KKR & Co. Inc. 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

KKR & Co. Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:28:06 EST.

Filings

10-K filed on 2025-02-28

KKR & Co. Inc. filed a 10-K at 2025-02-28 16:28:06 EST
Accession Number: 0001404912-25-000015


Item 1C. Cybersecurity.

Cybersecurity Governance

KKR’s Chief Information Security Officer (the “KKR CISO”) leads an information security team (the “KKR information security team”) whose responsibilities include securing data from unauthorized use or access. The cybersecurity strategy and program at KKR’s asset management business includes, among other things, annual employee training about cybersecurity risks and new employee onboarding about KKR’s security policies.

Prior to joining KKR, KKR’s CISO was the CISO at another large financial institution where he was responsible for their global information security program. KKR’s CISO also has prior experience in various information security roles, including security architecture, application security, engineering and operations. He holds a Bachelor of Science in computer science from the New York University Polytechnic School of Engineering, is a Certified Information Systems Security Professional (CISSP) and holds a Series 99 - Operations Professional Exam certification.

The KKR CISO is a member of the firm’s Operational Risk Committee. The Operational Risk Committee is comprised of senior employees from across our asset management business and operating functions. The committee focuses on significant operating and business risks, which includes among others, regulatory, cybersecurity, operational, geopolitical, and reputational risks, and is responsible for ensuring risks are identified, assessed, managed and mitigated effectively. The cybersecurity risk environment for KKR’s asset management business, which includes identifying and monitoring KKR’s technology risks, including those related to information security, business disruption, fraud and privacy related risks, and also promoting cybersecurity awareness at the firm.

The Operational Risk Committee reports to KKR’s Risk and Operations Committee, which is comprised of senior employees from across our asset management and insurance businesses and operating functions. KKR’s Risk and Operations Committee includes our Chief Financial Officer, Chief Operating Officer, Chief Legal Officer and General Counsel, Chief Compliance Officer. At least annually, management will present to the Audit Committee and the Risk Committee of our Board of Directors on various topics relating to KKR’s technology risks, including KKR’s cybersecurity program, the current cybersecurity threat landscape, and risk management.

KKR also has a Chief Information Security Officer dedicated to our insurance business (the “Global Atlantic CISO”), who has more than 20 years of experience in various information security and technology roles. The Global Atlantic CISO leads an information security team that is focused on overseeing the cybersecurity strategy and program for Global Atlantic, which includes, among other things, annual employee training about cybersecurity risks and new employee onboarding about Global Atlantic’s security policies. The Global Atlantic CISO reports at least annually to the operations & technology committee of Global Atlantic’s board of directors (whose members include non-executive directors unaffiliated with KKR) and members of KKR’s Risk and Operations Committee. The Global Atlantic CISO also provides ad hoc reporting to Global Atlantic’s management-level committees and Global Atlantic’s board of directors and its risk committee. Material information regarding information security affecting our insurance business is also reported to KKR’s Risk and Operations Committee and to the Audit Committee or Risk Committee of KKR’s Board of Directors.

Cybersecurity Risk Management and Strategy

KKR’s asset management business has a cybersecurity incident response plan, which was developed taking into account industry standard guidance provided by institutes such as the National Institute of Standards and Technology. This plan is a key component of the cybersecurity program, which is generally incorporated within our enterprise risk management framework. The KKR CISO and KKR’s Chief Compliance Officer co-chair a cybersecurity incident response team (“KKR CIRT”), which aims to manage and mitigate the risk and impact of cybersecurity breach events at KKR’s asset management business, including those arising from third-party service providers, including those providers that have access to KKR’s customer and employee data.

Cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform cybersecurity-related diligence on third parties that have access to our systems, data or facilities.

In addition to the KKR CISO and our Chief Compliance Officer, the KKR CIRT includes members of the firm’s legal, technology, compliance, risk, public affairs, human capital and finance groups. KKR has established a notification decision framework to determine when the KKR CIRT will provide notifications regarding certain cybersecurity incidents, with different severity thresholds triggering notifications to different recipient groups, including the Risk and Operations Committee, senior members of management, and our Board of Directors or its committees.

The KKR information security team undertakes a variety of measures to monitor and manage the cybersecurity risks of KKR’s asset management business. Our technology platforms and applications are designed to enable us to monitor user and network behavior at KKR’s asset management business, identify threats using certain analytics, and mitigate attacks across various layers of the enterprise.

The KKR information security team conducts regular internal and external audits with third-party cybersecurity experts to identify and evaluate potential weaknesses in our cybersecurity systems. In addition, the KKR information security team conducts periodic phishing simulations, as well as periodic employee training on KKR’s security policies and controls and provides other security trainings as part of new employee onboarding.

KKR also has a cybersecurity incident response plan that is specific to our insurance business. The plan sets forth the roles and responsibilities of the Global Atlantic incident response team, which is comprised of Global Atlantic employees representing key business functions at our insurance business and is overseen by the Global Atlantic CISO. Global Atlantic utilizes several mechanisms to monitor and manage the cybersecurity risks of our insurance business, including to prevent, and prepare to respond to, an incident. This includes maintaining relationships with external incident response organizations, performing periodic cybersecurity risk assessments, overseeing and monitoring risks from cybersecurity threats associated with third-party service providers, and ensuring that Global Atlantic employees complete security awareness training relating to cybersecurity best practices. Global Atlantic also has a cybersecurity notification framework in place to determine when appropriate notifications and escalations are required to be provided to senior members of Global Atlantic’s management, members of Global Atlantic’s board of directors and members of KKR’s Risk and Operations Committee, certain members of which would, as appropriate, report such information to our Board of Directors or its Audit Committee or Risk Committee.

As of the date of this filing, we do not believe that our business strategy, results of operations or financial conditions have been materially affected by any cybersecurity incidents for the period covered by this report. However, institutions like us, as well as our employees, service providers and other third parties, have experienced information security and cybersecurity attacks in the past and will likely continue to be the target of increasingly sophisticated cyber actors. For a discussion of how risks from cybersecurity threats may affect us, see “Part 1 Item 1A. Risk Factors-Risks Related to Our Business-Cybersecurity failures and data security breaches may disrupt or have a material adverse impact on our businesses, operations and investments.”


Company Information

Name: KKR & Co. Inc.
CIK: 0001404912
SIC Description: Investment Advice
Ticker: KKR - NYSE, KKRS - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30