Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.

Our cybersecurity risk management program is guided by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

Key elements of our cybersecurity risk management program include, but are not limited to, the following:

●

risk metrics and self-assessments designed to help identify cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;

●

a security team principally responsible for managing: (1) our cybersecurity risk assessment processes, (2) our cybersecurity controls and processes, and (3) our response to cybersecurity incidents;

●

the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our cybersecurity controls and processes;

●

periodic required cybersecurity awareness training of our employees;

●

a Technology & Information Risk Committee, comprised of technology and business leaders, that provides risk advisory and general guidance regarding new and modified information security controls;

●

a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and

●

a third-party risk management process for key service providers, suppliers, and vendors.

Cybersecurity Risk Management Processes Integrated [Text Block]

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

Key elements of our cybersecurity risk management program include, but are not limited to, the following:

●

risk metrics and self-assessments designed to help identify cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;

●

a security team principally responsible for managing: (1) our cybersecurity risk assessment processes, (2) our cybersecurity controls and processes, and (3) our response to cybersecurity incidents;

●

the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our cybersecurity controls and processes;

●

periodic required cybersecurity awareness training of our employees;

●

a Technology & Information Risk Committee, comprised of technology and business leaders, that provides risk advisory and general guidance regarding new and modified information security controls;

●

a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and

●

a third-party risk management process for key service providers, suppliers, and vendors.

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Board of Directors Oversight [Text Block]

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit and Risk Committee oversight of cybersecurity risks and the steps that management has taken to monitor and control exposure to such risks.

The Audit and Risk Committee receives quarterly reports from our Chief Information Security Officer (“CISO”) and our Chief Information Officer on our cybersecurity risks and meets in executive session with our CISO following such reports. In addition, management updates the Audit and Risk Committee, as necessary, regarding significant cybersecurity incidents.

The Audit and Risk Committee reports to the full Board regarding its activities, including those related to cybersecurity.

In 2024, we created a new position for a full time Chief Risk Officer. Our Chief Risk Officer has primary responsibility for our enterprise risk management program and works with our CISO in the oversight of our cybersecurity risk management program.

Our CISO is primarily responsible for assessing and managing our material risks from cybersecurity threats. Our information technology risk committee is comprised of senior managers in our information technology, loan origination, loan servicing, accounting, and legal groups that meet monthly to review information security risks and the development and implementation of policies and procedures and other controls to mitigate cybersecurity and other information security risks. Our CISO provides a report to our management risk committee on the activities of the information technology risk committee, which in turn, reports regularly to the full Board on its activities.

The CISO supervises both our internal cybersecurity personnel and our retained managed service providers, who among other things, operate security tooling that is deployed in the IT environment and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. The CISO brings over 30 years of technology, cybersecurity, and risk management experience from the finance and healthcare industries. His work experience includes the design, implementation, and oversight of control and governance frameworks in complex, hybrid-cloud, and data intensive environments operating in highly regulated entities in the financial services and healthcare insurance industries.

Our information security management team is informed about and monitors efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public, or private sources, including managed service providers engaged by us, and alerts and reports produced by security tools deployed in our information technology environment.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Audit and Risk Committee receives quarterly reports from our Chief Information Security Officer (“CISO”) and our Chief Information Officer on our cybersecurity risks and meets in executive session with our CISO following such reports. In addition, management updates the Audit and Risk Committee, as necessary, regarding significant cybersecurity incidents.

The Audit and Risk Committee reports to the full Board regarding its activities, including those related to cybersecurity.

In 2024, we created a new position for a full time Chief Risk Officer. Our Chief Risk Officer has primary responsibility for our enterprise risk management program and works with our CISO in the oversight of our cybersecurity risk management program.

Our CISO is primarily responsible for assessing and managing our material risks from cybersecurity threats. Our information technology risk committee is comprised of senior managers in our information technology, loan origination, loan servicing, accounting, and legal groups that meet monthly to review information security risks and the development and implementation of policies and procedures and other controls to mitigate cybersecurity and other information security risks. Our CISO provides a report to our management risk committee on the activities of the information technology risk committee, which in turn, reports regularly to the full Board on its activities.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

The CISO brings over 30 years of technology, cybersecurity, and risk management experience from the finance and healthcare industries. His work experience includes the design, implementation, and oversight of control and governance frameworks in complex, hybrid-cloud, and data intensive environments operating in highly regulated entities in the financial services and healthcare insurance industries.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true