Franklin BSP Real Estate Debt, Inc. 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

Franklin BSP Real Estate Debt, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 16:31:18 EDT.

Filings

10-K filed on 2025-03-31

Franklin BSP Real Estate Debt, Inc. filed a 10-K at 2025-03-31 16:31:18 EDT
Accession Number: 0001104659-25-029919

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Management and Board Oversight Our Board will oversee risk management for the Company including through its approval of the investment policy and other policies of the Company and its oversight of the Adviser. For certain risks, the Board may delegate oversight responsibilities to committees of the Board. The Board has delegated to the Audit Committee responsibilities for monitoring the Company’s risk assessment, risk management and risk mitigation policies and programs, including matters relating to privacy and cybersecurity. Information Technology and Cybersecurity Risks We have no employees and will rely on the Adviser to manage our day-to-day operations pursuant to the Advisory Agreement. Therefore, we rely heavily on Franklin Templeton’s information systems and their program for defending against and responding to cybersecurity threats and incidents. Franklin Templeton maintains a robust cybersecurity defense program, including a dedicated cybersecurity team led by its Chief Security Officer (“CISO”). The CISO, who reports directly to the Franklin Templeton Executive Vice President, Chief Risk and Transformation Officer, has 30 years of experience in the information technology and cybersecurity field and has been at Franklin Templeton for 13 years. The CISO will provide regular briefings for our senior management team on cybersecurity matters, including threats, events, and program enhancements. 37 In the event of an incident which jeopardizes the confidentiality, integrity, or availability of the information technology systems the Adviser uses to provide services to us pursuant to the Advisory Agreement, Franklin Templeton’s cybersecurity team utilizes a regularly updated cybersecurity incident response plan that was developed based on, and is periodically benchmarked to, applicable third-party cybersecurity standards and frameworks. Pursuant to that plan and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting obligations associated with the incident, and performing post-incident analysis and program improvements. While the particular personnel assigned to an incident response team will depend on the particular facts and circumstances, the response team is led by the CISO or his delegee. In addition, the Audit Committee approved a Company policy that supplements the Franklin Templeton incident response plan with respect to cybersecurity incidents that have impacted or are expected to impact the Company, including by impacting the Adviser’s ability to provide services to the Company pursuant to the Advisory Agreement. Pursuant to this policy the Adviser and Franklin Templeton are required to notify and brief Company senior management and the Board with respect to certain matters related to applicable cybersecurity incidents. The policy also designates responsibility to specified members of our senior management for Company disclosure determinations related to the incident. The Audit Committee will oversee the Company’s privacy, information technology and security and cybersecurity risk exposures, including (i) the potential impact of those exposures on the Company’s business, financial results, operations and reputation, (ii) the programs and steps implemented by management to monitor and mitigate any exposures, (iii) the Company’s information governance and information security policies and programs, and (iv) major legislative and regulatory developments that could materially impact the Company’s privacy, data security and cybersecurity risk exposure. We expect that on a quarterly basis, the CISO or its delegee report to the Audit Committee or the Board on information technology and cybersecurity matters, including a detailed threat assessment relating to information technology risks. Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats The Franklin Templeton cybersecurity program focuses on (1) preventing and preparing for cybersecurity incidents, (2) detecting and analyzing cybersecurity incidents, and (3) containing, eradicating, recovering from and reporting cybersecurity events. The Company has a policy that supplements the Franklin Templeton cybersecurity incident response plan and addresses reporting and disclosure considerations related to a cybersecurity incident. Prevention and Preparation Franklin Templeton undertakes regular internal and external security audits and vulnerability assessments to reduce the risk of a cybersecurity incident and they implement business continuity, contingency and recovery plans to mitigate the impact of an incident. As part of these efforts, Franklin Templeton periodically engages consultants to conduct external reviews of its vulnerabilities, including penetration testing and compromise assessments. Franklin Templeton employs identity and access management including broad adoption of multifactor authentication, geo-location blocking, behavior analytics and controls aligned to a zero trust model. Franklin Templeton and the Advisor recognize that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, a key element of their prevention efforts is employee training on their data privacy and cyber security procedures. For example, new hires receive mandatory privacy and information security training. In addition, current employees of the Adviser must complete mandatory annual cybersecurity and data trainings, which are supplemented by regular phishing and other cyber-related awareness activities and trainings that we conduct throughout the year. We recognize that third parties that provide information systems used by the Adviser to provide services to the Company can be subject to cybersecurity incidents that could impact the Company. To mitigate third party risk, Franklin Templeton requires third party vendors to comply with our confidentiality, security, and privacy requirements. Third-party IT vendors are also subject to additional diligence such as questionnaires and inquiries. As discussed above, to support its preparedness Franklin Templeton has an incident response plan that it periodically updates. In addition, Franklin Templeton performs regularly scheduled tabletop exercises and periodic drills at least once a year to test its incident response procedures, identify improvement opportunities and exercise team preparedness. Franklin Templeton also maintains cybersecurity insurance providing coverage for certain costs related to security failures and specified cybersecurity-related incidents that interrupt our network or networks of our vendors, in all cases up to specified limits and subject to certain exclusions. 38 Detection and Analysis Cybersecurity incidents may be detected through a variety of means, which may include, but are not limited to, automated event-detection notifications or similar technologies which are monitored by the Franklin Templeton cyber defense team, notifications from employees, borrowers or service providers, and notifications from third party information technology system providers. Franklin Templeton also has a threat intelligence program that performs proactive analyses leveraging internal, government and third party provided intelligence to identify and mitigate risks to the firm. Once a potential cybersecurity incident is identified, including a third party cybersecurity event, the incident response team designated pursuant to the Franklin Templeton incident response plan follows the procedures set forth in the plan to investigate the potential incident, including determining the nature of the event and assessing the severity of the event. Containment, Eradication, Recovery, and Reporting In the event of a cybersecurity incident, the Franklin Templeton incident response team is responsible for deciding on a containment strategy to respond to the cybersecurity incident consistent with the procedures in the incident response plan. Once a cybersecurity incident is contained the focus shifts to remediation. Eradication and recovery activities depend on the nature of the cybersecurity incident and may include rebuilding systems and/or hosts, replacing compromised files with clean versions or validation of files or data that may have been affected. Franklin Templeton has relationships with a number of third party service providers to assist with cybersecurity containment and remediation efforts. Following the conclusion of an incident, the Franklin Templeton incident response team will generally reassess the effectiveness of the cybersecurity program and incident response plan, identify potential adjustments as appropriate and report to our senior management and Board on these matters. Cybersecurity Risks As of December 31, 2024, we are not aware of any instances of material cybersecurity incidents that impacted the Company since its inception. We and our Adviser routinely face risks of potential incidents, whether through cyber-attacks or cyber intrusions over the Internet, ransomware and other forms of malware, computer viruses, attachment to emails, phishing attempts, extortion or other scams; however, we have been able to prevent or sufficiently mitigate harm from such risks. See Item 1A " Risk Factors-General Risks Related to an Investment in Our Common Stock-Our business could suffer in the event our Adviser or any other party that provides us with services essential to our operations experiences system failures or cyber-incidents or a deficiency in cybersecurity ."

Company Information