FORTRESS CREDIT REALTY INCOME TRUST 10-K Cybersecurity GRC - 2025-03-28

Page last updated on March 28, 2025

FORTRESS CREDIT REALTY INCOME TRUST reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-28 15:57:12 EDT.

Filings

10-K filed on 2025-03-28

FORTRESS CREDIT REALTY INCOME TRUST filed a 10-K at 2025-03-28 15:57:12 EDT
Accession Number: 0000950170-25-046739

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Our operations are highly dependent on the information systems and technology of Fortress, the indirect affiliate of our Adviser, which has implemented a cybersecurity management program. Below are details Fortress has provided to us regarding its cybersecurity program that are relevant to us. The Company uses Fortress’s cybersecurity program to assess, identify and mange material cybersecurity risks affecting the Company and its operations. Cybersecurity Processes and Risk Assessment Fortress’s cybersecurity program is focused on (i) protecting the confidentiality of business, client, investors in its funds and its employee information; (ii) maintaining the security and availability of systems and data; (iii) supporting compliance with applicable laws and regulations; (iv) documenting cybersecurity incidents and its responses; and (v) notification of cybersecurity incidents to, and communications with, appropriate internal and external parties. Fortress has implemented an information security governance policy governing cybersecurity risk, which is designed to facilitate the protection of sensitive or confidential business, client, investor and any employee information that it stores or processes, and the maintenance of critical services and systems. Fortress’s cybersecurity program is managed by Fortress’s Chief Information Security Officer and Fortress’s Chief Technology Officer (together, “Fortress IT Management”), who report to Fortress’s Chief Financial Officer. Fortress IT Management and their team are responsible for implementing Fortress’s monitoring and alert response processes, vulnerability management, changes made to its critical systems, including software and network changes, and various other technological and administrative safeguards. These processes and systems are designed to protect against unauthorized access of information, including by cyber-attacks, and Fortress’s policy and processes include, as appropriate, encryption, data loss prevention technology, authentication technology, entitlement management, access control, anti-virus and anti-malware software, and transmission of data over private networks. Fortress’s processes and systems aim to prevent or mitigate two main types of cybersecurity risk: first, cybersecurity risks associated with its physical and digital devices and infrastructure and second, cybersecurity risks associated with third parties, such as people and organizations who have access to its devices, infrastructure or confidential or sensitive information. The cybersecurity-control principles that form the basis of Fortress’s cybersecurity program are informed by the National Institute of Standards and Technology Cybersecurity Framework. Fortress’s cybersecurity program includes review and assessment by third parties of the cybersecurity processes and systems. These third parties assess and report on Fortress’s deployment of cybersecurity best practices and industry frameworks and help to identify areas for continued focus and improvement. Annual penetration testing of its network, including critical systems and systems that store confidential or sensitive information, is conducted with third party consultants and vulnerabilities are reviewed by Fortress IT Management for remediation. When Fortress engages vendors and other third-party partners who will have access to sensitive data or client systems and facilities, its infrastructure technology team assesses their cybersecurity programs and processes. Fortress also provides its employees with cybersecurity awareness training at onboarding and annually, as well as interim security reminders and alerts. Fortress conducts regular phishing tests and provides additional training as appropriate. Governance and Oversight of Cybersecurity Risks Fortress has developed an incident response framework to identify, assess and manage cybersecurity events. The framework is managed and implemented by Fortress’s Enterprise Security Steering Committee (the “ESSC”), a cross-functional management committee that includes its General Counsel, Chief Financial Officer, Chief Operating Officer, Chief Compliance Officer, Chief Human Resources Officer and Fortress IT Management. The ESSC is responsible for gathering information with respect to a cybersecurity incident, assessing its severity and potential responses, as well as communicating with business heads and senior management, as appropriate. This framework contemplates conducting simulated cybersecurity incident response exercises with members of senior management on an interim basis in coordination with external cyber counsel. Fortress’s cybersecurity program, which is overseen by the ESSC, is managed by an internal team that is responsible for enterprise-wide cybersecurity strategy, policies, engineering and processes. The team is led by Fortress’s Chief Technology Officer, who has over 30 years of experience advising on technology strategy, including digital transformation, cybersecurity, business analytics and infrastructure, and Fortress’s Chief Information Security Officer, who has over 20 years of experience in the information technology field with a focus on IT risk governance and management, information security, incident response capabilities and assessing effectiveness of controls. The ESSC meets regularly and forms cross-enterprise teams, as needed, to manage and implement key policies and initiatives of Fortress’s cybersecurity program. The Company’s board of trustees has delegated the primary responsibility for oversight and review of guidelines and policies with respect to risk assessment and risk management to an audit committee of the board of trustees (the “Audit Committee”). The Company’s CFO periodically reports to the Audit Committee as well as the full board of trustees as appropriate, on cybersecurity matters. Such reporting includes updates on Fortress’s cybersecurity program, the external threat environment and Fortress’s programs to address and mitigate the risks associated with the evolving cybersecurity threat environment. These reports also include updates on Fortress’s preparedness, prevention, detection, responsiveness and recovery with respect to cyber incidents. Impact of Cybersecurity Risks W e are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, future incidents could have a material impact on our business strategy, results of operations or financial condition. For additional discussion of the risks posed by cybersecurity threats, see “Part I. Item 1A. Risk Factors-Risks Related to Our Business and Operations-Our business and operations could suffer in the event of system failures or cybersecurity breaches.”

Company Information