Rithm Property Trust Inc. 10-K Cybersecurity GRC - 2025-02-14

Page last updated on February 18, 2025

Rithm Property Trust Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 18:52:42 EST.

Filings

10-K filed on 2025-02-14

Rithm Property Trust Inc. filed a 10-K at 2025-02-14 18:52:42 EST
Accession Number: 0001614806-25-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We are an externally managed company and our day-to-day operations are managed by our New Manager and our officers under the oversight of our Board of Directors. We are reliant on our New Manger, in identifying, assessing and managing material risks to our business from cybersecurity threats. Risk Management and Strategy Our New Manager, through Rithm, maintains a comprehensive cybersecurity program and regularly assesses any risk of cybersecurity threats. In doing so, Rithm continuously monitors and tests our information systems for potential vulnerabilities pursuant to our cybersecurity program. Rithm’s cybersecurity program is led by its interim Chief Information Security Officer (“CISO”) and is part of its overall enterprise risk management program. Rithm’s dedicated cybersecurity personnel supervise and monitor our controls, technologies, systems and other processes utilized to mitigate any data loss, theft, exploitation, unauthorized access or other vulnerabilities that may affect our information or data. Specifically, Rithm’s cybersecurity program consists of incident response procedures, information security and vendor management due diligence, as well as participation in industry consortiums, ongoing monitoring, internal and independent testing of information systems and continuous employee education and simulations. Rithm’s independent testing includes both (i) periodic testing and evaluations performed by its internal audit team and (ii) annual network penetration testing conducted through independent third parties. Rithm’s processes for assessing, identifying and managing material risks from cybersecurity threats have been integrated into its overall risk management system and processes. As part of these processes, Rithm monitors the privacy and cybersecurity laws, regulations and guidance applicable to us in the regions where we do, as well as proposed privacy and cybersecurity laws, regulations, guidance and emerging risks. Additionally, in order to reduce cybersecurity risks related to our use of third-party service providers, Rithm (i) obligates our service providers to adhere to strict privacy and cybersecurity measures and (ii) performs risk assessments of each new service provider during onboarding based on, among other things, the nature of their business and the type of information we provide to such service providers. Each service provider is assigned a tiered risk rating, which determines the frequency and extent of evaluation for the service provider. Furthermore, Rithm collects and evaluates SIG, SOC 1 reports and Business Continuity and Disaster Recovery documents for our key service providers. 41 To date, we have not experienced a material cybersecurity breach and no risks from cybersecurity threats have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. While the New Manager has implemented processes and procedures that it believes are tailored to address and mitigate the cybersecurity threats that our Company faces, there can be no assurances that such an incident will not occur despite our efforts, as more fully described in Item 1A. Risk Factors. For a discussion of how risks from cybersecurity threats affect our business, and our reliance on our New Manager managing these risks, see “Part 1. Item 1A. Risk Factors - Risks Related to Our Company - Security breaches and other cyber-security incidents could result in a loss of data, interruptions in our business, subject us to regulatory action and increased costs, each of which could have a material adverse effect on our business and results of operations.” in this Annual Report. Governance Our Board of Directors oversees the Company’s risk management process, including cybersecurity risks, directly and through its committees. The Audit Committee of the Board of Directors, in conjunction with the New Manager, oversees the Company’s risk management program, which focuses on the most significant risks the Company faces in the short-, intermediate-, and long-term timeframe. Audit Committee meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity, and reports from Rithm’s CISO and Chief Information Officer (“CIO”) on the Company’s enterprise risk profile and the Company’s risk treatment policies and processes on a quarterly basis or as needed. Additionally, Rithm has protocols by which certain cybersecurity incidents would be escalated in a timely manner to our Audit Committee and Board of Directors. The New Manager, through Rithm, takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations that are designed to address cybersecurity threats and incidents. In particular, the CISO is focused on assessing, managing, mitigating and reporting on cybersecurity threats and risks. The CISO plays a critical role in protecting the Company’s assets, data and reputation by developing a robust security strategy and security awareness. Rithm’s current CISO brings over 20 years of experience in IT operations and information security with a proven track record working in large financial institutions, mortgage companies and banks, with expertise in managing complex security environments. The CISO, in conjunction with other executive leaders such as the CIO and the Chief Legal Officer, manages the Company’s cybersecurity posture. In doing so, the CISO receives regular reports prepared by our experienced cybersecurity personnel on cybersecurity threats and continuously reviews risk management measures implemented by the Company to help identify and mitigate data protection and cybersecurity risks. At the employee level, the New Manager maintains an experienced information technology team tasked with implementing our privacy and cybersecurity program and support the CISO in carrying out reporting, security and mitigation functions. The New Manager also holds employee trainings on privacy and cybersecurity, as well as records and information management, and it conduct phishing tests. We generally seek to promote awareness of cybersecurity risk through communication and education of our employee population.

Company Information