Ares Core Infrastructure Fund 10-K Cybersecurity GRC - 2026-03-05

Page last updated on March 5, 2026

Ares Core Infrastructure Fund reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-05 17:11:42 EST.

Filings

10-K filed on 2026-03-05

Ares Core Infrastructure Fund filed a 10-K at 2026-03-05 17:11:42 EST
Accession Number: 0002031750-26-000015


Item 1C. Cybersecurity.

Item 1C. Cybersecurity" for additional information regarding our cybersecurity risk management program. Technological developments in artificial intelligence could disrupt the markets in which we operate and subject us to increased competition, legal and regulatory risks and compliance costs. Artificial intelligence, including machine learning technology and generative artificial intelligence, is rapidly evolving. While the full extent of current or future risks related thereto is not possible to predict, artificial intelligence could significantly disrupt the business models and markets in which we operate and subject us to increased competition, legal and regulatory risks and compliance costs, any of which could have a material adverse effect on our business or our portfolio companies' financial condition and results of operations. We, our Adviser and our Administrator use and plan to expand our use of artificial intelligence tools and technologies in the operation of our business. These uses come with potential risks, including, but not limited to, generation of inaccurate results, misuse or disclosures of confidential information, infringement of third party intellectual property rights, potential cybersecurity vulnerabilities, reputational risk and regulatory burdens. In addition, artificial intelligence models may create outputs that are flawed, inaccurate, biased, or that infringe or misappropriate intellectual property of third parties. The models may also be subject to new or different modes of cyber-attacks, including prompt injection attacks, and such attacks may be able to circumvent cybersecurity tools and processes that we or the providers of such tools have in place. To the extent we, our Adviser, our Administrator, or any of our portfolio companies rely on such technologies, these risks could negatively impact us or our portfolio companies. 
There is also a risk that artificial intelligence tools or applications may be misused by employees and/or third parties engaged by us, our Adviser or Administrator, or by our portfolio companies. For example, an employee of our Adviser may input confidential information, including material non-public information, trade secrets, or personal information, into artificial intelligence technologies in a manner that results in such information becoming part of a dataset that is accessible by third-party artificial intelligence applications and users, including our competitors. Further, we, our Adviser or Administrator or our portfolio companies may not be able to control how any third-party artificial intelligence technologies that we or they choose to use are developed or maintained, or how data we input is used or disclosed, even where we have contractual protections with respect to these matters. The misuse or misappropriation of our data could have an adverse impact on our reputation and could subject us to legal and regulatory investigations and/or actions. The misuse or misappropriation of data of any of our portfolio companies could have an adverse impact on such businesses' reputation and could subject such portfolio company to legal and regulatory investigations and/or actions. We or our portfolio companies may also be exposed to competitive risks related to the adoption of artificial intelligence or other new technologies by others within our respective industries. If our or our portfolio companies' competitors are more successful than us or our portfolio companies in the use of artificial intelligence or development of services or products based on artificial intelligence, or we or our portfolio companies adopt artificial intelligence at a slower pace than others, we or our portfolio companies may be at a competitive disadvantage.
In addition, our or our portfolio companies' investments in technology systems and artificial intelligence may not deliver the benefits we or they expect, which could be costly for our or their respective businesses. Finally, governments and regulators in the U.S. and abroad have proposed, adopted or are considering laws, regulations and guidance governing the development, deployment and use of artificial intelligence systems, including requirements relating to transparency, accountability, data governance, risk management, human oversight, cybersecurity, intellectual property and recordkeeping. For example, the European Union has adopted the EU Artificial Intelligence Act, which applies on a phased basis that began in 2025 and a number of U.S. states have enacted general artificial intelligence laws. These and other developments could increase our compliance costs, restrict our use of artificial intelligence in our business and investment processes, require changes to our policies, procedures, controls and vendor arrangements, and expose us to investigations, enforcement actions, litigation, fines, penalties or reputational harm. We are subject to numerous privacy laws, and violation of such laws may subject us to significant fines or penalties, litigation, or reputational damage, and new privacy laws could impact our business and financial performance. Many jurisdictions in which we operate have laws and regulations relating to data protection, privacy, cybersecurity and information security to which we may be subject, including, the California Consumer Privacy Act (the "CCPA"), the New York SHIELD Act, the General Data Protection Regulation ("GDPR") and the U.K. GDPR (collectively, "Privacy Laws"). These Privacy Laws and related regulations continue to evolve and may conflict with one another, resulting in compliance challenges. 
Moreover, to the extent that these laws and regulations or the enforcement of the same become more stringent, or if new laws or regulations are enacted, our financial performance or plans for growth may be adversely impacted. In addition, compliance with applicable Privacy Laws may require adhering to stringent legal and operational requirements, which could increase compliance costs for us and our Adviser and require the dedication of additional time and resources to compliance by us, our Adviser or Ares. A failure to comply with applicable Privacy Laws could result in fines, sanctions, enforcement actions or other penalties or reputational damage. Further, significant actual or potential theft, loss, corruption, exposure, fraudulent use or misuse of investor, employee or other personal information, proprietary business data or other sensitive information, whether by third parties or as a result of employee malfeasance or otherwise, non-compliance with our, our Adviser's or Ares' contractual or other legal obligations regarding such data or intellectual property or a violation of Ares' privacy and security policies with respect to such data could result in significant investigation, remediation and other costs, fines, penalties, litigation or regulatory actions against us and significant reputational harm, any of which could harm our business and results of operations. In May 2024, the SEC adopted cybersecurity regulations as an amendment to Regulation S-P designed to establish a federal "minimum standard" for covered institutions to adopt an incident response program to govern their response to any unauthorized access of customer information. The adopted rule requires compliance as of December 2025 and applies to us as it includes broker-dealers, investment companies and registered investment advisers. 
The amendments require implementation of written policies and procedures to safeguard customer records and information by imposing notification requirements to affected individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization and other requirements, such as review of incident response programs and having policies and procedures regarding compliance by third-party service providers. There may be substantial financial penalties or fines for breach of Privacy Laws (which may include insufficient security for personal or other sensitive information). For example, the maximum penalty for breach of the GDPR is the greater of 20 million Euros and 4% of group annual worldwide turnover, and fines for each violation of the CCPA are $2,500 per violation, or $7,500 per violation for intentional violations. Non-compliance with any applicable privacy or data security laws represents a serious risk to our business, and compliance may be complicated by conflicting or inconsistent laws and regulations.

Ineffective internal controls could impact our business and operating results.

Our internal control over financial reporting may not prevent or detect misstatements because of its inherent limitations, including the possibility of human error, the circumvention or overriding of controls, or fraud. Even effective internal controls can provide only reasonable assurance with respect to the preparation and fair presentation of financial statements. If we fail to maintain the adequacy of our internal controls, including any failure to implement required new or improved controls, or if we experience difficulties in their implementation, our business and operating results could be harmed and we could fail to meet our financial reporting obligations.

Item 1B. Unresolved Staff Comments

Not applicable.

Item 1C. Cybersecurity

Assessment, Identification and Management of Material Risks from Cybersecurity Threats

We rely on the cybersecurity strategy and policies implemented by Ares Management, the parent of both our Adviser and our Administrator. Ares Management's cybersecurity strategy prioritizes the detection and analysis of, and response to, known, anticipated or unexpected threats, effective management of security risks and resilience against cyber incidents. Ares Management's enterprise-wide cybersecurity program is aligned to the National Institute of Standards and Technology Cybersecurity Framework. Ares Management's cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services, which include tools and services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. Ares Management has implemented and continues to implement risk-based controls designed to prevent, detect and respond to information security threats and we rely on those controls to help us protect our information, our information systems, and the information of our investors and other third parties who entrust us with their sensitive information. Ares Management's cybersecurity program includes physical, administrative and technical safeguards, as well as plans and procedures designed to help Ares prevent and timely and effectively respond to cybersecurity threats and incidents, including threats or incidents that may impact us, our Adviser or our Administrator. Ares Management's cybersecurity risk management process seeks to monitor cybersecurity vulnerabilities and potential attack vectors, evaluate the potential operational and financial effects of any threat and mitigate such threats.
The assessment of cybersecurity threats, including those which may impact us, our Adviser or our Administrator, is integrated into Ares Management's Enterprise Risk Management program, which is overseen by the Ares Enterprise Risk Committee (the "Ares Management ERC"), as discussed below. In addition, Ares Management periodically engages with third-party consultants and key vendors to assist it in assessing, enhancing, implementing and monitoring its cybersecurity risk management programs and responding to incidents. The Ares Management cybersecurity risk management and awareness programs include periodic identification and testing of vulnerabilities, regular phishing simulations and annual general cybersecurity awareness and data protection training including for employees of our Adviser and our Administrator. Ares Management also has annual certification requirements for employees, including employees who provide services to us pursuant to the Investment Advisory Agreement and the Administration Agreement with respect to certain policies supporting the cybersecurity program including information security and electronic communications, data protection and privacy. Ares Management undertakes periodic internal security reviews of our information systems and related controls, including systems affecting personal data and the cybersecurity risks of Ares Management's and our critical third-party service providers and other partners. Ares Management also completes periodic external reviews of its cybersecurity program and practices, which include assessments of relevant data protection practices and targeted attack simulations. 
In the event of a cybersecurity incident impacting us, our Adviser, or our Administrator, Ares Management has developed an incident response plan that provides guidelines for responding to such an incident and facilitates coordination across multiple operational functions of Ares Management, including coordinating with the relevant employees of our Adviser and our Administrator. The incident response plan includes notification to the applicable members of cybersecurity leadership, including Ares Management's Chief Information Security Officer ("CISO"), and, as appropriate, escalation to the full Ares Management ERC and/or an internal ad-hoc group of senior employees, tasked with helping to manage the cybersecurity incident. Depending on their nature, incidents may also be reported to the audit committee or full board of directors of Ares Management, as well as to the Audit Committee and to our full Board, if appropriate.

Material Impact of Risks from Cybersecurity Threats

We have not experienced an information security breach incident that has materially affected our business strategy, results of operations or financial condition. The expenses we have incurred from information security breach incidents have been immaterial, and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, future incidents could have a material impact on our business strategy, results of operations or financial condition. For additional discussion of the risks posed by cybersecurity threats, see "Item 1A. Risk Factors-General Risk Factors-Security incidents or cyber-attacks, affecting us or our third-party service providers, could adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential, personal or other sensitive information and/or damage to our business relationships or reputation, any of which could negatively impact our business, financial condition and operating results."

Oversight of Cybersecurity Risks

Our cybersecurity program is managed by Ares Management's dedicated internal cybersecurity team which is responsible for enterprise-wide cybersecurity strategy, policies, standards, engineering, architecture and processes. The team is led by Ares Management's CISO who has a Master's degree in Cybersecurity from Brown University and over 25 years of experience advising on and managing risks from cybersecurity threats as well as developing and implementing cybersecurity policies and procedures. The Ares Management CISO reports cybersecurity updates to the Ares Management ERC. The Ares Management ERC is a cross-functional committee that governs and oversees the Ares Management Enterprise Risk Program, including cybersecurity. The Ares Management ERC includes Ares Management's Chief Executive Officer, Co-Presidents, Chief Financial Officer, General Counsel, Chief Information Officer, Chief Compliance Officer and Head of Enterprise Risk, who acts as chairperson of the Ares Management ERC. The Ares Management ERC, through regular consultation with the Ares Management internal cybersecurity team and employees of our Adviser and Administrator, assesses, discusses, and prioritizes Ares Management's approach to high-level risks, mitigating controls and ongoing cybersecurity efforts. The Audit Committee has primary responsibility for oversight and review of guidelines and policies with respect to risk assessment and risk management, including cybersecurity.
Periodically, reports are provided to our Audit Committee as well as our full Board, as appropriate, on cybersecurity matters, primarily through presentations by the CISO and the Ares Management Head of Enterprise Risk. Such reporting includes updates on Ares Management's cybersecurity program as it impacts us, the external threat environment, and Ares Management's programs to address and mitigate the risks associated with the evolving cybersecurity threat environment. These reports also include updates on Ares Management's preparedness, prevention, detection, responsiveness and recovery with respect to cyber incidents.


Company Information

Name: Ares Core Infrastructure Fund
CIK: 0002031750
SIC Description
Ticker
Website
Category
Emerging growth company
Fiscal Year End: December 31