|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Ellington's Risk Management and Strategy
Ellington’s cybersecurity program is focused on the following key areas:
•Governance: As discussed in more detail below under "Governance," our Board of Directors' oversight of cybersecurity risk management is supported by the Audit Committee of our Board of Directors (the "Audit Committee"), which regularly interacts with our management team and other professionals who are responsible for assessing and managing material risks from cybersecurity threats at Ellington.
•Collaborative Approach: Ellington has implemented a cross-functional approach to identifying and evaluating, preventing, mitigating and remediating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents. Such escalation allows Ellington to make timely decisions regarding its response to such incidents and whether disclosure to senior management, our Audit Committee and/or the public is appropriate.
•Technical Safeguards: Ellington deploys technical safeguards that are designed to protect information systems from cybersecurity threats. These systems cover many facets of cyber security including identity protection, anti-virus and anti-malware defense, data loss prevention, endpoint protection (including managed detection and response services), patch and vulnerability management and others. Ellington regularly evaluates new technologies as the cyber security landscape evolves.
•Incident Response and Recovery Planning: Ellington has established and maintains incident response and recovery plans that we believe properly address the response to a cybersecurity incident or other business disruption. To the extent feasible, such plans are tested and evaluated on a regular basis.
•Third-Party Risk Management: Ellington follows a risk-based approach to identifying and overseeing cybersecurity risks presented by third-parties, including vendors, service providers and other external users of Ellington’s systems, as well as the systems of third-parties that could adversely impact Ellington’s business in the event of a cybersecurity incident affecting their systems. Third-party service providers are regularly evaluated by Ellington to assess their cyber security posture and general information technology practices to determine if they are suitable partners; where applicable, relevant certifications are obtained such as SOC 2 or ISO 27001.
•Education and Awareness: Ellington: (i) provides regular, mandatory cyber security training to all personnel to equip them with tools to identify and address cybersecurity threats; (ii) communicates evolving information security policies, standards, processes and practices to employees via email; (iii) delivers additional training to all users who have access to personally identifiable information on Ellington’s processes for handling such information; and (iv) conducts regular, monthly phishing tests to assess user alertness, and retains a separate external cybersecurity vendor to conduct similar tests on an annual basis.
Ellington's technology team assesses the firm’s cybersecurity and infrastructure postures regularly with two separate working groups—one group, meeting weekly, focused on IT implementation and one group, meeting bi-weekly, focused on engineering integration. Both groups include senior members of the technology team. These meetings cover a broad range of topics including implementation planning for the deployment of new hardware and software, patch and vulnerability management, considerations for disaster recovery and business continuity, user access controls, data security and more. In such continued monitoring of its cybersecurity posture, Ellington conducts continuous deprecation of obsolete or unsuitable technology, including legacy hardware and software, has a robust patch and vulnerability management process, and has personnel dedicated to the continued monitoring of new developments in threat actors’ activities in order to take preventative actions.
Ellington also regularly engages third parties to perform assessments of Ellington’s cybersecurity posture, including penetration testing, user access control reviews and independent reviews of Ellington’s information security control environment, and operating effectiveness. The results of such assessments, tests and reviews are reported to the Audit Committee and our Board of Directors, and Ellington adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, tests and reviews, including the implementation of new software and technologies.
To date, no risks from cybersecurity threats to Ellington have materially affected or are reasonably likely to materially affect the Company. Cyber criminals do, however, target us, Ellington and Ellington’s employees and other third parties. Ongoing or future attacks such as these could have impacts on our or Ellington’s operations. For additional information on these ongoing risks, please refer to "Part 1. Item 1A. Risk Factors—We are highly dependent on Ellington's and Longbridge's information systems and those of third-party service providers, including mortgage servicers, and system failures could significantly disrupt our business, which could materially adversely affect our business, financial condition and results of operations, and our ability to pay dividends to our stockholders." and "—Because we are highly dependent on information systems when sharing information with third party service providers, systems failures, breaches or cyber-attacks could significantly disrupt our business, which could have a material adverse effect on our results of operations and cash flows." While Ellington did experience two business email compromise incidents in recent years, neither had a material impact on our business strategy, results of operations or financial condition.
Longbridge's Risk Management and Strategy
Longbridge’s cybersecurity program is focused on the following key areas:
•Governance: As discussed in more detail below under "Governance," our Board of Directors’ oversight of cybersecurity risk management is completed through the Audit Committee, which regularly interacts with both our and Longbridge's management teams who are responsible for assessing and managing material risks from cybersecurity threats at Longbridge.
•Collaborative Approach: Longbridge has implemented a cross-functional approach to identifying and evaluating, preventing, mitigating and remediating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents. Such escalation allows us to make decisions regarding its response to such incidents and whether disclosure to senior management, our Audit Committee and/or the public is appropriate.
•Technical Safeguards: Longbridge deploys technical safeguards that are designed to protect information systems from cybersecurity threats. These systems cover many facets of cyber security such as anti-virus and anti-malware defense, data loss prevention, endpoint protection (including managed detection and response services), patch and vulnerability management and others. Longbridge continuously evaluates new technologies as the cyber security landscape evolves.
•Incident Response and Recovery Planning: Longbridge has established and maintains incident response and recovery plans that we believe properly address the response to a cybersecurity incident or other business disruption. To the extent feasible, such business disruption plans are tested and evaluated on a regular basis.
•Third-Party Risk Management: Longbridge maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of Longbridge’s systems, as well as the systems of third-parties that could adversely impact Longbridge’s business in the event of a cybersecurity incident affecting their systems. Third-party service providers are regularly evaluated by Longbridge to assess their cyber security posture and general information technology practices to determine if they are suitable partners; where applicable, relevant certifications are obtained such as SOC 2 or ISO 27001.
•Education and Awareness: Longbridge: (i) provides regular, mandatory cyber security training to all personnel to equip them with tools to identify and address cybersecurity threats; (ii) communicates evolving information security policies, standards, processes and practices to employees via a variety of communication methods; and (iii) conducts phishing tests to assess user alertness, and retains an external cybersecurity vendor to conduct similar tests on an annual basis.
Longbridge's technology team, and its operational risk management group, perform regular assessments of the firm’s cybersecurity and infrastructure posture. These reviews cover a broad range of topics including implementation planning for the deployment of new hardware and software, patch and vulnerability management, considerations for disaster recovery and business continuity, user access controls, data security and Longbridge’s threat monitoring services. In such continued maintenance of its cybersecurity posture, Longbridge conducts continuous deprecation of obsolete or unsuitable technology, including legacy hardware and software, has a robust patch and vulnerability management process, and has an external firm dedicated to the continued monitoring of new developments in threat actors’ activities in order to take preventative actions.
Longbridge also regularly engages third parties to perform assessments of its cybersecurity posture, including cyber risk assessments, penetration testing, user access control reviews and independent reviews of Longbridge’s information security control environment and operating effectiveness. The results of such assessments, tests and reviews are reported to our Audit Committee and Board of Directors, and Longbridge adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, tests and reviews, including the implementation of new software and technologies.
To date, no risks from cybersecurity threats from Longbridge have materially affected or are reasonably likely to materially affect our Company. Cyber criminals do, however, target us and Longbridge’s employees and other third parties. Ongoing or future attacks such as these could have impacts on our or Longbridge’s operations. For additional information on these ongoing risks, please refer to “Part 1. Item 1A. Risk Factors—We are highly dependent on Ellington's and Longbridge's information systems and those of third-party service providers, including mortgage servicers, and system failures could significantly disrupt our business, which could materially adversely affect our business, financial condition and results of operations, and our ability to pay dividends to our stockholders.” and “—Because we are highly dependent on information systems when sharing information with third party service providers, systems failures, breaches or cyber-attacks could significantly disrupt our business, which could have a material adverse effect on our results of operations and cash flows.”
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Ellington’s cybersecurity processes and practices are integrated into Ellington’s risk management and oversight program. In general, Ellington seeks to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that Ellington collects and stores by identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents when they occur.
Longbridge’s cybersecurity processes and practices are integrated into Longbridge’s operational risk oversight program. In general, Longbridge also seeks to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that Longbridge collects and stores by identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents when they occur. Longbridge had over 400 employees as of December 31, 2024.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
Our Board of Directors, through the Audit Committee, oversees our cybersecurity risk management process. Our Audit Committee receives regular presentations and reports on cybersecurity risks at both Ellington and Longbridge, each of which addresses a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties.
Each of Ellington and Longbridge employs internal or external resources whose responsibilities include oversight of their respective firm’s cybersecurity posture.
Ellington's cybersecurity team is led by Ellington's Chief Technology Officer (the "CTO"), who is primarily responsible for assessing and managing material risks from cybersecurity threats to Ellington. The CTO has extensive experience in application development, database architecture, systems design, and third-party software integration. During his tenure at Ellington, the CTO led large technical efforts such as the development of Ellington's proprietary internally hosted rapid application system and the overhaul of Ellington’s engineering infrastructure and development services. The CTO works closely with Ellington’s head of Data Platform and Infrastructure (the "DPI Head") to manage Ellington’s infrastructure and cybersecurity posture. During his tenure at Ellington, the DPI Head has led several critical efforts such as the revitalization of Ellington’s hardware, networking and disaster recovery facilities, major improvements to Ellington’s cybersecurity infrastructure, and the development and maintenance of Ellington’s Data Engineering infrastructure. Ellington’s Senior Systems Administrator (the "SSA") works closely with both the CTO and the DPI Head to implement Ellington’s cybersecurity program and infrastructure. The SSA is responsible for all systems and telecommunication design and implementation, with a focus on cybersecurity. The SSA ensures that Ellington's systems are secure and resilient against cyber threats. Prior to joining Ellington in 1997, the SSA was a Senior PC Technical Support at Bear Stearns for seven years. The CTO, after consultation with others, including the DPI Head and the SSA, regularly provides an assessment of Ellington’s cybersecurity posture and reviews Ellington’s information technology roadmap with the Audit Committee. 
