Blackstone Infrastructure Strategies L.P. 10-K Cybersecurity GRC - 2025-03-07

Page last updated on March 7, 2025

Blackstone Infrastructure Strategies L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-07 16:06:17 EST.

Filings

10-K filed on 2025-03-07

Blackstone Infrastructure Strategies L.P. filed a 10-K at 2025-03-07 16:06:17 EST
Accession Number: 0001193125-25-049864


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

BXINFRA’s day-to-day operations are managed by Blackstone Infrastructure Strategies Associates L.P. (the “General Partner”) subject to certain oversight rights held by the Board of Directors. The General Partner has delegated BXINFRA’s portfolio management function to Blackstone Infrastructure Advisors L.L.C. (the “Investment Manager”). The General Partner and the Investment Manager are individually and collectively referred to as the “Sponsor.” Our executive officers are senior Blackstone professionals and our General Partner and Investment Manager are both subsidiaries of Blackstone. As such, we are reliant on Blackstone for assessing, identifying and managing material risks to our business from cybersecurity threats. Below are details Blackstone has provided to us regarding its cybersecurity program that are relevant to us.

Blackstone maintains a comprehensive cybersecurity program, including policies and procedures designed to protect its systems, operations, and the data utilized and entrusted to it, including by BXINFRA, from anticipated threats or hazards. Blackstone utilizes a variety of protective measures as a part of its cybersecurity program. These measures include, where appropriate, physical and digital access controls, patch management, identity verification and mobile device management software, new hire and annual employee cybersecurity awareness and best practices training programs, security baselines and tools to report anomalous activity, and monitoring of data usage, hardware and software.

Blackstone tests its cybersecurity defenses regularly through automated and manual vulnerability scanning, to identify and remediate critical vulnerabilities. In addition, it conducts annual “white hat” penetration tests to validate its security posture. Blackstone examines its cybersecurity program every two to three years with third parties, evaluating its effectiveness in part by considering industry standards and established frameworks, such as those established by the National Institute of Standards and Technology and Center for Internet Security, as guidelines.

Further, Blackstone engages in cybersecurity incident tabletop exercises and scenario planning exercises involving hypothetical cybersecurity incidents to test its cybersecurity incident response processes. Blackstone’s Chief Security Officer (the “CSO”) and members of Blackstone’s senior management, Legal and Compliance, Technology and Innovations (“BXTI”) and Global Corporate Affairs participate in these exercises. Learnings from these tabletop exercises and any cybersecurity events Blackstone experiences are reviewed, discussed, and incorporated into its incident response processes as appropriate.

In addition to Blackstone’s internal exercises to test aspects of its cybersecurity program, Blackstone periodically engages independent third parties to analyze data on the interactions of users of Blackstone information technology resources, including Blackstone employees, and conduct penetration tests and scanning exercises to assess the performance of Blackstone’s cybersecurity systems and processes.

Blackstone has a comprehensive Security Incident Response Plan (the “IRP”), designed to inform the proper escalation (including, as appropriate, to our senior management) of non-routine suspected or confirmed information security or cybersecurity events based on the expected risk an event presents. As appropriate, a Security Incident Response Team composed of individuals from several internal technical and managerial functions may be formed to investigate and remediate the event and determine the extent of external advisor support required, including from external counsel, forensic investigators, and/or law enforcement. The IRP sets out ongoing monitoring or remediating actions to be taken after resolution of an incident. The IRP is reviewed at least annually by members of BXTI and Blackstone’s Legal and Compliance.

Blackstone maintains a formal cybersecurity risk management process and cybersecurity risk register, designed to identify, track and treat cybersecurity risks at the firm, and integrates these processes into the firm’s overall risk management practices described above. Blackstone’s CSO periodically discusses and reviews cybersecurity risks and related mitigants with its enterprise risk committee and incorporates relevant cybersecurity risk updates and metrics in the semi-annual enterprise-wide risk management report.

Blackstone has a process designed to assess the cybersecurity risks associated with the engagement of third-party vendors, including those of companies sponsored by Blackstone such as BXINFRA. This assessment is conducted on the basis of, among other factors, the types of services provided and the extent and type of Blackstone data accessed or processed by a third-party vendor. On the basis of its preliminary risk assessment of a third-party vendor, Blackstone may conduct further cybersecurity reviews or request remediation of, or contractual protections related to, any actual or potential identified cybersecurity risks. In addition, where appropriate, Blackstone seeks to include in its contractual arrangements with certain of its third-party vendors provisions addressing its requirements and industry best practices with respect to data and cybersecurity, as well as the right to assess, monitor, audit and test such vendors’ cybersecurity programs and practices. Blackstone also utilizes a number of digital controls, which are reviewed at least annually, to monitor and manage third-party access to its internal systems and data.

For a discussion of how risks from cybersecurity threats affect our business, and our reliance on Blackstone in managing these risks, see “-Item 1A. Risk Factors - Cyber Security and Operational Risk” in this Annual Report on Form 10-K.

Cybersecurity Governance

Blackstone has a dedicated cybersecurity team, led by Blackstone’s CSO, who works closely with Blackstone senior management, including Blackstone’s Chief Technology Officer (“CTO”), to develop and advance the firm’s cybersecurity program and strategy, which applies to BXINFRA. Blackstone’s CSO and CTO have extensive experience in cybersecurity and technology, respectively.

Blackstone’s CSO is a Senior Managing Director in BXTI and is responsible for all aspects of cyber and physical security across Blackstone. He has over 25 years of information security, technology and engineering experience, including having previously led the international security organization at a large credit bureau. Blackstone’s CTO is a Senior Managing Director and the head of BXTI. Blackstone’s CTO has over 23 years of information security, technology and engineering experience, including having previously served as the Chief Technology and Chief Innovation Officer at a large financial institution. Blackstone’s CTO is responsible for all aspects of technology across Blackstone, advises Blackstone’s investment teams and acts as a resource to portfolio companies on technology-related matters.

BXTI conducts periodic cybersecurity risk assessments, including assessments or audits of third-party vendors, and assists with the management and mitigation of identified cybersecurity risks. The CSO and CTO are responsible for the review of Blackstone’s cybersecurity framework annually as well as on an event-driven basis as necessary. The CSO and CTO also review the scope of Blackstone’s cybersecurity measures periodically, including in the event of a change in business practices that may implicate the security or integrity of Blackstone’s information and systems.

BXINFRA’s Board of Directors and its Audit Committee are responsible for understanding the primary risks to our business. The Audit Committee is responsible for reviewing BXINFRA’s and the Sponsor’s IT security controls with management and evaluating the adequacy of BXINFRA’s and the Sponsor’s IT security program, compliance and controls with management. Blackstone’s CSO will report to BXINFRA’s Board of Directors and/or Audit Committee periodically on cybersecurity matters, including risks facing BXINFRA and the Sponsor and, as applicable, certain incidents. In addition to such periodic reports, BXINFRA’s Board of Directors and/or Audit Committee will receive periodic reports and/or updates from management on the primary cybersecurity risks facing BXINFRA and the Sponsor and the measures we and the Sponsor are taking to mitigate such risks. In addition to such reports, the Board of Directors and/or Audit Committee will receive updates from management regarding changes to BXINFRA’s and the Sponsor’s cybersecurity risk profile or certain newly identified risks.


Company Information

Name: Blackstone Infrastructure Strategies L.P.
CIK: 0002030772
SIC Description: Investment Advice
Ticker
Website
Category: Non-accelerated filer
Emerging growth company
Fiscal Year End: December 30