TPG RE Finance Trust, Inc. 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

TPG RE Finance Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 16:12:22 EST.

Filings

10-K filed on 2024-02-20

TPG RE Finance Trust, Inc. filed an 10-K at 2024-02-20 16:12:22 EST
Accession Number: 0001630472-24-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. As an externally managed company, our business is highly dependent on the communications and information systems of our Manager, its affiliates and third-party service providers. Our Manager is an affiliate of TPG, a leading global alternative asset management firm, founded in San Francisco in 1992, with $222 billion of assets under management (as of December 31, 2023) and investment and operational teams around the world. TPG invests across a broadly diversified set of strategies, including private equity, impact, credit, real estate and market solutions. We, in conjunction with our Manager and TPG, have adopted processes designed to identify, assess and manage material risks from cybersecurity threats. These processes include responses to and assessments of internal and external threats to the security, confidentiality, integrity and availability of our and TPG s data and systems along with other material risks to firm operations. As part of its collective risk management process, TPG engages outside providers to conduct periodic internal and external penetration testing. TPG also uses the NIST Cybersecurity Framework to assess our cybersecurity controls. TPG stores data, including ours, in cloud environments with security that we believe is appropriate for the data involved, and has adopted controls around, among other things, vendor risk assessment, access and acceptable use and backup and recovery. Governance Our board of directors has responsibility for the direction and oversight of our risk management. Our board of directors administers this oversight function directly, with support from its committees. In particular, the audit committee of our board of directors (the audit committee ) has the responsibility to consider and discuss our major financial risk exposures and the steps our Manager takes, or is required to take, to monitor and control these exposures, including guidelines and policies to govern the process by which risk assessment and management is undertaken. Our audit committee also monitors compliance with legal and regulatory requirements, in addition to overseeing the performance of our internal audit function. With respect to cybersecurity, the audit committee engages in regular discussions with management regarding the Company s significant financial risk exposures and the measures implemented to monitor and control these risks, including those that may result from material cybersecurity threats. In addition, TPG s chief information security officer briefs the audit committee on TPG s information security program and cybersecurity risks at least annually, and will brief the audit committee as needed in connection with any potentially material cybersecurity incidents affecting the Company. Annual briefings of the audit committee by TPG s chief information security officer typically include topics such as risk assessment, risk management and control decisions, service provider arrangements, test results, security incidents and responses, and recommendations for changes and updates to policies and procedures. As an externally managed company, we rely on TPG s information systems in connection with our day-to-day operations. Consequently, we also rely on the processes for assessing, identifying, and managing material risks from cybersecurity threats undertaken by TPG. TPG has established an enterprise risk committee ( ERC ) to manage overall risk, including cybersecurity risks identified by the cybersecurity team. The ERC includes representatives from relevant functions and is led by TPG s chief executive officer. TPG has also established an operational risk committee ( ORC ) which is responsible for applying the policy decisions of the ERC. Operational responsibility for ensuring the adequacy and effectiveness of TPG s risk management, control and governance processes is assigned to TPG s chief information security officer, who reports, among other things, potentially material cybersecurity incidents to the ORC and, in coordination with TPG s chief information officer, reports to the ERC at least annually. TPG s chief information security officer leads TPG s cybersecurity team, which includes individuals dedicated to incident detection and response. This team is responsible for identifying threats that can impact TPG and the Company, and designing controls to mitigate vulnerabilities before they are exploited and to detect and neutralize any threats that do materialize. TPG s chief information security officer and TPG s chief information officer each have more than 20 years of experience in their fields. TPG s chief information security officer and other senior members of TPG s cybersecurity team hold industry standard certifications. TPG employs processes to oversee and identify material risks associated with the use of third-party service providers, taking into account the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider. As of the date of this report, we are not aware of any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. 64 Table of Contents

Company Information