NewtekOne, Inc. 10-K Cybersecurity GRC - 2025-03-17

Page last updated on March 17, 2025

NewtekOne, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 08:41:50 EDT.

Filings

10-K filed on 2025-03-17

Filed at 2025-03-17 08:41:50 EDT
Accession Number: 0001587987-25-000050

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY.

Risk Management and Strategy

NewtekOne maintains a Risk Management framework to identify, measure, mitigate, monitor and report material risks to the Risk Committee of our Board. Our Risk Management process includes participation by our senior management and employees across NewtekOne and its consolidated subsidiaries and is overseen by our Chief Risk Officer who reports to the Risk Committee and our CEO. The Risk Committee sets the risk appetite across NewtekOne while the executive leadership team and our associates identify and monitor current and emerging risks and manage those risks within our risk appetite. Cybersecurity has been identified among the material risks in our business and the following approach has been developed to address cybersecurity. We and NTS, and NTS’s successor, IPM, which manages our IT infrastructure and cybersecurity under the direction of our CTO, have developed an enterprise-wide cybersecurity risk management system and strategy to safeguard our assets and operations, including the protection of the confidentiality of nonpublic, sensitive personal and business information and the integrity and security of our information systems, as follows:

Assessment, Identification, and Management of Material Risks:

1. Comprehensive Risk Assessments: We conduct regular and comprehensive assessments to identify potential cybersecurity risks to our organization. These assessments encompass internal systems, networks, applications, and data repositories, as well as external threats and vulnerabilities within the broader digital ecosystem.

2. Threat Intelligence Monitoring: We continuously monitor threat intelligence sources to stay abreast of emerging cyber threats and trends. This proactive approach enables us to anticipate potential risks and take preemptive measures to mitigate them.

3. Risk Prioritization: Following the assessment phase, we prioritize identified risks based on their potential impact on our operations, data integrity, confidentiality, and reputation. This risk-based approach allows us to allocate resources effectively and focus on addressing the most significant threats first.

4. Mitigation Strategies: We develop and implement robust mitigation strategies tailored to address specific cybersecurity risks. These strategies may include the deployment of technical controls, such as firewalls, intrusion detection systems, and encryption protocols, as well as the implementation of policies, procedures, and employee training programs to promote cybersecurity awareness and adherence to best practices.

Integration into Overall Risk Management System: Our cybersecurity risk management processes are fully integrated into our overall risk management system and corporate governance framework. This integration ensures that cybersecurity considerations are embedded within our strategic decision-making processes and are aligned with our broader business objectives. By integrating cybersecurity into our overall risk management system, we promote a comprehensive approach to risk mitigation and resilience-building across the organization.

Engagement of Assessors, Consultants, and Auditors:

1. Internal Expertise: Our CTO is responsible for overseeing the Company’s IT infrastructure and cybersecurity and reports to our executive management team and the Technology Steering Committee of our Board.

2. External Expertise: We recognize the value of external expertise in assessing and enhancing our cybersecurity posture. Historically, the Company’s subsidiary NTS and its team of professionals, including NTS’ Chief Information Security Officer (“CISO”), who currently serves as our CISO, and CTO, and their team of professionals, have managed the Company’s IT infrastructure, including our dedicated server hosting, managed cybersecurity, backup and disaster recovery, and other related services. As of the January 2, 2025, close of our divestiture of NTS to IPM, we and IPM entered into a Master Services Agreement pursuant to which IPM provides us with the same services NTS provided to the Company prior to the divestiture. Our CTO is responsible for overseeing IPM’s provision of the managed technology services, including cybersecurity, to NewtekOne. In addition, we engage assessors, consultants, auditors, and other third-party experts with specialized knowledge in cybersecurity. These external stakeholders conduct independent assessments, penetration testing, vulnerability scans, and audits to evaluate the effectiveness of our cybersecurity controls and identify areas for improvement.

