Apollo Realty Income Solutions, Inc. 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

Apollo Realty Income Solutions, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 16:21:43 EDT.

Filings

10-K filed on 2024-03-11

Apollo Realty Income Solutions, Inc. filed an 10-K at 2024-03-11 16:21:43 EDT
Accession Number: 0000950170-24-029303

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy As an externally managed REIT, the Company’s risk management function, including cybersecurity, is governed by the cybersecurity policies and procedures of the Adviser, an indirect subsidiary of Apollo. Apollo determines and implements appropriate risk management processes and strategies as it relates to cybersecurity for the Company and other affiliated entities managed by Apollo, and the Company relies on Apollo for assessing, identifying and managing material risks to the Company’s business from cybersecurity threats. The Apollo Global Management, Inc. (“AGM”) board of directors is involved in overseeing Apollo’s risk management program, including with respect to cybersecurity, which is a critical component of Apollo’s overall approach to enterprise risk management (“ERM”). Apollo’s cybersecurity policies and practices are fully integrated into its ERM framework through its reporting, risk management and oversight channels and are based, in part, on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. As one of the critical elements of Apollo’s overall ERM approach, Apollo’s cybersecurity program is focused on the following key areas: Governance: As discussed further under the heading “Cybersecurity Governance,” the AGM board of directors has an oversight role, as a whole and at the committee level, in overseeing management of Apollo’s risks, including its cybersecurity risks. Apollo’s Chief Information Security Officer (“CISO”) and the CISO of Athene Holding Ltd., a subsidiary of AGM, with support from the 43 Table of Contents broader Apollo Technology team, are responsible for information security strategy, policies and practices, as well as, as appropriate, with the Company’s executive officers and other representatives of the Adviser and its affiliates. Collaborative Approach: Apollo utilizes a cross-functional approach involving stakeholders across multiple departments, including Apollo Compliance, Legal, Technology, Operations, Risk and others, aimed at identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of potentially material cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management, in consultation with the Company’s management and its board of directors, as applicable, in a timely manner. Technical Safeguards: Apollo deploys technical safeguards that are designed to protect its information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved on an ongoing basis using vulnerability assessments and cybersecurity threat intelligence. Incident Response and Recovery Planning: Apollo has established and maintains incident response and recovery plans that address its response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis. Third-Party Risk Management: Apollo maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of its systems, as well as the systems of third parties that could adversely impact its business and the business of its externally managed entities such as the Company, in the event of a cybersecurity incident affecting those third-party systems. Education and Awareness: Apollo provides regular, mandatory training for personnel regarding cybersecurity threats to equip its personnel with effective tools to help mitigate cybersecurity threats, and to communicate its evolving information security policies, standards, processes and practices. Apollo engages in the periodic assessment and testing of its policies and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of its cybersecurity measures. Apollo regularly engages third parties, including auditors and consultants, to perform assessments on its cybersecurity measures, including information security maturity assessments, audits and independent reviews of its information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to Apollo’s risk management function, and Apollo adjusts its cybersecurity policies and practices as necessary based on the information provided by these assessments, audits and reviews. Cybersecurity threat risks have not materially affected the Company, including its business strategy, results of operations or financial condition. For further discussion of the risks we face from cybersecurity threats, including those that could materially affect us, see Item 1A. Risk Factors Risks Related to Our Organizational Structure Cybersecurity risks and cyber incidents may adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential information, a misappropriation of funds, and/or damage to our business relationships, all of which could negatively impact our financial results. Cybersecurity Governance The AGM board of directors’ oversight of cybersecurity risk management is supported by the audit committee of the AGM board of directors (the “AGM audit committee”), the AAM Global Risk Committee (“AGRC”), the Operational Risk Forum (the “ORF”), the Cybersecurity Working Group and management. The AGM board of directors, the AGM audit committee, the AGRC, the ORF and the Cyber Security Working Group receive regular updates on Apollo’s information technology, cybersecurity risk profile and strategy, and risk mitigation plans from Apollo’s risk management professionals, AGM’s Chief Security Officer (“CSO”), its CISO, and other members of Apollo’s management and relevant management committees and working groups. The Cyber Security Working Group is chaired by the CISO and has representation from Apollo’s Technology, Legal, Compliance, and ERM teams. The group meets at least once a quarter to discuss cybersecurity and risk mitigation activities, among other topics. The CISO regularly reports to the ORF regarding cyber risk, and the ORF in turn reports to the AGRC on a quarterly basis, noting any cyber updates when necessary or appropriate. In turn, AGM’s board of directors and/or the AGM audit committee receive quarterly risk updates from risk management professionals, as well as at least annual updates on cyber risk specifically. The full AGM board of directors or the AGM audit committee receives presentations and reports on cybersecurity risks from AGM’s CSO or CISO, as well as from AHL’s CISO, at least annually . AGM’s CSO holds an undergraduate degree in Management Information Systems and Business Administration, which he received magna cum laude. He has over 25 years of cyber-related experience, having served in various roles in technology and cybersecurity, including as Head of IT Risk Management, Executive Director of IT & Risk Compliance, and Global IT Risk Evaluation Lead at large financial institutions and consulting firms. He was also previously AGM’s CISO for nearly eight years. AGM’s CISO holds a master’s degree in Business Information Systems and has served in various roles in information technology and information security for over 25 years across a number of large financial institutions, including as Director, Cybersecurity and Risk. The AGM CISO, in coordination with the Apollo Technology and ERM teams, works collaboratively across Apollo to implement a program designed to protect its information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance 44 Table of Contents with its incident response and recovery plans. To facilitate the success of Apollo’s cybersecurity risk management program, multidisciplinary teams throughout Apollo are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to the AGM audit committee or AGM board of directors, as appropriate. As part of the risk management oversight (including oversight of cyber risks) of the audit committee of the Company’s board of directors and the Company’s board of directors, both the audit committee and board of directors regularly interact with, and receive reports from, management of the Company, the Adviser, Apollo, and other service providers. The audit committee of the Company’s board of directors and the Company’s board of directors receive presentations and reports on cybersecurity risks from AGM’s CSO or CISO, at least annually, and they address a wide range of topics including recent developments, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to Apollo’s peers and third parties. Additionally, Apollo and other service providers periodically report to management as it relates to the Company’s cybersecurity practices. Apollo’s cybersecurity incident response plan provides for proper escalation of identified cybersecurity threats and incidents, including, as appropriate, to the Company’s management. These discussions provide a mechanism for the identification of cybersecurity threats and incidents, assessment of cybersecurity risk profile or certain newly identified risks relevant to the Company, the Adviser, and evaluation of the adequacy of the Company’s cybersecurity program (as coordinated through the Adviser and Apollo), including risk mitigation, compliance and controls.

Company Information