Franklin BSP Realty Trust, Inc. 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

Franklin BSP Realty Trust, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:47:52 EST.

Filings

10-K filed on 2026-02-25

Franklin BSP Realty Trust, Inc. filed a 10-K at 2026-02-25 16:47:52 EST
Accession Number: 0001562528-26-000008


Item 1C. Cybersecurity.

Item 1C. "Cybersecurity" in this report.

Our use of or failure to adopt advancements in information technology, such as artificial intelligence, may hinder or prevent us from achieving strategic objectives or otherwise harm our business.

Our use of or inability to safely and effectively adopt and deliver new technological capabilities and enhancements in line with strategic objectives, including artificial intelligence, may put us at a competitive disadvantage, including by failure to achieve efficiencies achieved by our competitors, or by misusing such technologies in ways that result in operational disruptions, reputation damage or legal liability exposure. Although our Advisor has adopted policies with respect to these risks, including related to the development, deployment and monitoring of artificial intelligence tools, we cannot be certain that such policies will be effective.

We are subject to risks from natural disasters such as earthquakes and severe weather, including as the result of global climate changes, which may result in damage to the properties securing our loans.

Natural disasters and severe weather such as earthquakes, tornadoes, hurricanes or floods may result in significant damage to the properties securing our loans or in which we invest. In addition, our investments may be exposed to new or increased risks and liabilities associated with global climate change, such as increased frequency or intensity of adverse weather and natural disasters, which could negatively impact our and our borrowers' businesses and the value of the properties securing our loans or in which we invest. The extent of our or our borrowers' casualty losses and loss in operating income in connection with such events is a function of the severity of the event and the total amount of exposure in the affected area.
While the geographic distribution of our portfolio somewhat limits our physical climate risk, some physical risk is inherent in the properties of our borrowers, particularly in certain borrowers' locations and in the unknown potential for extreme weather or other events that could occur related to climate change. We may be materially and adversely affected by our exposure to losses arising from natural disasters or severe weather, including those associated with global climate change. In addition, global climate change concerns could result in additional legislation and regulatory requirements which could increase expenses or otherwise adversely impact our business, results of operations and financial condition, or the business, results of operations and financial condition of our borrowers.

Risks Relating to Regulatory Matters

Failure to maintain certain qualifications and licenses could adversely affect our results of operations.

Current laws and regulations impose qualification and licensing obligations on our business, in addition to imposing requirements and restrictions affecting, among other things: loan originations, interest rates, finance and other fees that we may charge, disclosures to borrowers, the terms of secured transactions, collection, repossession and claims handling procedures, personnel qualifications and other trade practices. Our business is also subject to inspection by certain state regulatory authorities. Any failure to comply with these requirements could result in a variety of consequences, including, but not limited to, the loss of the licensure required to originate, sell, or service loans, the inability to procure additional approvals or licenses, the inability to enforce our contracts, and administrative enforcement actions.
In addition, to maintain our status as an approved lender for Fannie Mae and Freddie Mac and as a HUD-approved mortgagee and issuer of Ginnie Mae securities, we are required to meet and maintain various eligibility criteria established by these entities, such as minimum net worth, operational liquidity and collateral requirements and compliance with reporting requirements. We are required to originate loans and perform our loan servicing functions in accordance with the applicable program requirements and guidelines established by these agencies. If we fail to comply with the requirements of any of these programs, the agencies may terminate or withdraw our licenses and approvals to participate in the GSE or HUD programs. In addition, the agencies have the authority under their guidelines to terminate a lender's authorization to sell loans to them and service their loans. The loss of one or more of these approvals would have a material adverse impact on our operations and could result in further disqualification with other counterparties.

Item 1B. Unresolved Staff Comments.

None.

Item 1C. Cybersecurity.

Management and Board Oversight

Our Board oversees risk management for the Company including through its approval of the investment policy and other policies of the Company and its oversight of the Advisor. For certain risks, the Board has delegated oversight responsibilities to committees of the Board. For example, the Compensation Committee oversees and reports to the Board on the assessment and mitigation of risks associated with the Company's and the Advisor's compensation policies and practices, and the Nominating and Corporate Governance Committee assists our Board with assessing risks associated with conflicts of interest and with ESG matters. Cybersecurity risk management is integrated into this broader risk management framework.
The Board has delegated to the Audit Committee oversight of management's programs and policies to identify, assess, manage, mitigate and monitor significant business risks of the Company, including privacy, information technology and cybersecurity risks.

