides visibility that is designed to identify unauthorized systems and applications.

- Ongoing Monitoring. Our information security procedures are designed to evolve as information security risks and considerations change over time.

Our Board of Directors exercises oversight of information security risk primarily through the Audit Committee. The Head of Information Technology provides information security updates to named executive officers and briefs our Board of Directors and Audit Committee on relevant information security issues on a quarterly basis. We also make available periodic cybersecurity training for members of our Board of Directors.

As of the date of this Report, though the Company and our service providers have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company. However, we acknowledge that cybersecurity threats are continually evolving and the possibility of future cybersecurity incidents remains. Despite the implementation of our security measures, we cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology systems could have significant consequences for our business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible.

For further discussion, please see the risk factors titled “Maintaining cybersecurity and data security is important to our business and a breach of our cybersecurity or data security could result in serious harm to our reputation and have a material adverse impact on our business and financial results” and “We are highly dependent on information and communication systems and system failures and other operational disruptions could significantly disrupt our business, which may, in turn, materially adversely affect our business, financial condition and results of operations and our ability to make distributions to our stockholders” in Part I, Item “1A. Risk Factors” in this Annual Report on Form 10-K.
Company Information
Name | NEW YORK MORTGAGE TRUST, INC. |
CIK | 0001273685 |
SIC Description | Real Estate Investment Trusts |
Ticker | NYMT - Nasdaq, NYMTN - Nasdaq, NYMTG - Nasdaq, NYMTI - Nasdaq, NYMTL - Nasdaq, NYMTM - Nasdaq, NYMTZ - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |