Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Cybersecurity is part of our enterprise-wide risk management framework. Processes for assessing, identifying and managing cybersecurity risks include cybersecurity risk assessments, use of key risk indicators, vendor cybersecurity risk management, employee training, including phishing exercises and cybersecurity awareness training, penetration testing, evaluation of cybersecurity insurance and periodic engagements by our internal audit department, which determines whether our cybersecurity program and information security practices align with relevant parts of the National Institute of Standards and Technology (“NIST”) framework. We periodically engage penetration testing companies and law firms to assist in these processes. When we do so, we hire reputable companies, limit their access to only information necessary for the specific purpose and maintain security controls around confidential information, including personal information. We also maintain a Cybersecurity Incident Response Plan (“Response Plan”) with processes to identify, contain, mitigate and escalate cybersecurity incidents, utilizing cross-functional expertise and external resources as needed. We conduct periodic tabletop exercises to test our Response Plan and our reaction to various business disruption events, and the results of these tabletop exercises are reported to the Cybersecurity Committee and the ERC.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Cybersecurity Committee has primary responsibility for these processes to manage cybersecurity risks, under the oversight of the ERC. Daily monitoring of cybersecurity defenses is performed by the IT Infrastructure Team and any issues are escalated to the Cybersecurity Committee as needed. The Cybersecurity Committee regularly meets to discuss both routine oversight of cybersecurity processes, policies and procedures and management of any cyber-specific events, including escalation to the ERC, the executive leadership team and/or the Board, as appropriate.
The Cybersecurity Committee includes representatives from Operational Risk Management, Information Technology, Legal, Mortgage Operations and Internal Controls. Certain members of the Cybersecurity Committee have relevant qualifications such as extensive work experience implementing data security measures, developing cybersecurity policies and procedures and assessing, managing and reporting cybersecurity risk. Members also participate in cybersecurity-related professional organizations that discuss industry threats, challenges and solutions to cybersecurity issues. Our Head of IT Infrastructure has completed the “Cybersecurity: Managing Risk in the Information Age” certificate program from Harvard University.
The Cybersecurity Committee regularly discusses cybersecurity risk management and best practices with the ERC and with the Audit and Risk Committees of our Board. The Audit and Risk Committees jointly oversee processes, practices and policies related to cybersecurity and receive joint and individual presentations from management and external experts on cyber technology-related risks. Two members of our Board have completed the Carnegie Mellon/NACD Cyber-Risk Oversight Program and earned the CERT Certificate in Cybersecurity Oversight and one member of our Board has completed the NACD Master Class: Cyber-Risk Oversight Program.
To date, we have not detected any risks from cybersecurity threats that have materially affected us. However, even though we take steps to employ reasonable cybersecurity defenses, not every cybersecurity incident can be prevented or detected. We also may be held responsible for cybersecurity threats affecting our third party service providers, including servicers and sub-servicers, some of whom have reported breaches in the past. Therefore, while we are not aware of any cybersecurity threats or incidents that are reasonably likely to have a material effect on our business strategy, results of operations or financial condition, the likelihood and severity of such risks are difficult to predict. For further discussion, please see the risk factors titled “We are highly dependent on information systems and networks, many of which are operated by third parties” and “Cyberattacks or other information security breaches of our Company's, service providers' or counterparties' systems or networks affect our business, reputation and financial condition” in Part I, Item 1A. “Risk Factors” in this Annual Report on Form 10-K.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Cybersecurity Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Cybersecurity Committee regularly discusses cybersecurity risk management and best practices with the ERC and with the Audit and Risk Committees of our Board. The Audit and Risk Committees jointly oversee processes, practices and policies related to cybersecurity and receive joint and individual presentations from management and external experts on cyber technology-related risks. Two members of our Board have completed the Carnegie Mellon/NACD Cyber-Risk Oversight Program and earned the CERT Certificate in Cybersecurity Oversight and one member of our Board has completed the NACD Master Class: Cyber-Risk Oversight Program.
Cybersecurity Risk Role of Management [Text Block] The Cybersecurity Committee includes representatives from Operational Risk Management, Information Technology, Legal, Mortgage Operations and Internal Controls. Certain members of the Cybersecurity Committee have relevant qualifications such as extensive work experience implementing data security measures, developing cybersecurity policies and procedures and assessing, managing and reporting cybersecurity risk. Members also participate in cybersecurity-related professional organizations that discuss industry threats, challenges and solutions to cybersecurity issues.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The Cybersecurity Committee has primary responsibility for these processes to manage cybersecurity risks, under the oversight of the ERC. Daily monitoring of cybersecurity defenses is performed by the IT Infrastructure Team and any issues are escalated to the Cybersecurity Committee as needed. The Cybersecurity Committee regularly meets to discuss both routine oversight of cybersecurity processes, policies and procedures and management of any cyber-specific events, including escalation to the ERC, the executive leadership team and/or the Board, as appropriate.
The Cybersecurity Committee includes representatives from Operational Risk Management, Information Technology, Legal, Mortgage Operations and Internal Controls. Certain members of the Cybersecurity Committee have relevant qualifications such as extensive work experience implementing data security measures, developing cybersecurity policies and procedures and assessing, managing and reporting cybersecurity risk. Members also participate in cybersecurity-related professional organizations that discuss industry threats, challenges and solutions to cybersecurity issues. Our Head of IT Infrastructure has completed the “Cybersecurity: Managing Risk in the Information Age” certificate program from Harvard University.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Certain members of the Cybersecurity Committee have relevant qualifications such as extensive work experience implementing data security measures, developing cybersecurity policies and procedures and assessing, managing and reporting cybersecurity risk. Members also participate in cybersecurity-related professional organizations that discuss industry threats, challenges and solutions to cybersecurity issues. Our Head of IT Infrastructure has completed the “Cybersecurity: Managing Risk in the Information Age” certificate program from Harvard University.
The Cybersecurity Committee regularly discusses cybersecurity risk management and best practices with the ERC and with the Audit and Risk Committees of our Board. The Audit and Risk Committees jointly oversee processes, practices and policies related to cybersecurity and receive joint and individual presentations from management and external experts on cyber technology-related risks. Two members of our Board have completed the Carnegie Mellon/NACD Cyber-Risk Oversight Program and earned the CERT Certificate in Cybersecurity Oversight and one member of our Board has completed the NACD Master Class: Cyber-Risk Oversight Program.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Cybersecurity Committee has primary responsibility for these processes to manage cybersecurity risks, under the oversight of the ERC. Daily monitoring of cybersecurity defenses is performed by the IT Infrastructure Team and any issues are escalated to the Cybersecurity Committee as needed. The Cybersecurity Committee regularly meets to discuss both routine oversight of cybersecurity processes, policies and procedures and management of any cyber-specific events, including escalation to the ERC, the executive leadership team and/or the Board, as appropriate.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true