Information Technology and Cybersecurity Risks

We rely on the Advisor, a wholly-owned subsidiary of Franklin Templeton, to manage our day-to-day operations pursuant to the Advisory Agreement, including our information technology infrastructure and cybersecurity. Therefore, we rely heavily on Franklin Templeton's information systems and their program for defending against and responding to cybersecurity threats and incidents. Franklin Templeton maintains a robust cybersecurity defense program, including a dedicated cybersecurity team led by its Chief Security Officer ("CISO"). The CISO, who reports directly to the Franklin Templeton Executive Vice President, Chief Risk and Transformation Officer, has 31 years of experience in the information technology and cybersecurity field and has been at Franklin Templeton for 14 years. The CISO provides regular briefings for our senior management team on cybersecurity matters, including threats, events, and program enhancements. In the event of an incident which jeopardizes the confidentiality, integrity, or availability of the information technology systems the Advisor uses to provide services to us pursuant to the Advisory Agreement, Franklin Templeton's cybersecurity team utilizes a regularly updated cybersecurity incident response plan that was developed based on, and is periodically benchmarked to, applicable third-party cybersecurity standards and frameworks.
Pursuant to that plan and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting obligations associated with the incident, and performing post-incident analysis and program improvements. While the particular personnel assigned to an incident response team will depend on the particular facts and circumstances, the response team is led by the CISO or his delegee. In addition, the Audit Committee approved a Company policy that supplements the Franklin Templeton incident response plan with respect to cybersecurity incidents that have impacted or are expected to impact the Company, including by impacting the Advisor's ability to provide services to the Company pursuant to the Advisory Agreement. Pursuant to this policy the Advisor and Franklin Templeton are required to notify and brief Company senior management and the Audit Committee with respect to certain matters related to applicable cybersecurity incidents. The policy also designates responsibility to specified members of our senior management for Company disclosure determinations related to the incident. The Audit Committee oversees, on behalf of the Board, the Company's privacy, information technology and security and cybersecurity risk exposures, including (i) the potential impact of those exposures on the Company's business, financial results, operations and reputation, (ii) the programs and steps implemented by management to monitor and mitigate any exposures, (iii) the Company's information governance and information security policies and programs, and (iv) major legislative and regulatory developments that could materially impact the Company's privacy, data security and cybersecurity risk exposure. 
Some members of the Audit Committee have completed certifications in cybersecurity, including one from the National Association of Corporate Directors (NACD) in Cyber-Risk Oversight. On a quarterly basis, the CISO or its delegee report to the Board or Audit Committee on information technology and cybersecurity matters, including a detailed threat assessment relating to information technology risks.

Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

The Franklin Templeton cybersecurity program focuses on (1) preventing and preparing for cybersecurity incidents, (2) detecting and analyzing cybersecurity incidents, and (3) containing, eradicating, recovering from and reporting cybersecurity events. The Company has a policy that supplements the Franklin Templeton cybersecurity incident response plan and addresses reporting and disclosure considerations related to a cybersecurity incident.

Prevention and Preparation

Franklin Templeton undertakes regular internal and external security audits and vulnerability assessments to reduce the risk of a cybersecurity incident and they implement business continuity, contingency and recovery plans to mitigate the impact of an incident. As part of these efforts, Franklin Templeton periodically engages consultants to conduct external reviews of its vulnerabilities, including penetration testing and compromise assessments. Franklin Templeton employs identity and access management including broad adoption of multifactor authentication, geo-location blocking, behavior analytics and controls aligned to a zero trust model. Franklin Templeton and the Advisor recognize that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, a key element of their prevention efforts is employee training on their data privacy and cyber security procedures. For example, new hires receive mandatory privacy and information security training.
In addition, current employees of the Advisor must complete mandatory annual cybersecurity and data trainings, which are supplemented by regular phishing and other cyber-related awareness activities and trainings that we conduct throughout the year. We recognize that third parties that provide information systems used by the Advisor to provide services to the Company can be subject to cybersecurity incidents that could impact the Company. To mitigate third party risk, Franklin Templeton requires third party vendors to comply with our confidentiality, security, and privacy requirements. Third-party IT vendors are also subject to additional diligence such as questionnaires and inquiries. As discussed above, to support its preparedness Franklin Templeton has an incident response plan that it periodically updates. In addition, Franklin Templeton performs regularly scheduled tabletop exercises and periodic drills at least once a year to test its incident response procedures, identify improvement opportunities and exercise team preparedness. Franklin Templeton also maintains cybersecurity insurance providing coverage for certain costs related to security failures and specified cybersecurity-related incidents that interrupt our network or networks of our vendors, in all cases up to specified limits and subject to certain exclusions.

Detection and Analysis

Cybersecurity incidents may be detected through a variety of means, which may include, but are not limited to, automated event-detection notifications or similar technologies which are monitored by the Franklin Templeton cyber defense team, notifications from employees, borrowers or service providers, and notifications from third party information technology system providers. Franklin Templeton also has a threat intelligence program that performs proactive analyses leveraging internal, government and third party provided intelligence to identify and mitigate risks to the firm.
Once a potential cybersecurity incident is identified, including a third party cybersecurity event, the incident response team designated pursuant to the Franklin Templeton incident response plan follows the procedures set forth in the plan to investigate the potential incident, including determining the nature of the event and assessing the severity of the event.

Containment, Eradication, Recovery, and Reporting

In the event of a cybersecurity incident, the Franklin Templeton incident response team is responsible for deciding on a containment strategy to respond to the cybersecurity incident consistent with the procedures in the incident response plan. Once a cybersecurity incident is contained the focus shifts to remediation. Eradication and recovery activities depend on the nature of the cybersecurity incident and may include rebuilding systems and/or hosts, replacing compromised files with clean versions or validation of files or data that may have been affected. Franklin Templeton has relationships with a number of third party service providers to assist with cybersecurity containment and remediation efforts. Following the conclusion of an incident, the Franklin Templeton incident response team will generally reassess the effectiveness of the cybersecurity program and incident response plan, identify potential adjustments as appropriate and report to our senior management and Audit Committee on these matters.

Cybersecurity Risks

As of December 31, 2025, we have not had any known instances of material cybersecurity incidents, including third-party incidents, during any of the prior three fiscal years. We and our Advisor routinely face risks of potential incidents, whether through cyber-attacks or cyber intrusions over the Internet, ransomware and other forms of malware, computer viruses, attachment to emails, phishing attempts, extortion or other scams; however, we have been able to prevent or sufficiently mitigate harm from such risks.
See "Item 1A-Risk Factors-Our business could suffer in the event our Advisor or any other party that provides us with services essential to our operations experiences system failures or cyber-incidents or a deficiency in cybersecurity."


Company Information

Name: Franklin BSP Realty Trust, Inc.
CIK: 0001562528
SIC Description: Real Estate Investment Trusts
Ticker: FBRT - NYSE; FBRT-PE - NYSE
Category: Large accelerated filer
Fiscal Year End: December 31