Rithm Capital Corp. - (RITM)
10-K Filing Date: February 17, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We prioritize the management of cybersecurity risk and regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities and test those systems pursuant to our cybersecurity program.
We use a combination of cybersecurity personnel, documented processes and purpose-driven technologies and monitoring systems to identify, protect against, detect, respond to and recover from security incidents. These encompass incident response procedures, information security and vendor management, participation in industry consortiums, continuous monitoring, internal as well as independent testing of systems, and team member education. Our independent testing includes both (i) periodic testing and evaluations performed by our internal audit firm and (ii) annual network penetration testing conducted through independent third parties. Our processes for assessing, identifying and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes. As part of these processes, we monitor the privacy and cybersecurity laws, regulations and guidance applicable to us in the regions where we do business (including, but not limited to, SEC rules, the CCPA and the Gramm-Leach-Bliley Act, as further described under the caption “Business—Regulations”), as well as proposed privacy and cybersecurity laws, regulations, guidance and emerging risks.
Additionally, in order to reduce cybersecurity risk related to the use of third-party service providers, we (i) obligate our service providers to adhere to privacy and cybersecurity measures and (ii) perform risk assessments of each new service provider during onboarding based on, among other things, the nature of their business and the type of information we provide to such service providers. Each service provider is then ranked in a tier, which tier determines the frequency and extent of evaluation for the service provider. We additionally collect SIG, SOC 1 reports and Business Continuity and Disaster Recovery documents from each of our key service providers.
To date, cybersecurity risks, including those resulting from any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition. We do not believe that cybersecurity risks resulting from any previous cybersecurity incidents of which we are aware are reasonably likely to materially affect us. Refer to the risk factor captioned “Cybersecurity incidents and technology disruptions or failures could damage our business operations and reputation, increase our costs and subject us to potential liability” in Item 1A. “Risk Factors” for additional description of cybersecurity risks and potential related impacts on the Company.
Governance
Our board of directors oversees the Company’s risk management process, including cybersecurity risks, directly and through its committees. The Audit Committee of the board, in conjunction with the Mortgage and Regulatory Compliance Committee (the “MRC Committee”), which focuses on the risk structure and governance related to the Mortgage Company’s mortgage servicing and origination business, oversees the Company’s risk management program, which focuses on the most significant risks the Company faces in the short-, intermediate-, and long-term timeframe. Audit Committee meetings and MRC Committee meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity, and reports from the Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”) on the Company’s enterprise risk profile and the Company’s risk treatment policies and processes on a quarterly basis or as needed.
The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity policies throughout its operations that are designed to address cybersecurity threats and incidents. In particular, the CISO is focused on assessing, managing, mitigating and reporting on cybersecurity threats and risks.
The CISO, in conjunction with the CIO, the Chief Risk Officer and the Chief Legal Officer, manages the Company’s cybersecurity posture. The current CISO has more than 20 years of experience in information security and information technology, including previously serving as the CISO for multiple large multinational corporations. In addition to his extensive work experience, the CISO holds a Bachelor of Science in Business Administration with an emphasis on Management of Information Systems from Alliant University and a Master of Science in Business Administration with an emphasis on Information Systems Audit from California State Polytechnic University. The CISO has the following certifications: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Fraud Examiner (CFE) and Federal Bureau of Investigation (FBI) CISO Academy Graduate. The CISO reports to the CIO and management on cybersecurity threats on a regular basis.
The CISO monitors the Company’s cybersecurity posture through the Security Incident Response Team, which consists of key individuals in the legal, human resources, compliance, privacy, risk and information security departments across Rithm Capital and its operating companies. Any escalations will then be raised by the CISO and CIO to Company management who will work with the CISO and CIO to determine the appropriate remediation effort.
At the employee level, we maintain an experienced information technology team tasked with implementing our privacy and cybersecurity program and supporting the CISO in carrying out reporting, security and mitigation functions. We also hold employee trainings on privacy and cybersecurity, as well as records and information management, and we conduct phishing tests. We generally seek to promote awareness of cybersecurity risk through communication and education of our employee population.