Brookfield Asset Management Ltd. 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

Brookfield Asset Management Ltd. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 12:31:17 EST.

Filings

10-K filed on 2026-03-02

Brookfield Asset Management Ltd. filed a 10-K at 2026-03-02 12:31:17 EST
Accession Number: 0001628280-26-013098

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Governance Cybersecurity at our company is overseen by our Board, the Audit Committee and management, and such oversight is also carried out through our Enterprise Information Security Policy ("EISP"). The Audit Committee of our Board is responsible for overseeing risk management strategies that are specific to our company, including reviewing management's assessment of the current and emerging risks and related mitigation strategies across financial and non-financial risks, including cybersecurity risks. Regular reports and updates on cybersecurity risks are made to senior management of BAM. Pursuant to the EISP, executive management has appointed a Chief Information Security Officer ("CISO"), who works closely with senior management, legal counsel and external counsel to develop and monitor our data protection, privacy and cybersecurity program and policies. The CISO provides periodic reports to the Audit Committee, which subsequently reports to the Board about data protection and cybersecurity risks and issues. The CISO has over 20 years' experience in cybersecurity oversight, holds a Bachelor's Degree in Computer Science and Economics from York University and holds a number of information security certifications, including: CISSP, CISM and CISA. Cybersecurity Risk Management and Strategy We have a cybersecurity program for assessing, identifying, and managing material risks from cybersecurity threats. This includes compliance with the EISP. Our cybersecurity program performance and effectiveness are also frequently assessed and audited internally and by third parties . We believe our cybersecurity program is reasonably designed to materially protect the integrity and availability of our information and technology. This program addresses information security governance, employee security and data privacy awareness and training, relevant access and end-point security, vulnerability management, penetration testing, security monitoring and incident response, and recovery from operational disruption. We use technologies to optimize our security risk detection and response capabilities, in addition to access controls and anti-malware protections. Data protection technology is deployed and monitored. We believe our practices align with the NIST Cybersecurity Framework in meeting and exceeding the industry average in cybersecurity practice. When we engage third parties, we have policies and processes to assess and govern their access and services, and manage the related risks affecting Brookfield's information and technology. For example, all third-party access must be authorized and have a legitimate business need. Prior to authorization and granting access, the terms and conditions of such access must be agreed to as part of a formal agreement or contract. In addition, all authorized third-party access must be limited, monitored and controlled as appropriate. In addition, all employees regularly undergo mandatory continuing cybersecurity training. Employees in higher-risk functions receive additional training and cybersecurity awareness education. Audits, cybersecurity simulations and employee testing results indicate that our program is effective in protecting our information. The effectiveness of these programs is evaluated regularly through both internal and third-party audits. In 2025, we undertook the following initiatives: completed a complex network transition to Secure Access Service Edge (SASE) network technology with enhanced zero-trust based security implemented globally; further enhanced our vulnerability management and attack surface reduction capabilities; continued improving our data protection by implementing ransomware protected backup technology; continued mandatory cybersecurity education and increasingly difficult phishing simulations for all employees. Our systems face cybersecurity risks, and we have in the past experienced threats to our data and systems. However, to date, these incidents have not had a material impact on our business strategy, results of operations, or financial condition. We can provide no assurance that we will not experience any material cybersecurity threats or incidents in the future. See "Part I-Item 1A. Risk Factors-Failure to maintain the security of our information and technology systems could have a material adverse effect on us".

Company Information