Page last updated on February 18, 2025
TPG RE Finance Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 16:49:48 EST.
Filings
10-K filed on 2025-02-18
TPG RE Finance Trust, Inc. filed a 10-K at 2025-02-18 16:49:48 EST
Accession Number: 0001630472-25-000005
Item 1C. Cybersecurity.
As an externally managed company, our business is highly dependent on the communications and information systems of our Manager, its affiliates and third-party service providers. Our Manager is an affiliate of TPG, a leading global alternative asset manager with $246 billion in assets under management as of December 31, 2024. TPG offers a broad range of investment strategies across the alternative asset management landscape, primarily in private equity, credit, and real estate.
We, in conjunction with our Manager and TPG, have adopted processes designed to identify, assess and manage material risks from cybersecurity threats. These processes include risk assessments of internal and external threats to the confidentiality, integrity and availability of our and TPG’s data and systems along with other material risks to firm operations. These risk assessments inform TPG’s cybersecurity program and the continued development of a layered set of controls aimed at preventing, detecting and responding to threats. TPG’s administrative, organizational, technical and physical security controls include, but are not limited to, policies and procedures, system hardening, vulnerability scanning and patching, employee training and awareness, third-party risk management processes, backup and recovery processes, access controls, data encryption in transit and at rest, network perimeter controls, and identity verification. TPG also has policies and controls in place designed to detect and respond to cybersecurity events, including an incident response plan, an incident response team with dedicated roles and responsibilities for assessing and responding to a cybersecurity event, system logging and ongoing monitoring, and periodic training exercises simulating cybersecurity events that are designed to raise awareness and test the TPG team’s response readiness capabilities.
The nature, scope and effectiveness of these controls are regularly reviewed through a series of internal and external processes. TPG’s cybersecurity team performs both automated monitoring on a continuous basis and manual reviews of key controls. TPG also conducts annual assessments of TPG’s cybersecurity program using industry standard cybersecurity frameworks, such as the NIST Cybersecurity Framework, as benchmarks to perform TPG’s evaluation. This does not imply that TPG fully meets any particular industry standards, specifications or requirements. In addition, independent reviews of TPG’s cybersecurity control effectiveness are conducted by TPG’s internal audit team on a periodic basis. TPG also engages external providers to conduct periodic external assessments, including penetration testing.
Governance
Our board of directors has responsibility for the direction and oversight of our risk management. Our board of directors administers this oversight function directly, with support from its committees. In particular, the audit committee of our board of directors (the “audit committee”) has the responsibility to consider and discuss our major financial risk exposures and the steps our Manager takes, or is required to take, to monitor and control these exposures, including guidelines and policies to govern the process by which risk assessment and management is undertaken. Our audit committee also monitors compliance with legal and regulatory requirements, in addition to overseeing the performance of our internal audit function. With respect to cybersecurity, the audit committee engages in regular discussions with management regarding the Company’s significant financial risk exposures and the measures implemented to monitor and control these risks, including those that may result from material cybersecurity threats.
Pursuant to our Cybersecurity Policy, our audit committee has appointed a dedicated member of the board of directors who is primarily responsible for our cybersecurity oversight (the “Board Cyber Lead”). TPG’s chief information security officer periodically briefs the audit committee and/or the Board Cyber Lead on TPG’s information security program and cybersecurity risks, and will brief the Board Cyber Lead or audit committee as needed in connection with any potentially material cybersecurity incidents affecting the Company. Periodic briefings of the Board Cyber Lead and/or audit committee by TPG’s chief information security officer typically include topics such as risk assessment, risk management and control decisions, service provider arrangements, test results, security incidents and responses, and recommendations for changes and updates to policies and procedures.
As an externally managed company, we rely on TPG’s information systems in connection with our day-to-day operations. Consequently, we also rely on the processes for assessing, identifying, and managing material risks from cybersecurity threats undertaken by TPG. TPG has established an enterprise risk committee (“ERC”) to manage overall risk, including cybersecurity risks identified by TPG’s cybersecurity team. The ERC includes representatives from relevant functions and is led by TPG’s chief executive officer. TPG has also established an operational risk committee (“ORC”) which is responsible for applying the policy decisions of the ERC. Operational responsibility for ensuring the adequacy and effectiveness of TPG’s risk management, control and governance processes is assigned to TPG’s chief information security officer, who periodically reports, among other things, potentially material cybersecurity incidents to the ORC and reports to the ERC at least annually.
TPG’s cybersecurity team also regularly coordinates with other key stakeholders within TPG, including compliance, human resources, internal audit and legal. TPG’s chief information security officer leads TPG’s cybersecurity team, which is responsible for implementing, maintaining and enforcing TPG’s cybersecurity program. TPG’s chief information security officer previously held various leadership roles within the technology risk department of one of the world’s largest banking institutions over a 17-year period. He holds a Bachelor of Science in Electrical Engineering and Mathematics from the University of Texas at Arlington and is a Certified Information Systems Security Professional (CISSP). TPG’s cybersecurity team possesses a variety of cybersecurity skill sets and extensive expertise obtained through decades of experience, numerous industry certifications, and advanced degrees. TPG’s cybersecurity team continues to take steps to maintain up-to-date knowledge of evolving cybersecurity threats and countermeasures.
TPG employs processes to oversee and identify material risks associated with the use of third-party service providers, taking into account the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider.
As of the date of this report, we are not aware of any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Cyber criminals do, however, target us, TPG and TPG’s employees and other third parties. Ongoing or future attacks such as these could have impacts on our or TPG’s operations. For additional information on these ongoing risks, please refer to “Part 1. Item 1A. Risk Factors - Operational risks, including the risks of cyberattacks, may disrupt our businesses, result in losses or limit our growth”.
Company Information
Name | TPG RE Finance Trust, Inc. |
CIK | 0001630472 |
SIC Description | Real Estate Investment Trusts |
Ticker | TRTX - NYSE, TRTX-PC - NYSE |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |