ALTISOURCE PORTFOLIO SOLUTIONS S.A. 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

ALTISOURCE PORTFOLIO SOLUTIONS S.A. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 10:33:20 EDT.

Filings

10-K filed on 2025-03-31

ALTISOURCE PORTFOLIO SOLUTIONS S.A. filed a 10-K at 2025-03-31 10:33:20 EDT
Accession Number: 0001462418-25-000057

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Board of Directors is responsible for the Company’s risk management strategy and overseeing the Company’s risk management program, of which cybersecurity is a critical element. The Chief Strategy and Technology Officer (“CSTO”) and the Chief Information Security Officer (“CISO”) are responsible for designing, implementing and administering the Company’s cybersecurity risk management policies, processes and practices, business continuity planning and disaster recovery functions and activities. The CSTO and CISO meet on a quarterly basis with other members of Management as the Technology and Information Security Committee (“TIS Committee”) to review the Company’s cybersecurity risk management, business continuity planning and disaster recovery strategy and performance. The Company’s cybersecurity policies, standards, processes, and practices are generally based on recognized frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”), applicable industry standards, and applicable data privacy and cybersecurity regulations. Annual technology and cybersecurity risk assessments are conducted to identify and evaluate applicable risks and controls designed to address such risks. In general, the Company seeks to identify, assess and manage material cybersecurity risks through a company-wide approach addressing the confidentiality, integrity, and availability of the Company’s information systems and the information that the Company collects and processes. Cybersecurity Risk Management and Strategy The Company’s cybersecurity risk management strategy focuses on several areas: - Identification and Reporting: The Company strives to have controls and procedures designed to identify, assess, manage and respond to cybersecurity threats and incidents, including fulfilling potential public disclosure or reporting requirements as may be applicable. - Technical Safeguards: The Company strives to implement and maintain technical safeguards designed to protect the Company’s information systems and data from cybersecurity threats, including perimeter and web application firewalls, proxy, intrusion prevention and detection systems, anti-malware, endpoint detection response functionality, data loss prevention systems, security incident event management, geo-blocking and access controls. Such safeguards are generally evaluated through internal security testing, third party penetration testing and vulnerability assessments, as well as outside audits and certifications, and revised as warranted. The Company seeks to comply with the cybersecurity framework guidelines issued by the NIST and ISO. - Education and Awareness: The Company provides periodic, mandatory training for all levels of employees regarding information security, cybersecurity threats, business continuity planning and disaster recovery in an effort to equip Company employees with tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes and practices. - Incident Response and Recovery Planning: The Company’s Security Operations Center (“SOC”), reporting to the CISO, strives to provide 24x7 incident monitoring. If an incident occurs which SOC determines qualifies as a “critical risk” according to predetermined criteria, Company policy requires the SOC to engage an incident management team to assist with evaluating, responding to and managing the response of the incident. The Company has established and seeks to maintain comprehensive incident identification, containment, response and business continuity plans designed to respond to potential cybersecurity incidents. The Company strives to conduct periodic drills and tabletop exercises to test these. - Third-Party Risk Management: The Company strives to conduct initial and periodic risk evaluations of vendors meeting predefined criteria for heightened cybersecurity risk, based on their access to or provision of critical information systems or data. The Company strives to conduct periodic assessments of the Company’s policies, standards, processes and practices. Summary results of such assessments are evaluated by the CISO to assist the Company in adjusting its cybersecurity policies, standards, processes and practices; the CISO reviews critical results with the TIS Committee. Governance The Board of Directors oversees the Company’s risk management program, including the management of cybersecurity threats. The Board of Directors receives regular reports from the CTSO on cybersecurity threats and the Company’s mitigation strategies. The TIS Committee provides Management oversight of the Company’s cybersecurity risk management, business continuity planning and disaster recovery strategy and performance. To facilitate the success of the Company’s cybersecurity program, cross-functional teams work with the CISO and SOC seek to address cybersecurity threats and respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and Management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and report such threats and incidents to the Board of Directors, as appropriate. The CISO has served in various roles in information technology, information security, and business continuity for over 20 years. The CISO holds undergraduate and graduate degrees in Information Systems Management and has attained the professional certification of Certified Information Security Manager from the Information Systems Audit and Control Association. Material Effects of Cybersecurity Incidents Past cybersecurity incidents have not had, and are not reasonably expected to have, a material impact on the Company’s business strategy, operations, or financial condition.

Company Information