AB Commercial Real Estate Private Debt Fund, LLC 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

AB Commercial Real Estate Private Debt Fund, LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 15:30:58 EDT.

Filings

10-K filed on 2024-04-01

AB Commercial Real Estate Private Debt Fund, LLC filed an 10-K at 2024-04-01 15:30:58 EDT
Accession Number: 0001193125-24-083290

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cyber Risk Management and Strategy We have processes in place to assess, identify, and manage material risks from cybersecurity threats. Our business is dependent on the communications and information systems of the Investment Manager and other third-party service providers. The Investment Manager manages our day-to-day operations and has implemented the Investment Manager s Information Security Program ( ISP ) that applies to the Company and its operations. We rely on the digital technology of the Investment Manager to conduct our business operations and engage with our clients and business partners. The technology that our Investment Manager, clients, and business partners rely upon becomes more complex over time as do threats to our business operations from cyber intrusions, denial of service attacks, manipulation and other cyber misconduct. Information Security is an ongoing process of exercising due care that is designed to protect corporate, client and employee information and systems from unauthorized access, destruction, disclosure, disruption and modification of use. 71 Table of Contents Through a combination of security, risk and compliance resources, the Investment Manager implements information security through a dedicated ISP that is intended to identify, assess and manage material risks from cybersecurity threats applicable to the Company, and which includes a focus on safeguarding information and assets from cyber threats, engaging in cyber threat monitoring and responding to actual or potential cyber incidents. Our ISP is led by the Investment Manager s Chief Information Security Officer ( CISO ) who actively partners with the Investment Manager s Chief Compliance Officer and Chief Risk Officer and, in turn, the Company s Board and Secretary. Ultimately, we rely on the Investment Manager s full enterprise risk framework, which includes the ISP, information technology, business continuity, resiliency and cybersecurity risk, in combination with a broader risk management team, including the Investment Manager s Chief Security Officer. The Investment Manager s CISO, with assistance from internal and external resources, is responsible for implementing and providing oversight of the ISP that applies to the Company. The ISP employs a defense-in-depth strategy: an information assurance concept in which multiple layers of security controls are distributed throughout an operating environment. The concept manages risk with diverse defensive strategies, so that if one layer of defense fails, another layer of defense will attempt to compensate. The ISP features cybersecurity policies, standards and guidelines, committee governance, training, access controls and data controls. The ISP, together with related risk and compliance resources, is designed to proactively manage the risk of threat from cybersecurity incidents through (i) implementing protocols to take cybersecurity considerations into account in adopting and onboarding our technology resources, (ii) monitoring IT controls to better ensure compliance with cybersecurity and other related legal and regulatory requirements, (iii) assessing adherence by critical and material third parties we partner with to ensure that the appropriate risk management standards are met, (iv) ensuring essential business functions remain available during a business disruption, and (v) regularly developing and updating response plans to address potential IT or cyber incidents should they occur. The Investment Manager s security, risk and compliance resources are designed to prioritize IT and cybersecurity risk areas, identify solutions that minimize such risks, pursue optimal outcomes and maintain compliance standards. We also rely on the Investment Manager s ISP to maintain an operation security function that has a real time response capability that triages potential incidents and triggers impact mitigation protocols. Additionally, we rely on the Investment Manager to utilize third parties to conduct periodic cybersecurity assessments, including assessments impacting the Company, and the Investment Manager s internal audit function includes certain cyber risk audits as part of any overall risk audit. We rely on the Investment Manager to review the recommendations and findings from those assessments and audits and implement corrective and other measures as appropriate and as may be relevant to the Company. The Investment Manager s cybersecurity processes rely predominantly on internal resources, but also include important third party resources for certain matters, including the aforementioned assessments as well as our continuous cybersecurity threat monitoring and initial incident reporting system. As part of the ISP that is applicable to the Company, the Investment Manager also performs cyber risk assessments on the Company s critical and material third party vendors during onboarding and periodically thereafter. During the reporting period, we have not had a cybersecurity incident that has materially affected, or was reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. There are risks from cybersecurity threats that if they were to occur could materially affect our business strategy, results of operations or financial condition, including as discussed in Item 1A. Risk factors A failure in cyber security systems, as well as the occurrence of events unanticipated in our disaster recovery systems and management continuity planning could impair our ability to conduct business effectively , although we do not currently believe that such a result is reasonably likely. Cyber Risk Governance The Board provides strategic oversight over the Company generally, including oversight of risks associated with cybersecurity threats. The Investment Manager s CISO and the Company s Secretary periodically report to the Board on the status of the Investment Manager s ISP, cybersecurity risks, risk management policies and risk assessment initiatives. Such reports particularly emphasize any material risks concerning the Company. The Secretary of the Company relies on the Investment Manager s Chief Compliance Officer to assist with assessing and managing material risks from cybersecurity threats. The Investment Manager s Chief Compliance Officer has 12 years of experience in the financial services industry, and during such time has acquired relevant experience overseeing and actively managing cybersecurity and information security programs for financial services companies with complex information systems. The Company s Secretary has been responsible for the general oversight function as Secretary to the Company since its inception and has worked in the financial services industry for 10 years. 72 Table of Contents Management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents impacting the Company, including through the receipt of notifications from service providers and reliance on communications with ISP personnel of the Investment Manager.

Company Information