Rithm Capital Corp. 10-K Cybersecurity GRC - 2025-02-18

Page last updated on February 18, 2025

Rithm Capital Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 06:49:30 EST.

Filings

10-K filed on 2025-02-18

Rithm Capital Corp. filed a 10-K at 2025-02-18 06:49:30 EST
Accession Number: 0001556593-25-000007


Item 1C. Cybersecurity.

Risk Management and Strategy

We prioritize the management of cybersecurity risk and regularly assess any risk of cybersecurity threats. In doing so, we continuously monitor and test our information systems for potential vulnerabilities pursuant to our cybersecurity program. Our cybersecurity program, led by our interim Chief Information Security Officer (“CISO”), is part of our overall enterprise risk management program, along with other significant risks that we face.

Our dedicated cybersecurity personnel supervise and monitor our controls, technologies, systems and other processes utilized to mitigate any data loss, theft, exploitation, unauthorized access or other vulnerabilities that may affect our information or data. Specifically, our cybersecurity program consists of incident response procedures, information security and vendor management due diligence, as well as participation in industry consortiums, ongoing monitoring, internal and independent testing of information systems and continuous employee education and simulations. Our independent testing includes both (i) periodic testing and evaluations performed by our internal audit team and (ii) annual network penetration testing conducted through independent third parties.

Our processes for assessing, identifying and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes. As part of these processes, we monitor the privacy and cybersecurity laws, regulations and guidance applicable to us in the regions where we do business (including, but not limited to, SEC rules, the CCPA and the Gramm-Leach-Bliley Act, as further described under the caption “Business-Regulations”), as well as proposed privacy and cybersecurity laws, regulations, guidance and emerging risks.

Additionally, in order to reduce cybersecurity risks related to our use of third-party service providers, we (i) obligate our service providers to adhere to strict privacy and cybersecurity measures and (ii) perform risk assessments of each new service provider during onboarding based on, among other things, the nature of their business and the type of information we provide to such service providers. Each service provider is assigned a tiered risk rating, which determines the frequency and extent of evaluation for the service provider. Furthermore, we collect and evaluate SIG, SOC 1 reports and Business Continuity and Disaster Recovery documents for our key service providers.

To date, cybersecurity risks, including those resulting from any previous cybersecurity incidents, have not materially affected us, our business strategy, results of operations or financial condition. We do not believe that cybersecurity risks resulting from any previous cybersecurity incidents, of which we are aware, are reasonably likely to materially affect us. Refer to the risk factor captioned “Cybersecurity incidents and technology disruptions or failures could damage our business operations and reputation, increase our costs and subject us to potential liability” in Item 1A. “Risk Factors” for additional description of cybersecurity risks and potential related impacts on the Company.

Governance

Our board of directors oversees the Company’s risk management program, including our cybersecurity program, both directly and through several committees created as part of our risk governance program. Specifically, the Audit Committee of the board, in conjunction with the Regulatory Committee (the “Regulatory Committee”), which focuses on the risk structure and governance related to regulatory risk throughout all lines of business, oversees the Company’s risk management program, which focuses on the most significant risks the Company faces in the short-, intermediate-, and long-term timeframe.
Audit Committee meetings and Regulatory Committee meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity, and reports from the CISO and Chief Information Officer (“CIO”) on the Company’s enterprise risk profile and the Company’s risk treatment policies and processes on a quarterly basis or as needed. Additionally, we have protocols by which certain cybersecurity incidents are escalated in a timely manner to the Audit Committee and the board of directors.

The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations that are designed to address cybersecurity threats and incidents. In particular, the CISO is focused on assessing, managing, mitigating and reporting on cybersecurity threats and risks and is tasked with overseeing and enhancing the security posture of the Company and its subsidiaries. This role involves prioritizing and implementing security initiatives across all organizational units. The CISO plays a critical role in protecting the Company’s assets, data and reputation by developing a robust security strategy and security awareness. Our current CISO brings over 20 years of experience in IT operations and information security with a proven track record working in large financial institutions, mortgage companies and banks, with expertise in managing complex security environments.

The CISO, in conjunction with other executive leaders such as the CIO and the Chief Legal Officer, manages the Company’s cybersecurity posture. In doing so, the CISO receives regular reports prepared by our experienced cybersecurity personnel on cybersecurity threats and continuously reviews risk management measures implemented by the Company to help identify and mitigate data protection and cybersecurity risks.


Company Information

Name: Rithm Capital Corp.
CIK: 0001556593
SIC Description: Real Estate Investment Trusts
Ticker: RITM - NYSE, RITM-PA - NYSE, RITM-PB - NYSE, RITM-PC - NYSE, RITM-PD - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30