XML 39 R20.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
The Company recognizes cybersecurity as crucial to protecting its business and employees’ sensitive information. The Company has implemented and maintains a Security Incident Response Policy as part of its enterprise-wide risk management system, which is intended to ensure that the Dynex information technology (“IT”) systems function properly and successfully assess, identify, contain, investigate, remedy, report, and respond to information security risks, threats or incidents.
The Company’s IT services including, but not limited to, service desk support, endpoint management, network and server administration, cloud engineering, and cybersecurity and incident management, are provided by an IT team consisting of primarily third-party consultants who are employed on a contract basis with assistance from the Company’s IT employees. Our IT team reports directly to the Company’s Chief Technology Officer (“CTO”) for executive oversight and accountability.
To mitigate the risk of a cybersecurity incident both internally and with third parties, the Company’s IT team provides mandatory cybersecurity training for all employees and contractors. They also conduct periodic training and awareness campaigns by sending employees simulated phishing attacks. The results of these simulated phishing attacks are reviewed and reported to management and the Board of Directors. In addition to training its employees and consultants, the Company’s devices and servers are equipped with cybersecurity software applications, which are continuously monitored by an expert third-party managed security service provider that has numerous certifications recognized in the IT industry and provides security services for several Fortune 100 companies and certain highly secure government agencies. Different data analytics techniques are used to detect
suspicious system behavior, provide contextual information, and block malicious activity. Any detected threat or malicious activity will immediately alert the security team for further investigation and remediation. Periodically, the Company engages a third party to perform both internal and external penetration testing to assess strengths and vulnerabilities of the Company’s readiness against cyber attacks.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
The Company recognizes cybersecurity as crucial to protecting its business and employees’ sensitive information. The Company has implemented and maintains a Security Incident Response Policy as part of its enterprise-wide risk management system, which is intended to ensure that the Dynex information technology (“IT”) systems function properly and successfully assess, identify, contain, investigate, remedy, report, and respond to information security risks, threats or incidents.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The Audit Committee oversees the Company’s enterprise risk management program, which includes periodic assessments of cybersecurity risk. As a part of these assessments, the Audit Committee reviews and discusses the risks identified by management and the Company’s policies and practices in place to mitigate those cybersecurity-related risks. Management presents to the Board of Directors on our cybersecurity strategy, results of testing and training, and, as needed, to inform the Board of Directors and Audit Committee of any new or emerging threats or risks.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee oversees the Company’s enterprise risk management program, which includes periodic assessments of cybersecurity risk.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Management presents to the Board of Directors on our cybersecurity strategy, results of testing and training, and, as needed, to inform the Board of Directors and Audit Committee of any new or emerging threats or risks
Cybersecurity Risk Role of Management [Text Block]
To mitigate the risk of a cybersecurity incident both internally and with third parties, the Company’s IT team provides mandatory cybersecurity training for all employees and contractors. They also conduct periodic training and awareness campaigns by sending employees simulated phishing attacks. The results of these simulated phishing attacks are reviewed and reported to management and the Board of Directors. In addition to training its employees and consultants, the Company’s devices and servers are equipped with cybersecurity software applications, which are continuously monitored by an expert third-party managed security service provider that has numerous certifications recognized in the IT industry and provides security services for several Fortune 100 companies and certain highly secure government agencies. Different data analytics techniques are used to detect
suspicious system behavior, provide contextual information, and block malicious activity. Any detected threat or malicious activity will immediately alert the security team for further investigation and remediation. Periodically, the Company engages a third party to perform both internal and external penetration testing to assess strengths and vulnerabilities of the Company’s readiness against cyber attacks
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Audit Committee oversees the Company’s enterprise risk management program, which includes periodic assessments of cybersecurity risk. As a part of these assessments, the Audit Committee reviews and discusses the risks identified by management and the Company’s policies and practices in place to mitigate those cybersecurity-related risks. Management presents to the Board of Directors on our cybersecurity strategy, results of testing and training, and, as needed, to inform the Board of Directors and Audit Committee of any new or emerging threats or risks.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] To mitigate the risk of a cybersecurity incident both internally and with third parties, the Company’s IT team provides mandatory cybersecurity training for all employees and contractors. They also conduct periodic training and awareness campaigns by sending employees simulated phishing attacks. The results of these simulated phishing attacks are reviewed and reported to management and the Board of Directors. In addition to training its employees and consultants, the Company’s devices and servers are equipped with cybersecurity software applications, which are continuously monitored by an expert third-party managed security service provider that has numerous certifications recognized in the IT industry and provides security services for several Fortune 100 companies and certain highly secure government agencies.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
To mitigate the risk of a cybersecurity incident both internally and with third parties, the Company’s IT team provides mandatory cybersecurity training for all employees and contractors. They also conduct periodic training and awareness campaigns by sending employees simulated phishing attacks. The results of these simulated phishing attacks are reviewed and reported to management and the Board of Directors. In addition to training its employees and consultants, the Company’s devices and servers are equipped with cybersecurity software applications, which are continuously monitored by an expert third-party managed security service provider that has numerous certifications recognized in the IT industry and provides security services for several Fortune 100 companies and certain highly secure government agencies. Different data analytics techniques are used to detect
suspicious system behavior, provide contextual information, and block malicious activity. Any detected threat or malicious activity will immediately alert the security team for further investigation and remediation. Periodically, the Company engages a third party to perform both internal and external penetration testing to assess strengths and vulnerabilities of the Company’s readiness against cyber attacks.
The Audit Committee oversees the Company’s enterprise risk management program, which includes periodic assessments of cybersecurity risk. As a part of these assessments, the Audit Committee reviews and discusses the risks identified by management and the Company’s policies and practices in place to mitigate those cybersecurity-related risks. Management presents to the Board of Directors on our cybersecurity strategy, results of testing and training, and, as needed, to inform the Board of Directors and Audit Committee of any new or emerging threats or risks.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true