Page last updated on July 16, 2024
Franklin BSP Realty Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 16:35:33 EST.
Filings
10-K filed on 2024-02-26
Franklin BSP Realty Trust, Inc. filed a 10-K at 2024-02-26 16:35:33 EST
Accession Number: 0001562528-24-000008
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
Item 1C. “Cybersecurity” in this report. We are subject to risks from natural disasters such as earthquakes and severe weather, including as the result of global climate changes, which may result in damage to the properties securing our loans. Natural disasters and severe weather such as earthquakes, tornadoes, hurricanes or floods may result in significant damage to the properties securing our loans or in which we invest. In addition, our investments may be exposed to new or increased risks and liabilities associated with global climate change, such as increased frequency or intensity of adverse weather and natural disasters, which could negatively impact our and our borrowers’ businesses and the value of the properties securing our loans or in which we invest. The extent of our or our borrowers’ casualty losses and loss in operating income in connection with such events is a function of the severity of the event and the total amount of exposure in the affected area. While the geographic distribution of our portfolio somewhat limits our physical climate risk, some physical risk is inherent in the properties of our borrowers, particularly in certain borrowers’ locations and in the unknown potential for extreme weather or other events that could occur related to climate change. We may be materially and adversely affected by our exposure to losses arising from natural disasters or severe weather, including those associated with global climate change. In addition, global climate change concerns could result in additional legislation and regulatory requirements, including those associated with the transition to a low-carbon economy, which could increase expenses or otherwise adversely impact our business, results of operations and financial condition, or the business, results of operations and financial condition of our borrowers. Item 1B. Unresolved Staff Comments. None. Item 1C. Cybersecurity. Management and Board Oversight Our Board oversees risk management for the Company including through its approval of the investment policy and other policies of the Company and its oversight of the Advisor. For certain risks, the Board has delegated oversight responsibilities to committees of the Board. For example, the Compensation Committee oversees and reports to the Board on the assessment and mitigation of risks associated with the Company’s and the Advisor’s compensation policies and practices, and the Nominating and Corporate Governance Committee assists our Board with assessing risks associated with conflicts of interest and with ESG matters. Cybersecurity risk management is integrated into this broader risk management framework. The Board has delegated to the Audit Committee oversight of management’s programs and policies to identify, assess, manage, mitigate and monitor significant business risks of the Company, including privacy, information technology and cybersecurity risks. Information Technology and Cybersecurity Risks We have no employees and rely on the Advisor, a wholly-owned subsidiary of Franklin Templeton, to manage our day-to-day operations pursuant to the Advisory Agreement. Therefore, we rely heavily on Franklin Templeton’s information systems and their program for defending against and responding to cybersecurity threats and incidents. Franklin Templeton maintains a robust cybersecurity defense program, including a dedicated cybersecurity team led by its Chief Security Officer (“CISO”). The CISO, who reports directly to the Franklin Templeton Executive Vice President, Chief Risk and Transformation Officer, has 28 years of experience in the information technology and cybersecurity field and has been at Franklin Templeton for 12 years. The CISO provides regular briefings for our senior management team on cybersecurity matters, including threats, events, and program enhancements. In the event of an incident which jeopardizes the confidentiality, integrity, or availability of the information technology systems the Advisor uses to provide services to us pursuant to the Advisory Agreement, Franklin Templeton’s cybersecurity team utilizes a regularly updated cybersecurity incident response plan that was developed based on, and is periodically benchmarked to, applicable third-party cybersecurity standards and frameworks. Pursuant to that plan and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting obligations associated with the incident, and performing post-incident analysis and program improvements. While the particular personnel assigned to an incident response team will depend on the particular facts and circumstances, the response team is led by the CISO or his delegee. In addition, the Audit Committee approved a Company policy that supplements the Franklin Templeton incident response plan with respect to cybersecurity incidents that have or are expected to impact the Company, including by impacting the Advisor’s ability to provide services to the Company pursuant to the Advisory Agreement. Pursuant to this policy the Advisor and Franklin Templeton are required to notify and brief Company senior management and the Audit Committee with respect to certain matters related to applicable cybersecurity incidents. The policy also designates responsibility to specified members of our senior management for Company disclosure determinations related to the incident. The Audit Committee oversees, on behalf of the Board, the Company’s privacy, information technology and security and cybersecurity risk exposures, including (i) the potential impact of those exposures on the Company’s business, financial results, operations and reputation, (ii) the programs and steps implemented by management to monitor and mitigate any exposures, (iii) the Company’s information governance and information security policies and programs, and (iv) major legislative and regulatory developments that could materially impact the Company’s privacy, data security and cybersecurity risk exposure. Some members of the Audit Committee have completed certifications in cybersecurity, including one from the National Association of Corporate Directors (NACD) in Cyber-Risk Oversight. On a quarterly basis, the CISO or its delegee report to the Board or Audit Committee on information technology and cybersecurity matters, including a detailed threat assessment relating to information technology risks. Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats The Franklin Templeton cybersecurity program focuses on (1) preventing and preparing for cybersecurity incidents, (2) detecting and analyzing cybersecurity incidents, and (3) containing, eradicating, recovering from and reporting cybersecurity events. The Company has a policy that supplements the Franklin Templeton cybersecurity incident response plan and addresses reporting and disclosure considerations related to a cybersecurity incident. Prevention and Preparation Franklin Templeton undertakes regular internal and external security audits and vulnerability assessments to reduce the risk of a cybersecurity incident and they implement business continuity, contingency and recovery plans to mitigate the impact of an incident. As part of these efforts, Franklin Templeton periodically engages consultants (e.g., Cobalt, Crowdstrike and EY) to conduct external reviews of its vulnerabilities, including penetration testing and compromise assessments. Franklin Templeton employs best practice identity and access management including broad adoption of multifactor authentication, geo-location blocking, behavior analytics and controls aligned to a zero trust model. Franklin Templeton and the Advisor recognize that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, a key element of their prevention efforts is employee training on their data privacy and cyber security procedures. For example, all new hires receive mandatory privacy and information security training. In addition, current employees of the Advisor must complete mandatory annual cybersecurity and data trainings, which are supplemented by regular phishing and other cyber-related testing and trainings that we conduct throughout the year. We recognize that third parties that provide information systems used by the Advisor to provide services to the Company can be subject to cybersecurity incidents that could impact the Company. To mitigate third party risk, Franklin Templeton maintains a vendor code of conduct, which is designed to require third party vendors to comply with our requirements for maintenance of passwords, as well as other confidentiality, security, and privacy procedures. Third-party IT vendors are also subject to additional diligence such as questionnaires and inquiries. As discussed above, to support its preparedness Franklin Templeton has an incident response plan that it regularly updates. In addition, Franklin Templeton performs regularly scheduled tabletop exercises and periodic drills at least once a year to test its incident response procedures, identify improvement opportunities and exercise team preparedness. Franklin Templeton also maintains cybersecurity insurance providing coverage for certain costs related to security failures and specified cybersecurity-related incidents that interrupt our network or networks of our vendors, in all cases up to specified limits and subject to certain exclusions. Detection and Analysis Cybersecurity incidents may be detected through a variety of means, which may include, but are not limited to, automated event-detection notifications or similar technologies which are monitored by the Franklin Templeton cyber defense team, notifications from employees, borrowers or service providers, and notifications from third party information technology system providers. Franklin Templeton also has a comprehensive threat intelligence program that performs proactive analyses leveraging internal, government and third party provided intelligence to identify and mitigate risks to the firm. Once a potential cybersecurity incident is identified, including a third party cybersecurity event, the incident response team designated pursuant to the Franklin Templeton incident response plan follows the procedures set forth in the plan to investigate the potential incident, including determining the nature of the event (e.g. ransomware or personal data breach) and assessing the severity of the event and sensitivity of any compromised data. Containment, Eradication, Recovery, and Reporting In the event of a cybersecurity incident, the Franklin Templeton incident response team is initially focused on containing the cybersecurity incident as quickly as possible consistent with the procedures in the incident response plan. Containment procedures may include off-lining systems, including by disconnecting network cable, utilizing network-management tools to isolate the host, altering the DNS entry of impact hosts, and coordinating with service providers. Once a cybersecurity incident is contained the focus shifts to remediation. Eradication and recovery activities depend on the nature of the cybersecurity incident and may include rebuilding systems and/or hosts, replacing compromised files with clean versions, validation of files or data that may have been affected, and increased network monitoring or logging to identify recurring attacks. Franklin Templeton has relationships with a number of third party service providers to assist with cybersecurity containment and remediation efforts, including a forensic investigation firm, a ransomware recovery vendor, a communications firm, and various law firms. Following the conclusion of an incident, the Franklin Templeton incident response team will generally reassess the effectiveness of the cybersecurity program and incident response plan, make adjustments as appropriate and report to our senior management and Audit Committee on these matters. Cybersecurity Risks As of December 31, 2023, we are not aware of any material cybersecurity incidents that impacted the Company in the last three years. We and our Advisor routinely face risks of potential incidents, whether through cyber-attacks or cyber intrusions over the Internet, ransomware and other forms of malware, computer viruses, attachment to emails, phishing attempts, extortion or other scams; however, we have been able to prevent or sufficiently mitigate harm from such risks. Although the Advisor and Franklin Templeton, on our behalf, make efforts to maintain the security and integrity of the information technology systems the Advisor uses on our behalf, these systems and the proprietary, confidential and personal information that resides on or is transmitted through them are subject to the risk of a security incident or disruption, and there can be no assurances regarding our security efforts and measures or those of our third party providers. See “Item 1A-Risk Factors- Our business could suffer in the event our Advisor or any other party that provides us with services essential to our operations experiences system failures or cyber-incidents or a deficiency in cybersecurity.”
