Page last updated on February 19, 2026
Rithm Capital Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 19:10:50 EST.
Filings
10-K filed on 2026-02-19
Rithm Capital Corp. filed a 10-K at 2026-02-19 19:10:50 EST
Accession Number: 0001556593-26-000012
Item 1C. Cybersecurity.
Risk Management and Strategy

We consider cybersecurity risk management to be an important component of our enterprise risk management program and regularly assess and manage the risks posed by cybersecurity threats. We maintain a cybersecurity program designed to identify, assess, manage and mitigate risks to our information systems, data and operations. This program includes ongoing monitoring, testing and evaluation of our information technology environment for potential vulnerabilities and threats.

Our cybersecurity program is led by the Chief Information Security Officer ("CISO") and is integrated into our broader enterprise risk management framework, alongside other significant operational, financial and regulatory risks. Dedicated cybersecurity personnel oversee and monitor the controls, technologies, systems and processes designed to reduce the risk of data loss, theft, unauthorized access, system disruption or other cybersecurity incidents.

Key elements of our cybersecurity program include incident response and recovery planning; information security policies and standards; vendor and third-party risk management; employee training and awareness programs, including simulated phishing exercises; participation in industry information-sharing forums; and ongoing internal and external testing of our information systems. Independent testing includes periodic evaluations performed by our internal audit function and annual network penetration testing conducted by third-party specialists.

Our processes for identifying and managing material cybersecurity risks are embedded within our overall risk management processes. We also monitor developments in applicable privacy and cybersecurity laws, regulations and guidance in the jurisdictions in which we operate, including, among others, SEC rules, the CCPA and the Gramm-Leach-Bliley Act, as well as emerging regulatory requirements and evolving cybersecurity threats.

To address cybersecurity risks associated with third-party service providers, we maintain a third-party risk management program that includes contractual requirements for appropriate data protection and cybersecurity controls and risk-based due diligence during onboarding. Service providers are assigned tiered risk ratings that determine the frequency and scope of ongoing assessments. For key service providers, we obtain and review materials such as System and Organization Control ("SOC") reports, including SOC 1 reports, standard information gathering (SIG) questionnaires and business continuity and disaster recovery documentation.

To date, cybersecurity risks, including those arising from known prior cybersecurity incidents, have not materially affected our business strategy, results of operations or financial condition, and we are not aware of any cybersecurity incidents that are reasonably likely to have a material impact on the Company.

For additional discussion of cybersecurity-related risks, see Item 1A. "Risk Factors-General Risks-Cybersecurity incidents and technology disruptions or failures could damage our business operations and reputation, increase our costs and subject us to potential liability."

Governance

Our board of directors oversees the Company's enterprise risk management program, including cybersecurity risk, both directly and through its committees. The Audit Committee, together with the Regulatory Committee, which focuses on regulatory risk structure and governance across all lines of business, oversees the Company's risk management framework and the most significant risks facing the Company over the short-, intermediate- and long-term. These committees receive regular updates and engage in periodic discussions regarding key risk areas, including cybersecurity.

The Audit Committee and Regulatory Committee receive reports from the CISO and the Chief Information Officer ("CIO") regarding the Company's cybersecurity posture, enterprise risk profile and risk management policies and processes. The Company has established escalation protocols pursuant to which certain cybersecurity incidents are reported in a timely manner to the Audit Committee and, as appropriate, the full board of directors.

The Company employs a risk-based approach to cybersecurity, supported by policies, standards and controls designed to address cybersecurity threats and incidents across its operations. Responsibility for cybersecurity risk management is led by the CISO, who oversees the design and implementation of the Company's information security program and works to enhance the security posture of the Company and its subsidiaries.

The CISO coordinates closely with other members of senior management, including the CIO and the Chief Legal Officer, in managing cybersecurity risks. The CISO receives regular reports from cybersecurity personnel regarding threat intelligence, vulnerabilities and incidents and continuously evaluates the effectiveness of cybersecurity controls and risk mitigation measures.

The CISO has over 20 years of experience in information technology and information security, including experience at large financial institutions, mortgage companies and banks, and brings expertise in managing complex and regulated security environments.

Company Information
| Name | Rithm Capital Corp. |
| CIK | 0001556593 |
| SIC Description | Real Estate Investment Trusts |
| Ticker | RITM - NYSE; RITM-PA - NYSE; RITM-PB - NYSE; RITM-PC - NYSE; RITM-PD - NYSE; RITM-PE - NYSE; RITM-PF - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |