Page last updated on March 4, 2025
AG Mortgage Investment Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-04 17:17:09 EST.
Filings
10-K filed on 2025-03-04
AG Mortgage Investment Trust, Inc. filed a 10-K at 2025-03-04 17:17:09 EST
Accession Number: 0001514281-25-000026
Item 1C. Cybersecurity.
Risk Management and Strategy

The Company’s business is highly dependent on the communications and information systems of our Manager, its affiliates and third-party service providers. Our Manager is an affiliate of TPG, a leading global alternative asset management firm. We, in conjunction with our Manager and its affiliates, have adopted processes designed to identify, assess and manage material risks from cybersecurity threats. These processes include assessments of internal and external threats to the confidentiality, integrity and availability of the Company’s data and systems along with other material risks to its operations. These risk assessments inform our cybersecurity program and the continued development of a layered set of controls aimed at preventing, detecting, and responding to threats.

TPG’s administrative, organizational, technical and physical security controls include, but are not limited to, policies and procedures, system hardening, vulnerability scanning, and patching, employee training and awareness, third-party risk management processes, backup and recovery processes, access controls, data encryption in transit and at rest, network perimeter controls, and identity verification. TPG also has policies and controls in place designed to detect and respond to cybersecurity events, including an incident response plan, an incident response team with dedicated roles and responsibilities for assessing and responding to a cybersecurity event, system logging and ongoing monitoring, and periodic training exercises simulating cybersecurity events that are designed to raise awareness and test the team’s response readiness capabilities.

The nature, scope and effectiveness of these controls are regularly reviewed through a series of internal and external processes. TPG’s cybersecurity team itself performs both automated monitoring on a continuous basis and manual reviews of key controls.
TPG has informed us that it also conducts annual assessments of our cybersecurity program using industry standard cybersecurity frameworks, such as the NIST Cybersecurity Framework, as benchmarks to perform its evaluation. This does not imply that TPG, its affiliates or we fully meet any particular industry standards, specifications, or requirements. In addition, independent reviews of our cybersecurity control effectiveness are conducted by TPG’s internal audit team on a periodic basis. We also engage external providers to conduct periodic external assessments, including penetration testing.

As of the date of this report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition. Refer to “Item 1A. Risk Factors” in this Annual Report on Form 10-K, including “Risks Related to our Company, Business, and Operations - Cybersecurity risks may cause a disruption to our operations, a compromise or corruption of our confidential information, and/or damage to our business relationships, all of which could negatively impact our business.”, for additional discussion about cybersecurity-related risks.

Governance

Our Board of Directors holds oversight responsibility over the Company’s strategy and risk management, including material risks related to cybersecurity threats. This oversight is executed directly by the Board of Directors and through its committees. The Board regularly engages in discussions with management regarding the Company’s risk assessment and risk management policies. In addition, the Audit Committee of our Board of Directors (the “Audit Committee”) oversees the management of systemic risks, including cybersecurity, in accordance with its charter.
The Audit Committee engages in regular discussions with management regarding the Company’s significant financial risk exposures and the measures implemented to monitor and control these risks. Our Board of Directors, including the Audit Committee, is briefed on our Manager’s information security program and cybersecurity risks at least once each year and as needed in connection with any potentially material cybersecurity incidents. The Chief Information Security Officer reports at least annually to our Board of Directors, including the Audit Committee, and such report may address overall assessment of the Company’s compliance with this and other cybersecurity policies, including topics such as risk assessment, risk management and control decisions, service provider arrangements, test results, security incidents and responses, and recommendations for changes and updates to policies and procedures.

As an externally managed company, we rely on our Manager and its affiliates’ information systems in connection with our day-to-day operations. Consequently, we also rely on the processes for assessing, identifying, and managing material risks from cybersecurity threats undertaken by TPG. TPG has established an Enterprise Risk Committee (“ERC”) to manage overall risk across the organization including cybersecurity risks identified by TPG’s cybersecurity team; the ERC includes representatives from relevant functions and is led by TPG’s Chief Executive Officer. TPG has also established an Operational Risk Committee (“ORC”) which is responsible for applying the policy decisions of the ERC. Operational responsibility for ensuring the adequacy and effectiveness of our Manager’s risk management, control and governance processes is assigned to TPG’s Chief Information Security Officer (“CISO”), who periodically reports, among other things, potentially material cybersecurity incidents to the ORC and reports to the ERC at least annually.
TPG’s cybersecurity team also regularly coordinates with other key stakeholders within the organization, including compliance, human resources, internal audit and legal. The CISO leads TPG’s cybersecurity team, which is responsible for implementing, maintaining and enforcing our cybersecurity program. TPG’s CISO previously held various leadership roles within the Technology Risk department of one of the world’s largest banking institutions over a 17-year period. TPG has informed us that the CISO holds a Bachelor of Science in Electrical Engineering and Mathematics from the University of Texas at Arlington and is a Certified Information Systems Security Professional (CISSP). TPG’s cybersecurity team possesses a variety of cybersecurity skill sets and extensive expertise obtained through decades of experience, numerous industry certifications, and advanced degrees. TPG’s cybersecurity team continues to take steps to maintain up-to-date knowledge of evolving cybersecurity threats and countermeasures.
Company Information
Name | AG Mortgage Investment Trust, Inc. |
CIK | 0001514281 |
SIC Description | Real Estate Investment Trusts |
Ticker | MITT - NYSE, MITT-PA - NYSE, MITT-PB - NYSE, MITN - NYSE, MITP - NYSE, MITT-PC - NYSE |
Website | |
Category | Accelerated filer, Smaller reporting company |
Fiscal Year End | December 30 |