Page last updated on February 26, 2026
DigitalBridge Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:21:05 EST.
Filings
10-K filed on 2026-02-26
DigitalBridge Group, Inc. filed a 10-K at 2026-02-26 16:21:05 EST
Accession Number: 0001679688-26-000021
Item 1C. Cybersecurity.
As an investment manager, our business is highly dependent on information technology networks and systems. See "Risk Factors-Risks Related to our Organizational Structure and Business Operations". The occurrence of a cybersecurity incident or a failure to implement effective information and cybersecurity policies, procedures and capabilities has the potential to disrupt our operations, cause material harm to our financial condition, result in misappropriation of assets, compromise confidential information and/or damage our business relationships. Accordingly, we have invested significant time and resources into maintaining effective cybersecurity defenses and response plans. We have purchased cybersecurity insurance, but there are no assurances that the coverage would be adequate in relation to any incurred losses.
Although we have experienced phishing and similar attempts for unauthorized access to our information technology systems, we have not experienced any known instances of material cybersecurity threats, including third-party incidents during the past three years. Similar to other firms in the financial sector, the Company continues to face an evolving cybersecurity threat landscape and evaluates emerging risks on an ongoing basis.
Cybersecurity Risk Management and Strategy
The Company's risk management program is headed by its Chief Information Officer and Cybersecurity Architect. Collectively, they possess a diverse portfolio of highly regarded cybersecurity certifications, including certifications with a focus on risk management, and are able to leverage their extensive cybersecurity experience to effectively manage risk. The Company's information technology ("IT") team is led by the Company's Chief Information Officer, and employs dedicated security staff who hold well-established cybersecurity certifications.
The Company's IT team meets on a recurring basis, and at least quarterly, with senior members of the Information Technology, Compliance, and Internal Audit departments to assess cybersecurity risks. Additionally, our employees and certain consultants are required to complete cybersecurity training during onboarding and on an annual basis to reinforce awareness of cybersecurity threats and risks to the organization.
In addition to internal resources, the Company engages third parties to help test and evaluate the effectiveness and resiliency of the Company's IT environment, including annual penetration testing, weekly vulnerability scanning, periodic security audits of cloud environments and quarterly phishing simulations. These engagements provide recommendations to strengthen the program, and provide updates on leading cybersecurity protections and practices.
The Company assesses cybersecurity risk through a process based on the cybersecurity framework established by the U.S. National Institute of Standards and Technology (NIST). Each year, the Company's IT team conducts a series of sessions to discuss and evaluate risks and ranks the potential severity and likelihood of each identified risk, as well as the current and planned controls to mitigate such risks informed by the NIST Risk Management Framework. Based upon this analysis, a formal cybersecurity risk register is maintained to identify, track and treat cybersecurity risk, and project plans are developed to prioritize and allocate resources effectively, which are then discussed with key members of management, including the Company's Chief Executive Officer, and approved by the Company's Data Protection Team ("DPT"). The DPT consists of the Company's Chief Information Officer, Chief Financial Officer, Chief Operating Officer, Chief Compliance Officer, Head of Internal Audit and Chief Legal Officer.
Among the risks assessed is the risk of a cybersecurity incident at a third-party service provider.
To evaluate and manage this risk, the cybersecurity team conducts due diligence in connection with onboarding new vendors and performs annual due diligence with our key third-party vendors. Our due diligence process includes inquiries regarding risk management, human resources security, physical and environmental security, compliance, business continuity and contractual obligations. We also seek to collect cybersecurity audit reports and other supporting documentation for review. In addition, we have processes in place to evaluate the potential impact to our IT networks and systems when we learn of a significant cybersecurity event, including contacting our key vendors to determine if they were impacted and if Company data was compromised.
The Company also evaluates cybersecurity risks associated with emerging technologies, including the use of artificial intelligence tools, and implements policies and controls to mitigate associated risks.
The Company deploys a range of technical safeguards designed to protect its information systems from cybersecurity threats. These safeguards include layered network and endpoint protections such as firewalls, intrusion detection and prevention mechanisms and advanced endpoint security technologies. The Company also maintains identity and access controls based on identity-centric, least-privilege access controls and continuous verification principles, utilizing centralized security monitoring and alerting capabilities to identify and respond to anomalous activity. Additional controls include multi-factor authentication, privileged access management, mobile device management with encryption and compliance enforcement and data loss prevention capabilities to protect sensitive information. The Company maintains continuous vulnerability management and patch management processes designed to remediate identified vulnerabilities in a timely manner and enforces device compliance as a condition of access to corporate resources.
In addition to the foregoing, the Company's Internal Audit team assesses the design and tests the effectiveness of cyber controls, and annually, as part of its internal controls testing, performs a review of service auditor reports for in-scope application vendors.
Board Oversight
The Company's board of directors ("Board") is responsible for overseeing and monitoring our risk management processes, including cybersecurity-related risks. The Board is assisted in its oversight responsibilities by the standing Board committees, and the audit committee of the Board ("Audit Committee") is responsible for overseeing our cybersecurity risks. Our Chief Information Officer provides cybersecurity updates and reviews the Company's cybersecurity risks and protection measures with either the Audit Committee or the full Board on at least a semi-annual basis. Topics covered in such meetings have included (i) results of quarterly phishing simulation tests, (ii) results from cybersecurity audits and penetration testing, (iii) review and enhancements to policies (including the Incident Response and Business Continuity policies) and (iv) any recent, significant cybersecurity incidents. The Board and Audit Committee also engage in regular discussions regarding cybersecurity risk management with the Company's senior management, internal auditors and independent auditors.
Cybersecurity Incident Response Plan
The DPT plays a critical role in the Incident Response Plan ("IRP") adopted by the Company. The IRP sets forth the processes for containment, review, escalation, recovery from and remediation of any cybersecurity incidents identified by the Company. The Company also has an external incident response specialist who supports ongoing enhancements to our incident response planning, including annual tabletop exercises, which include cross-functional participation from IT, Legal, Compliance, Finance, Investor Relations, Human Resources, and Internal Audit.
Under the IRP, high severity cybersecurity incidents are promptly reviewed by the Incident Response Team ("IRT"), which is a committee of members of the Company's IT team, including the Company's Chief Information Officer. Incident severity levels guide the escalation process, including notifications to senior leadership, the DPT and the Audit Committee. When the IRT determines a cybersecurity incident is significant, it is escalated to the DPT, who is responsible for overseeing the investigation of and response to such cybersecurity incidents, including ensuring that the Company's senior leadership and Audit Committee are informed and that notification and regulatory filings are made in a timely manner.
Company Information
| Name | DigitalBridge Group, Inc. |
| CIK | 0001679688 |
| SIC Description | Investment Advice |
| Ticker | DBRG - NYSE, DBRG-PH - NYSE, DBRG-PI - NYSE, DBRG-PJ - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |