Apollo Global Management, Inc. - (APO)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY

AGM’s board of directors is involved in overseeing the Company’s risk management program, including with respect to cybersecurity, which is a critical component of the Company’s overall approach to enterprise risk management (“ERM”). For additional information about our risk management framework, see “Part II—Item 7A. Quantitative and Qualitative Disclosures About Market Risk—Risk Management Framework.” Our cybersecurity policies and practices are fully integrated into our ERM framework through our reporting, risk management and oversight channels and are based, in part, on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards.

As one of the critical elements of the Company’s overall ERM approach, the Company’s cybersecurity program is focused on the following key areas:

Governance. As discussed further under the heading “Cybersecurity Governance”, our board of directors has an oversight role, as a whole and also at the committee level, in overseeing management of AGM’s risks, including our cybersecurity risks. AGM’s Chief Information Security Officer (“CISO”) and AHL’s CISO, with support from the broader Technology team, are responsible for information security strategy, policies and practices.
Collaborative Approach. The Company utilizes a cross-functional approach involving stakeholders across multiple departments, including Compliance, Legal, Technology, Operations, Risk and others, aimed at identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of potentially material cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Technical Safeguards. The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved on an ongoing basis using vulnerability assessments and cybersecurity threat intelligence.
Incident Response and Recovery Planning. The Company has established and maintains incident response and recovery plans that address the Company’s response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis.
Third-Party Risk Management. The Company maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
Education and Awareness. The Company provides regular, mandatory training for personnel regarding cybersecurity threats to equip the Company’s personnel with effective tools to help mitigate cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes and practices.

The Company engages in the periodic assessment and testing of the Company’s policies and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures. The Company regularly engages third parties, including auditors and consultants, to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Company’s risk management function, and the Company adjusts its cybersecurity policies and practices as necessary based on the information provided by these assessments, audits and reviews.

Cybersecurity threat risks have not materially affected the Company, including our business strategy, results of operations or financial condition. For further discussion of the risks we face from cybersecurity threats, including those that could materially affect the Company, see “Item 1A. Risk Factors—Operating Risks—We rely on technology and information systems, many of which are controlled by third-party vendors, to maintain the security of our information and technology networks and to conduct our businesses, and any failures or interruptions of these systems could adversely affect our businesses and results of operations.”

Cybersecurity Governance

In our asset management business, our board of directors’ oversight of cybersecurity risk management is supported by the audit committee of the AGM Board of Directors (the “AGM Audit Committee”), the AAM Global Risk Committee (“AGRC”), the Operational Risk Forum (the “ORF”), the Cybersecurity Working Group and management. Our board of directors, the AGM Audit Committee, the AGRC, the ORF and the Cyber Security Working Group receive regular updates on Apollo’s information technology, cybersecurity risk profile and strategy, and risk mitigation plans from the Company’s risk management professionals, the Company’s Chief Security Officer (“CSO”), CISO, other members of management and relevant management committees and working groups. The Cyber Security Working Group is chaired by the CISO and has representation from Technology, Legal, Compliance, and ERM. The group meets at least once a quarter to discuss cybersecurity and risk mitigation activities, among other topics. The CISO regularly reports to the ORF regarding cyber risk, and the ORF in turn reports to the AGRC on a quarterly basis, noting any cyber updates when necessary or appropriate. In turn, the Board and/or the AGM Audit Committee receive quarterly risk updates from our risk management professionals, as well as at least annual updates on cyber risk specifically. The full AGM board or the AGM Audit Committee receives presentations and reports on cybersecurity risks from AGM’s CSO or CISO, as well as from AHL’s CISO, at least annually, and they address a wide range of topics including recent developments, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties.

In our retirement services business, our board of directors’ oversight of cybersecurity risk management is supported by the AHL board of directors, the AHL board’s audit, risk, and legal and regulatory committees, the AHL management risk committee, the AHL management operational risk committee and AHL management. AHL’s Chief Information Officer (“CIO”), CISO, General Counsel and certain other members of AHL’s senior management meet periodically with the audit, risk, and legal and regulatory committees of AHL’s board of directors to review AHL’s information technology and cybersecurity risk profile and to discuss risk mitigation plans.

Apollo and Athene Cyber teams coordinate with and leverage one another across a number of areas. The CISOs meet regularly to discuss cyber-related risks, programs and projects. Other members of Apollo and Athene’s Cyber teams meet as needed on a variety of topics and open lines of communications are present to allow for the information sharing across the retirement services and asset management businesses.

Asset Management

The AGM CISO, in coordination with Technology and ERM, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to the AGM Audit Committee or AGM board, as appropriate.

AGM’s CSO holds an undergraduate degree in Management Information Systems and Business Administration, which he received magna cum laude. He has over 25 years of cyber-related experience, having served in various roles in technology and cybersecurity, including as Head of IT Risk Management, Executive Director of IT & Risk Compliance, and Global IT Risk Evaluation Lead at large financial institutions and consulting firms. He was also previously AGM’s CISO for nearly eight years. AGM’s CISO holds a master’s degree in Business Information Systems and has served in various roles in information technology and information security for over 25 years across a number of large financial institutions, including as Director, Cybersecurity and Risk.

Retirement Services

AHL’s information security program is managed by its CISO with collaboration across lines of businesses and corporate functions. AHL’s CISO is a senior-level executive responsible for establishing and executing AHL’s information security strategy, including cybersecurity oversight. AHL’s information security program implements a detailed cyber incident response plan that provides controls and procedures for handling cyber incidents and incorporates a cross-functional approach to addressing cyber risk, with engagement among internal working groups. AHL’s CIO and CISO are members of AHL’s management operational risk committee, which reports to AHL’s management risk committee, which reports to AHL’s board risk committee.

AHL’s CIO has over 30 years of insurance and financial services operations and technology experience, having held numerous operations and technology leadership positions, including as the Global Business Information Officer of Consumer Businesses and Chief Information Officer of Life and Retirement at large insurance companies. He holds an undergraduate degree in Business Management and a master’s degree in Management Information Systems. AHL’s CISO is responsible for managing Athene’s information security program. He has over 15 years of information security experience and is a Certified Information Systems Security Professional, Certified Information Systems Auditor, Certified Information Systems Manager, and Check Point Certified Engineer. He holds an undergraduate degree in Statistical Science and a master’s degree in business.