Item 1C. Cybersecurity. Management and Board Oversight Our Board oversees risk management for the Company including through its approval of the investment policy and other policies of the Company and its oversight of the Advisor. For certain risks, the Board has delegated oversight responsibilities to committees of the Board. For example, the Compensation Committee oversees and reports to the Board on the assessment and mitigation of risks associated with the Company’s and the Advisor’s compensation policies and practices, and the Nominating and Corporate Governance Committee assists our Board with assessing risks associated with conflicts of interest and with ESG matters. Cybersecurity risk management is integrated into this broader risk management framework. The Board has delegated to the Audit Committee oversight of management’s programs and policies to identify, assess, manage, mitigate and monitor significant business risks of the Company, including privacy, information technology and cybersecurity risks. Information Technology and Cybersecurity Risks We have no employees and rely on the Advisor, a wholly-owned subsidiary of Franklin Templeton, to manage our day-to-day operations pursuant to the Advisory Agreement. Therefore, we rely heavily on Franklin Templeton’s information systems and their program for defending against and responding to cybersecurity threats and incidents. Franklin Templeton maintains a robust cybersecurity defense program, including a dedicated cybersecurity team led by its Chief Security Officer (“CISO”). The CISO, who reports directly to the Franklin Templeton Executive Vice President, Chief Risk and Transformation Officer, has 28 years of experience in the information technology and cybersecurity field and has been at Franklin Templeton for 12 years. The CISO provides regular briefings for our senior management team on cybersecurity matters, including threats, events, and program enhancements. In the event of an incident which jeopardizes the confidentiality, integrity, or availability of the information technology systems the Advisor uses to provide services to us pursuant to the Advisory Agreement, Franklin Templeton’s cybersecurity team utilizes a regularly updated cybersecurity incident response plan that was developed based on, and is periodically benchmarked to, applicable third-party cybersecurity standards and frameworks. Pursuant to that plan and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting obligations associated with the incident, and performing post-incident analysis and program improvements. While the particular personnel assigned to an incident response team will depend on the particular facts and circumstances, the response team is led by the CISO or his delegee. In addition, the Audit Committee approved a Company policy that supplements the Franklin Templeton incident response plan with respect to cybersecurity incidents that have or are expected to impact the Company, including by impacting the Advisor’s ability to provide services to the Company pursuant to the Advisory Agreement. Pursuant to this policy the Advisor and Franklin Templeton are required to notify and brief Company senior management and the Audit Committee with respect to certain matters related to applicable cybersecurity incidents. The policy also designates responsibility to specified members of our senior management for Company disclosure determinations related to the incident. The Audit Committee oversees, on behalf of the Board, the Company’s privacy, information technology and security and cybersecurity risk exposures, including (i) the potential impact of those exposures on the Company’s business, financial results, operations and reputation, (ii) the programs and steps implemented by management to monitor and mitigate any exposures, (iii) the Company’s information governance and information security policies and programs, and (iv) major legislative and regulatory developments that could materially impact the Company’s privacy, data security and cybersecurity risk exposure. Some members of the Audit Committee have completed certifications in cybersecurity, including one from the National Association of Corporate Directors (NACD) in Cyber-Risk Oversight. On a quarterly basis, the CISO or its delegee report to the Board or Audit Committee on information technology and cybersecurity matters, including a detailed threat assessment relating to information technology risks. Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats The Franklin Templeton cybersecurity program focuses on (1) preventing and preparing for cybersecurity incidents, (2) detecting and analyzing cybersecurity incidents, and (3) containing, eradicating, recovering from and reporting cybersecurity events. The Company has a policy that supplements the Franklin Templeton cybersecurity incident response plan and addresses reporting and disclosure considerations related to a cybersecurity incident. Prevention and Preparation Franklin Templeton undertakes regular internal and external security audits and vulnerability assessments to reduce the risk of a cybersecurity incident and they implement business continuity, contingency and recovery plans to mitigate the impact of an incident. As part of these efforts, Franklin Templeton periodically engages consultants (e.g., Cobalt, Crowdstrike and EY) to conduct external reviews of its vulnerabilities, including penetration testing and compromise assessments. Franklin Templeton employs best practice identity and access management including broad adoption of multifactor authentication, geo-location blocking, behavior analytics and controls aligned to a zero trust model. Franklin