Page last updated on February 25, 2026
DYNEX CAPITAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:16:22 EST.
Filings
10-K filed on 2026-02-25
DYNEX CAPITAL INC filed a 10-K at 2026-02-25 16:16:22 EST
Accession Number: 0000826675-26-000017
Item 1C. Cybersecurity.
The Company recognizes cybersecurity as crucial to protecting its business and employees' sensitive information. The Company has implemented and maintains a security incident response policy as part of its enterprise-wide risk management system, which is intended to ensure that the Company's information technology ("IT") systems function properly and successfully assess, identify, contain, investigate, remedy, report, and respond to information security risks, threats or incidents.
The Company's IT services including, but not limited to, service desk support, endpoint management, network and server administration, cloud engineering, and cybersecurity and incident management, are provided by an IT team consisting of third-party consultants who are employed on a contract basis with assistance from the Company's IT employees. Our Chief Operating Officer has management oversight of our IT team, which is comprised of personnel who have extensive skills and experience managing technology and cybersecurity matters. Each of our IT employees and full time dedicated consultants have at least 10 years experience in information technology matters, and many have direct experience managing or implementing systems and processes to anticipate, mitigate, and manage cybersecurity risks.
To mitigate the risk of a cybersecurity incident both internally and with third parties, the Company's IT team provides mandatory cybersecurity training for all employees and contractors. They also conduct periodic training and awareness campaigns by sending employees simulated phishing attacks. The results of these simulated phishing attacks are reviewed and periodically reported to our executive officers and other members of management and the Board of Directors or its committees.
In addition to training its employees and consultants, the Company's devices and servers are equipped with cybersecurity software applications, which are continuously monitored by an expert third-party managed security service provider ("MSSP") that has numerous certifications recognized in the IT industry and provides security services for several Fortune 100 companies and certain highly secure government agencies. Different data analytics techniques are used to detect suspicious system behavior, provide contextual information, and block malicious activity. If there is a threat or malicious activity detected, the third-party MSSP is immediately alerted for further investigation and remediation. Periodically, the Company engages a third party to perform both internal and external penetration testing to assess strengths and vulnerabilities of the Company's readiness against cyber attacks.
The Risk Committee oversees the Company's enterprise risk management program, which includes periodic assessments of cybersecurity risk. As a part of these assessments, the Risk Committee reviews and discusses the Company's policies and practices in place to mitigate cybersecurity-related risks. Our executive officers and other members of management regularly present to the Board of Directors, the Risk Committee, and its other committees on our cybersecurity strategy and activities, results of testing and training, and, as needed, to inform the Board of Directors and the Risk Committee of any new or emerging threats or risks.
The Company is not aware of any material breaches in its cybersecurity operations during the three years ended December 31, 2025. Further, the Company has not identified any specific risks from cybersecurity threats that have materially affected or are likely to materially affect the Company, including its business strategy, results of operations, or financial conditions.
For more information, please also refer to our risk factor related to our reliance on third-party service providers under Part I, Item 1A, "Risk Factors" of this Annual Report on Form 10-K.
Company Information
| Name | DYNEX CAPITAL INC |
| CIK | 0000826675 |
| SIC Description | Real Estate Investment Trusts |
| Ticker | DX - NYSE; DX-PC - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |