DigitalBridge Group, Inc. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

DigitalBridge Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 17:23:20 EST.

Filings

10-K filed on 2024-02-23

DigitalBridge Group, Inc. filed an 10-K at 2024-02-23 17:23:20 EST
Accession Number: 0001679688-24-000021

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. As an asset manager, our business is highly dependent on information technology networks and systems. In addition, we believe that our position as an investment manager in the digital infrastructure space makes the security of these systems even more important to our Company and various stakeholders. See " Risk Factors Risks Related to our Organizational Structure and Business Operations “. The occurrence of a cybersecurity incident or a failure to implement effective information and cybersecurity policies, procedures and capabilities has the potential to disrupt our operations, cause material harm to our financial condition, result in misappropriation of assets, compromise confidential information and/or damage our business relationships. Accordingly, we have invested significant time and resources into maintaining effective cybersecurity defenses and response plans. We have not experienced any material cybersecurity incidents to date. Cybersecurity Risk Management and Strategy DigitalBridge s risk management program is headed by its Chief Information Officer, the Vice President of Cybersecurity and the Company s Cybersecurity Architect. They possess a diverse portfolio of highly regarded cybersecurity certifications, including certifications with a focus on risk management, and they leverage their extensive cybersecurity experience to effectively manage risk. The Company s information technology ( IT ) team is led by the Company s Chief Information Officer, and employs dedicated security staff who hold well-established cybersecurity certifications. The Company s IT team meets on a recurring basis, and at least quarterly, with the senior members of DigitalBridge Information Technology, Compliance, and Internal Audit departments to assess cybersecurity risks. Additionally, our employees and certain consultants are required to complete cybersecurity training on an annual basis to reinforce awareness of cybersecurity threats and risks to the organization. In addition to internal resources, the Company engages third parties to help test and evaluate the effectiveness and resiliency of the Company s information technology environment, provide recommendations to strengthen the program, and update us on leading cybersecurity protections and practices. The Company also works with a global strategic risk advisory firm on risks related to DigitalBridge portfolio companies. DigitalBridge assesses cybersecurity risk through a process based on the cybersecurity framework established by the U.S. National Institute of Standards and Technology (NIST). Each year, the Company s IT team conducts a series of sessions to discuss and evaluate risk and ranks the potential severity and likelihood of each identified risk, as well as the current and planned controls to mitigate such risks informed by the NIST Risk Management Framework. Based on this analysis, a risk matrix is created, and project plans are developed to prioritize and allocate resources effectively, which are then discussed with key members of management, including the Company s Chief Executive Officer, and are approved by the Company s Data Protection Team ( DPT ), which consists of the Company s Chief Information Officer, Chief Financial Officer, Chief Operating Officer, Chief Compliance Officer, Head of Internal Audit and Chief Legal Officer. Among the risks we assess is the risk of a cybersecurity incident at a third-party service provider. To evaluate and manage this risk, the DigitalBridge cybersecurity team conducts due diligence in connection with onboarding new vendors and performs annual due diligence with our key third-party vendors. Our due diligence process includes inquiries regarding risk management, human resources security, physical and environmental security, compliance, business continuity and contractual obligations. We also seek to collect cybersecurity audit reports and other supporting documentation for review. In addition, we have processes in place to evaluate the potential impact to our information technology networks and systems when we learn of a significant cybersecurity event, including contacting our key vendors to ask if they were impacted and if any Company data was compromised. In addition to the foregoing, the Company s Internal Audit team assesses the design, effectiveness and tests cyber controls, and annually as part of its SOX testing, performs a review of cybersecurity audit reports for the in-scope application vendors. Board Oversight The Company s board of directors ( Board ) is responsible for overseeing and monitoring our risk management processes, including as to cybersecurity-related risks. The Board is assisted in its oversight responsibilities by the standing Board committees, and the audit committee of the Board ( Audit Committee ) is responsible for overseeing our cybersecurity risks. Our Chief Information Officer provides cybersecurity updates and reviews the Company s cybersecurity risks and protection measures with either the Audit Committee or the full Board on at least a semi-annual basis. Topics covered in such meetings have included (i) results of quarterly phishing simulation tests, (ii) results from cybersecurity audits and penetration testing, (iii) review and enhancements to policies (including the Incident Response and Business Continuity policies) and (iv) recent, high profile cybersecurity incidents. The Board and Audit Committee also engage in regular discussions regarding cybersecurity risk management with the Company s senior management and independent and internal auditors. 39 Table of Contents Cybersecurity Incident Response Plan The DPT plays a critical role in the Incident Response Plan ( IRP ) adopted by the Company. The IRP sets forth the processes for containment, review, escalation, recovery from and remediation of any cybersecurity incidents identified by the Company. Under the IRP, any incident that is identified is promptly reviewed by the Incident Response Team ( IRT ), which is a committee of IT members, including the Company s Chief Information Officer. Any incident that the IRT determines may be material to the Company is then escalated to the DPT, which is responsible for overseeing the investigation of and response to such incidents, including ensuring that the Company s senior leadership and Audit Committee are informed and that any notification and regulatory filings are made in a timely manner.

Company Information