Templeton and the Advisor recognize that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, a key element of their prevention efforts is employee training on their data privacy and cyber security procedures. For example, all new hires receive mandatory privacy and information security training. In addition, current employees of the Advisor must complete mandatory annual cybersecurity and data trainings, which are supplemented by regular phishing and other cyber-related testing and trainings that we conduct throughout the year. We recognize that third parties that provide information systems used by the Advisor to provide services to the Company can be subject to cybersecurity incidents that could impact the Company. To mitigate third party risk, Franklin Templeton maintains a vendor code of conduct, which is designed to require third party vendors to comply with our requirements for maintenance of passwords, as well as other confidentiality, security, and privacy procedures. Third-party IT vendors are also subject to additional diligence such as questionnaires and inquiries. As discussed above, to support its preparedness Franklin Templeton has an incident response plan that it regularly updates. In addition, Franklin Templeton performs regularly scheduled tabletop exercises and periodic drills at least once a year to test its incident response procedures, identify improvement opportunities and exercise team preparedness. Franklin Templeton also maintains cybersecurity insurance providing coverage for certain costs related to security failures and specified cybersecurity-related incidents that interrupt our network or networks of our vendors, in all cases up to specified limits and subject to certain exclusions. Detection and Analysis Cybersecurity incidents may be detected through a variety of means, which may include, but are not limited to, automated event-detection notifications or similar technologies which are monitored by the Franklin Templeton cyber defense team, notifications from employees, borrowers or service providers, and notifications from third party information technology system providers. Franklin Templeton also has a comprehensive threat intelligence program that performs proactive analyses leveraging internal, government and third party provided intelligence to identify and mitigate risks to the firm. Once a potential cybersecurity incident is identified, including a third party cybersecurity event, the incident response team designated pursuant to the Franklin Templeton incident response plan follows the procedures set forth in the plan to investigate the potential incident, including determining the nature of the event (e.g. ransomware or personal data breach) and assessing the severity of the event and sensitivity of any compromised data. Containment, Eradication, Recovery, and Reporting In the event of a cybersecurity incident, the Franklin Templeton incident response team is initially focused on containing the cybersecurity incident as quickly as possible consistent with the procedures in the incident response plan. Containment procedures may include off-lining systems, including by disconnecting network cable, utilizing network-management tools to isolate the host, altering the DNS entry of impact hosts, and coordinating with service providers. Once a cybersecurity incident is contained the focus shifts to remediation. Eradication and recovery activities depend on the nature of the cybersecurity incident and may include rebuilding systems and/or hosts, replacing compromised files with clean versions, validation of files or data that may have been affected, and increased network monitoring or logging to identify recurring attacks. Franklin Templeton has relationships with a number of third party service providers to assist with cybersecurity containment and remediation efforts, including a forensic investigation firm, a ransomware recovery vendor, a communications firm, and various law firms. Following the conclusion of an incident, the Franklin Templeton incident response team will generally reassess the effectiveness of the cybersecurity program and incident response plan, make adjustments as appropriate and report to our senior management and Audit Committee on these matters. Cybersecurity Risks As of December 31, 2023, we are not aware of any material cybersecurity incidents that impacted the Company in the last three years. We and our Advisor routinely face risks of potential incidents, whether through cyber-attacks or cyber intrusions over the Internet, ransomware and other forms of malware, computer viruses, attachment to emails, phishing attempts, extortion or other scams; however, we have been able to prevent or sufficiently mitigate harm from such risks. Although the Advisor and Franklin Templeton, on our behalf, make efforts to maintain the security and integrity of the information technology systems the Advisor uses on our behalf, these systems and the proprietary, confidential and personal information that resides on or is transmitted through them are subject to the risk of a security incident or disruption, and there can be no assurances regarding our security efforts and measures or those of our third party providers. See “Item 1A-Risk Factors- Our business could suffer in the event our Advisor or any other party that provides us with services essential to our operations experiences system failures or cyber-incidents or a deficiency in cybersecurity.”
Company Information
Name | Franklin BSP Realty Trust, Inc. |
CIK | 0001562528 |
SIC Description | Real Estate Investment Trusts |
Ticker | FBRT - NYSEFBRT-PE - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |