Ares Management Corp - (ARES)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity
Assessment, