Brookfield Asset Management Ltd. 10-K Cybersecurity GRC - 2025-03-17

Page last updated on March 17, 2025

Brookfield Asset Management Ltd. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 17:24:26 EDT.

Filings

10-K filed on 2025-03-17

Brookfield Asset Management Ltd. filed a 10-K at 2025-03-17 17:24:26 EDT
Accession Number: 0001937926-25-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Governance Cybersecurity at our company is overseen by our Board, the Audit Committee and management, as well as through our Enterprise Information Security Policy (“EISP”). The Audit Committee of our Board is responsible for overseeing risk management strategies that are specific to our company, including reviewing management’s assessment of the current and emerging risks and related mitigation strategies across financial and non-financial risks, including cybersecurity risks. Regular reports and updates on cybersecurity risks are made to senior management of BAM. Pursuant to the EISP, executive management has appointed a Chief Information Security Officer (“CISO”), who works closely with senior management, legal counsel and external counsel to develop and monitor our data protection, privacy and cybersecurity program and policies. The CISO provides periodic reports to the Audit Committee, which subsequently reports to the Board about data protection and cybersecurity risks and issues. The CISO has over 20 years’ experience in cybersecurity oversight, holds a Bachelor’s Degree in Computer Science and Economics from York University and holds a number of information security certifications, including: CISSP, CISM, CISA and CRISC. Cybersecurity Risk Management and Strategy We have a cybersecurity program for assessing, identifying, and managing material risks from cybersecurity threats. This includes compliance with the EISP. Our cybersecurity program performance and effectiveness are also frequently assessed and audited internally and by third parties . We believe our cybersecurity program is reasonably designed to materially protect the integrity and availability of our information and technology. This program addresses security governance, security awareness, employee training, relevant access and end-point security, vulnerability management, penetration testing, security monitoring and incident response. We use technologies to optimize our security risk detection and response capabilities, in addition to access controls and anti-malware protections. We believe our practices align with the NIST Cybersecurity Framework in meeting and exceeding the industry average in cybersecurity practice. In addition, all employees regularly undergo mandatory continuing cybersecurity training. Employees in higher-risk functions receive additional training and cybersecurity awareness education. Audits, cybersecurity simulations and employee testing results indicate that our program is effective in protecting our information. The effectiveness of these programs is evaluated regularly through both internal and third-party audits. In 2024, we undertook the following initiatives: further enhanced our data protection and threat-intelligence capabilities; improved our processes for third-party risk management ; continued mandatory cybersecurity education for all employees; and incorporated social engineering to our phishing simulations. When we engage third parties, we have policies and processes to govern their access and reduce the risks associated with their access. For example, all third-party access must be authorized and have a legitimate business need. Prior to authorization and granting access, the terms and conditions of such access must be agreed to as part of a formal agreement or contract. In addition, all authorized third-party access must be limited, monitored and controlled as appropriate. Our systems face cybersecurity risks, and we have in the past experienced threats to our data and systems. However, to date, these incidents have not had a material impact on our business strategy, results of operations, or financial condition. We can provide no assurance that we will not experience any material cybersecurity threats or incidents in the future. See “Part I-Item 1A. Risk Factors-Failure to maintain the security of our information and technology systems could have a material adverse effect on us”.

Company Information