NLY 2023 Annual Report

We also have processes in place to oversee and identify material risks from cybersecurity threats associated with our use of third party service providers, including mortgage loan servicers and sub-servicers, upon which we depend to perform various business processes related to our operations. Our vendor management policy establishes procedures for engaging, onboarding and monitoring the performance of third party vendors. For mortgage loan servicers and sub-servicers, these procedures include assessing a vendor’s financial health as well as oversight of its compliance with applicable laws and regulations, cybersecurity and business continuity programs and security of personally identifiable information. We also have processes to evaluate and classify cybersecurity risk related to sensitive data held by key third party service providers on their systems. The Cybersecurity Committee has primary responsibility for these processes to manage cybersecurity risks, under the oversight of the ERC. Daily monitoring of cybersecurity defenses is performed by the IT Infrastructure Team and any issues are escalated to the Cybersecurity Committee as needed. The Cybersecurity Committee regularly meets to discuss both routine oversight of cybersecurity processes, policies and procedures and management of any cyber-specific events, including escalation to the ERC, the executive leadership team and/or the Board as appropriate. The Cybersecurity Committee includes representatives from Operational Risk Management, Information Technology, Legal, Mortgage Operations and Internal Control. Certain members of the Cybersecurity Committee have relevant qualifications such as extensive work experience implementing data security measures, developing cybersecurity policies and procedures, and assessing, managing and reporting cybersecurity risk.
Members also participate in cybersecurity-related professional organizations that discuss industry threats, challenges and solutions to cybersecurity issues. Our Head of IT Infrastructure has completed the "Cybersecurity: Managing Risk in the Information Age" certificate program from Harvard University. The Cybersecurity Committee regularly discusses cybersecurity risk management and best practices with the ERC and with the Audit and Risk Committees of our Board. The Audit and Risk Committees jointly oversee processes, practices and policies related to cybersecurity and receive joint and individual presentations from management and external experts on cyber and technology-related risks. Two members of our Board have completed the Carnegie Mellon/NACD Cyber-Risk Oversight Program and earned the CERT Certificate in Cybersecurity Oversight and one member of our Board has completed the NACD Master Class: Cyber-Risk Oversight Program. To date, we have not detected any risks from cybersecurity threats that have materially affected us. However, even though we take steps to employ reasonable cybersecurity efforts, not every cybersecurity incident can be prevented or detected. We also may be held responsible for cybersecurity threats affecting our third party service providers, including mortgage sub-servicers. Therefore, while we believe there are currently no risks from any potential cybersecurity threat or cybersecurity incident that are reasonably likely to have a material effect on our business strategy, results of operations or financial condition, the likelihood or severity of such risks are difficult to predict. 
For further discussion, please see the risk factors titled "We are highly dependent on information systems and networks, many of which are operated by third parties, and any failure of these systems or networks could materially and adversely affect our business" and "Cyberattacks or other information security breaches could adversely affect our business, reputation and financial condition" in Part I, Item 1A. “Risk Factors” in this Annual Report on Form 10-K.

Compliance, Regulatory and Legal Risk Management

Our business is organized as a REIT, and we seek to continue to meet the requirements for taxation as a REIT. The determination that we are a REIT requires an analysis of various factual matters and circumstances. Accordingly, we closely monitor our REIT status within our risk management program. We also regularly assess our risk management in respect of our regulated and licensed subsidiaries, which include our registered broker-dealer subsidiary Arcola, our subsidiary that is registered with the SEC as an investment adviser under the Investment Advisers Act and our subsidiary that operates as a licensed mortgage aggregator and master servicer. The financial services industry is highly regulated and receives significant attention from regulators, which may impact both our company and our business strategy. Our investments in residential whole loans and MSR require us to comply with applicable state and federal laws and regulations and maintain appropriate governmental licenses, approvals and exemptions. We proactively monitor the potential impact regulation may have both directly and indirectly on us. We maintain a process to actively monitor both actual and potential legal action that may affect us. Our risk management framework is designed to identify, measure and monitor these risks under oversight of the ERC.
We currently rely on the exemption from registration provided by Section 3(c)(5)(C) of the Investment Company Act, and we seek to continue to meet the requirements for this exemption from registration. The determination that we qualify for this exemption from registration depends on various factual matters and circumstances. Accordingly, in conjunction with our legal department, we closely monitor our compliance with Section 3(c)(5)(C) within our risk management program. Compliance with Section 3(c)(5)(C) of the Investment Company Act is monitored by the FRDC under the oversight of the ERC.

ANNALY CAPITAL MANAGEMENT, INC. AND SUBSIDIARIES
Item 7. Management’s Discussion and Analysis