3. Continuous Improvement: The insights and recommendations provided by external assessors and consultants inform our ongoing efforts to strengthen our cybersecurity defenses. We prioritize the implementation of their recommendations, ensuring that our cybersecurity measures remain robust and adaptive to evolving threats.

Oversight of Third-Party Service Providers: Our management is actively engaged in overseeing our third-party service providers. Our Enterprise Third Party Risk Management (TPRM) Policy establishes requirements and practices used to oversee and manage the activities of third parties with whom we have a relationship, under which we identify, measure, monitor, and manage third-party risk (including information cybersecurity risks) in alignment with our strategic objectives and in compliance with applicable law. Any identified threats, vulnerabilities, or cybersecurity incidents are addressed as appropriate through our CTO, CISO and IPM.

Governance

Our Board oversees material risks facing the Company. For some categories of risk, the Board has empowered committees to provide more focused oversight. In the case of cybersecurity and technology risk, in 2024 the Board formed the Technology Steering Committee which has that responsibility. The Technology Steering Committee is informed of risks from cybersecurity threats through regular reports from the Company’s management, including our CTO. Our CTO and the CISO, who is employed by IPM, oversee our cybersecurity risk management program. The CISO is chiefly responsible for developing, maintaining, and enforcing cybersecurity and cyber risk-related policies; ensuring the Company and its subsidiaries satisfy requirements of relevant regulations, industry standards, and third-party risk assessment requirements; keeping abreast of developing security threats, and helping both the Board and the Technology Steering Committee understand potential security problems that might arise from the changing threat landscape; and overseeing and implementing regular security awareness training of all employees on cybersecurity, and supporting effective communication with users to limit security vulnerabilities. The CISO regularly reports to our CTO, who reports to the Technology Steering Committee on a quarterly basis and more frequently as needed, on the state of our cybersecurity risk management program and provides updates on cybersecurity matters. The Technology Steering Committee also receives regular reports on how management identifies, assesses, and manages cybersecurity and broader technology risks. The Technology Steering Committee reviews these reports and discusses them with management. The Technology Steering Committee reports to the full Board on key aspects of management’s presentations on cybersecurity and broader technology risks. All members of the Board have access to written cybersecurity reports that are provided to the Technology Steering Committee.

While our Board and Technology Steering Committee oversee cybersecurity and technology risk, our senior leadership is responsible for identifying, assessing, and managing our exposure to risks from cybersecurity threats. Accountability of our cybersecurity program is housed within IPM, with oversight by our CTO. Reporting to our CTO is the CISO, the individual who provides day-to-day oversight of our cybersecurity program. Our CISO is responsible for assessing and managing material risks from cybersecurity threats, including monitoring the prevention, detection, mitigation and remediation of cybersecurity threats. Our CISO oversees a team that regularly communicates with respect to the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The CISO’s team consists of individuals that have the knowledge, skills and expertise to respond to a cybersecurity incident. Our CISO coordinates with the CTO, who coordinates with the Company’s and our subsidiaries’ executive officers relating to potentially material cybersecurity incidents and regularly discusses with the Technology Steering Committee the effectiveness of the Company’s technology security, capabilities for disaster recovery, data protection, cyber threat detection and cyber incident response and management of technology-related compliance risks.

Our CISO is a Certified Information Systems Security Professional (CISSP) with decades of experience with technology in security, architecture, infrastructure and support in the financial, education, healthcare and other verticals. He is a results-driven leader who has managed multimillion-dollar projects and solutions to successful completion. Our CTO has over 25 years of experience in enterprise technology solutions, with expertise in managed services, private cloud, service operations, and security. He is committed to driving reliability of services while prioritizing robust security measures.


Company Information

Name: NewtekOne, Inc.
CIK: 0001587987
SIC Description: National Commercial Banks
Tickers: NEWT (Nasdaq), NEWTI (Nasdaq), NEWTG (Nasdaq), NEWTH (Nasdaq), NEWTZ (Nasdaq)
Category: Accelerated filer
Fiscal Year End: December 30