The CTO's reports cover a range of topics including, at various times, a discussion of the primary cybersecurity risks facing Ellington, an overview of Ellington’s cybersecurity program, common attack vectors and types, the primary functions of Ellington’s cybersecurity program, how Ellington’s cybersecurity programs are applied to critical cybersecurity areas, any recent cybersecurity incidents, Ellington’s ongoing focus areas in its cybersecurity program, Ellington’s employee education program, management of patches and system vulnerabilities, various threat detection methods, malicious activity monitoring, any new cybersecurity focus areas for Ellington, a review of Ellington’s key technologies, Ellington’s incident response procedures and Ellington’s backup systems and redundancy and disaster recovery processes.
Longbridge's cybersecurity risk management and strategy is co-led by its Chief Operating Officer ("COO") and its Vice President of Information Technology ("VP of IT"). Longbridge's COO has extensive leadership experience with enterprise information technology in the mortgage banking industry, where he has held various executive roles, including Chief Privacy Officer and Chief Information Officer. Longbridge's COO has developed and executed IT strategy, including cybersecurity programs, and helped achieve and maintain Sarbanes-Oxley compliance and SOC-2 certification. Longbridge's VP of IT has extensive leadership experience with enterprise information technology, both in the banking and manufacturing industries. She has also developed and executed IT strategy, including cybersecurity programs and helped achieve and maintain Sarbanes-Oxley compliance. Longbridge's COO, accompanied by its VP of IT, regularly discusses Longbridge’s cybersecurity risks and posture, and its information technology roadmap, with the Audit Committee. In these reviews, Longbridge's COO informs the Audit Committee of what Longbridge believes are the key focus items of Longbridge in its cybersecurity program and the COO and VP of IT provide an overview of their views of emerging threats, and any significant cyber response activities or incidents.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board of Directors, through the Audit Committee, oversees our cybersecurity risk management process.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Audit Committee receives regular presentations and reports on cybersecurity risks at both Ellington and Longbridge, each of which addresses a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. The CTO, after consultation with others, including the DPI Head and the SSA, regularly provides an assessment of Ellington’s cybersecurity posture and reviews Ellington’s information technology roadmap with the Audit Committee. The CTO's reports cover a range of topics including, at various times, a discussion of the primary cybersecurity risks facing Ellington, an overview of Ellington’s cybersecurity program, common attack vectors and types, the primary functions of Ellington’s cybersecurity program, how Ellington’s cybersecurity programs are applied to critical cybersecurity areas, any recent cybersecurity incidents, Ellington’s ongoing focus areas in its cybersecurity program, Ellington’s employee education program, management of patches and system vulnerabilities, various threat detection methods, malicious activity monitoring, any new cybersecurity focus areas for Ellington, a review of Ellington’s key technologies, Ellington’s incident response procedures and Ellington’s backup systems and redundancy and disaster recovery processes.
|Cybersecurity Risk Role of Management [Text Block]
|Ellington’s Senior Systems Administrator (the "SSA") works closely with both the CTO and the DPI Head to implement Ellington’s cybersecurity program and infrastructure. The SSA is responsible for all systems and telecommunication design and implementation, with a focus on cybersecurity. The SSA ensures that Ellington's systems are secure and resilient against cyber threats.
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Ellington's cybersecurity team is led by Ellington's Chief Technology Officer (the "CTO"), who is primarily responsible for assessing and managing material risks from cybersecurity threats to Ellington. Longbridge's cybersecurity risk management and strategy is co-led by its Chief Operating Officer ("COO") and its Vice President of Information Technology ("VP of IT").
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CTO has extensive experience in application development, database architecture, systems design, and third-party software integration. During his tenure at Ellington, the CTO led large technical efforts such as the development of Ellington's proprietary internally hosted rapid application system and the overhaul of Ellington’s engineering infrastructure and development services. The CTO works closely with Ellington’s head of Data Platform and Infrastructure (the "DPI Head") to manage Ellington’s infrastructure and cybersecurity posture. During his tenure at Ellington, the DPI Head has led several critical efforts such as the revitalization of Ellington’s hardware, networking and disaster recovery facilities, major improvements to Ellington’s cybersecurity infrastructure, and the development and maintenance of Ellington’s Data Engineering infrastructure. Longbridge's COO has extensive leadership experience with enterprise information technology in the mortgage banking industry, where he has held various executive roles, including Chief Privacy Officer and Chief Information Officer. Longbridge's COO has developed and executed IT strategy, including cybersecurity programs, and helped achieve and maintain Sarbanes-Oxley compliance and SOC-2 certification. Longbridge's VP of IT has extensive leadership experience with enterprise information technology, both in the banking and manufacturing industries. She has also developed and executed IT strategy, including cybersecurity programs and helped achieve and maintain Sarbanes-Oxley compliance.