Page last updated on February 21, 2025
DigitalBridge Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 16:29:40 EST.
Filings
10-K filed on 2025-02-21
DigitalBridge Group, Inc. filed a 10-K at 2025-02-21 16:29:40 EST
Accession Number: 0001679688-25-000017
Item 1C. Cybersecurity.
As an investment manager, our business is highly dependent on information technology networks and systems. See “Risk Factors-Risks Related to our Organizational Structure and Business Operations”. The occurrence of a cybersecurity incident or a failure to implement effective information and cybersecurity policies, procedures and capabilities has the potential to disrupt our operations, cause material harm to our financial condition, result in misappropriation of assets, compromise confidential information and/or damage our business relationships. Accordingly, we have invested significant time and resources into maintaining effective cybersecurity defenses and response plans. We have purchased cybersecurity insurance, but there are no assurances that the coverage would be adequate in relation to any incurred losses.
As of December 31, 2024, we have not experienced any material incidents from cybersecurity threats, including as a result of any previous cybersecurity incidents or threats, that have materially affected the business strategy, results of operations or financial condition of the Company or are reasonably likely to have such a material effect.
Cybersecurity Risk Management and Strategy
The Company’s risk management program is headed by its Chief Information Officer, Vice President of Cybersecurity and its Cybersecurity Architect. Collectively, they possess a diverse portfolio of highly regarded cybersecurity certifications, including certifications with a focus on risk management, and are able to leverage their extensive cybersecurity experience to effectively manage risk. The Company’s information technology (“IT”) team is led by the Company’s Chief Information Officer, and employs dedicated security staff who hold well-established cybersecurity certifications.
The Company’s IT team meets on a recurring basis, and at least quarterly, with senior members of the Information Technology, Compliance, and Internal Audit departments to assess cybersecurity risks. Additionally, our employees and certain consultants are required to complete cybersecurity training on an annual basis to reinforce awareness of cybersecurity threats and risks to the organization.
In addition to internal resources, the Company engages third parties to help test and evaluate the effectiveness and resiliency of the Company’s IT environment, provide recommendations to strengthen the program, and provide updates on leading cybersecurity protections and practices. The Company also works with a global strategic risk advisory firm on risks related to the portfolio companies of our funds.
The Company assesses cybersecurity risk through a process based on the cybersecurity framework established by the U.S. National Institute of Standards and Technology (NIST). Each year, the Company’s IT team conducts a series of sessions to discuss and evaluate risks and ranks the potential severity and likelihood of each identified risk, as well as the current and planned controls to mitigate such risks informed by the NIST Risk Management Framework. Based upon this analysis, a risk matrix is created, and project plans are developed to prioritize and allocate resources effectively, which are then discussed with key members of management, including the Company’s Chief Executive Officer, and approved by the Company’s Data Protection Team (“DPT”). The DPT consists of the Company’s Chief Information Officer, Chief Financial Officer, Chief Operating Officer, Chief Compliance Officer, Head of Internal Audit and Chief Legal Officer.
Among the risks assessed is the risk of a cybersecurity incident at a third-party service provider.
To evaluate and manage this risk, the cybersecurity team conducts due diligence in connection with onboarding new vendors and performs annual due diligence with our key third-party vendors. Our due diligence process includes inquiries regarding risk management, human resources security, physical and environmental security, compliance, business continuity and contractual obligations. We also seek to collect cybersecurity audit reports and other supporting documentation for review. In addition, we have processes in place to evaluate the potential impact to our IT networks and systems when we learn of a significant cybersecurity event, including contacting our key vendors to determine if they were impacted and if any Company data was compromised.
In addition to the foregoing, the Company’s Internal Audit team assesses the design and tests the effectiveness of cyber controls, and annually, as part of its internal controls testing, performs a review of service auditor reports for in-scope application vendors.
Board Oversight
The Company’s board of directors (“Board”) is responsible for overseeing and monitoring our risk management processes, including cybersecurity-related risks. The Board is assisted in its oversight responsibilities by the standing Board committees, and the audit committee of the Board (“Audit Committee”) is responsible for overseeing our cybersecurity risks. Our Chief Information Officer provides cybersecurity updates and reviews the Company’s cybersecurity risks and protection measures with either the Audit Committee or the full Board on at least a semi-annual basis. Topics covered in such meetings have included (i) results of quarterly phishing simulation tests, (ii) results from cybersecurity audits and penetration testing, (iii) review and enhancements to policies (including the Incident Response and Business Continuity policies) and (iv) any recent, high profile cybersecurity incidents.
The Board and Audit Committee also engage in regular discussions regarding cybersecurity risk management with the Company’s senior management, internal auditors and independent auditors.
Cybersecurity Incident Response Plan
The DPT plays a critical role in the Incident Response Plan (“IRP”) adopted by the Company. The IRP sets forth the processes for containment, review, escalation, recovery from and remediation of any cybersecurity incidents identified by the Company. Under the IRP, any incident that is identified is promptly reviewed by the Incident Response Team (“IRT”), which is a committee of IT members, including the Company’s Chief Information Officer. When the IRT determines a cybersecurity incident is significant, it is escalated to the DPT, who is responsible for overseeing the investigation of and response to such cybersecurity incidents, including ensuring that the Company’s senior leadership and Audit Committee are informed and that notification and regulatory filings are made in a timely manner.
Company Information
Name | DigitalBridge Group, Inc. |
CIK | 0001679688 |
SIC Description | Investment Advice |
Ticker | DBRG - NYSE, DBRG-PH - NYSE, DBRG-PI - NYSE, DBRG-PJ - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |