NLY 2023 Annual Report

applicable lender. The collateral we pledge generally exceeds the amount of the borrowings under each agreement. If the counterparty to the repurchase agreement defaults on its obligations and we are not able to recover our pledged asset, we are at risk of losing the over-collateralization or haircut. The amount of this exposure is the difference between the amount loaned to us plus interest due to the counterparty and the fair value of the collateral pledged by us to the lender including accrued interest receivable on such collateral.

We also use interest rate swaps and other derivatives to manage interest rate risk. Under these agreements, we pledge securities and cash as collateral or settle variation margin payments as part of a margin arrangement. If a counterparty were to default on its obligations, we would be exposed to a loss to a derivative counterparty to the extent that the amount of our securities or cash pledged exceeded the unrealized loss on the associated derivative and we were not able to recover the excess collateral. Additionally, we would be exposed to a loss to a derivative counterparty to the extent that our unrealized gains on derivative instruments exceeded the amount of the counterparty’s securities or cash pledged to us.

We monitor our exposure to counterparties across several dimensions including by type of arrangement, collateral type, counterparty type, ratings and geography. Additionally, ALCO has oversight of our counterparty exposure.

The following table summarizes our exposure to counterparties by geography at December 31, 2023:

(dollars in thousands)

Geography          Number of Counterparties   Secured Financing (1)   Interest Rate Swaps at Fair Value   Exposure (2)
North America      23                         $ 48,042,915            $ (29,750)                          $ 3,225,098
Europe             10                         10,403,461              (26,957)                            803,497
Asia (non-Japan)   1                          447,776                 —                                   16,234
Japan              4                          3,807,391               —                                   310,799
Total              38                         $ 62,701,543            $ (56,707)                          $ 4,355,628

(1) Includes repurchase agreements and other secured financing.
(2) Represents the amount of cash and/or securities pledged as collateral to each counterparty less the aggregate of repurchase agreement and other secured financing and derivatives for each counterparty.

Operational Risk Management

We are subject to operational risk in each of our business and support functions. Operational risk may arise from internal or external sources including human error, fraud, systems issues, process change, vendors, business interruptions and other external events. We manage operational risk through a variety of tools including processes, policies and procedures that cover topics such as business continuity, personal conduct, cybersecurity and vendor management. Other tools include Risk and Control Self Assessment (“RCSA”) testing, including disaster recovery/testing; systems controls, including access controls; training, including phishing exercises and cybersecurity awareness training; and monitoring, which includes the use of key risk indicators. Our Operational Risk Management team conducts a disaster recovery exercise on an annual basis and periodically conducts other operational risk tabletop exercises.

Employee-level lines of defense against operational risk include proper segregation of incompatible duties, activity-level internal controls over financial reporting, the empowerment of business units to identify and mitigate operational risk sources, testing by our internal audit staff, and our overall governance framework. Operational Risk Management responsibilities are overseen by the ERC. The ERC is responsible for supporting the Operating Committee in the implementation, ongoing monitoring, and evaluation of the effectiveness of the enterprise-wide risk management framework. This oversight authority includes review of the strategies, processes, policies, and practices established by management to identify, assess, measure, and manage enterprise-wide risk. Cybersecurity is part of our enterprise-wide risk management framework.
Processes for assessing, identifying, and managing cybersecurity risks include cybersecurity risk assessments, use of key risk indicators, vendor cybersecurity risk management, employee training, including phishing exercises and cybersecurity awareness training, penetration testing, evaluation of cybersecurity insurance and periodic engagements by our internal audit department, which determines whether our cybersecurity program and information security practices align with relevant parts of the National Institute of Standards and Technology (“NIST”) framework. We periodically engage penetration testing companies and law firms to assist in these processes. When we do so, we hire reputable companies, limit their access to only information necessary for the specific purpose and maintain security controls around confidential information, including personal information.

We also maintain a Cybersecurity Incident Response Plan (“Response Plan”) with processes to identify, contain, mitigate and escalate cybersecurity incidents, utilizing cross-functional expertise and external resources as needed. We conduct tabletop exercises to test our Response Plan and our reaction to various business disruption events, and the results of these tabletop exercises are reported to the Cybersecurity Committee and the ERC.

ANNALY CAPITAL MANAGEMENT, INC. AND SUBSIDIARIES Item 7. Management’s Discussion and Analysis 76
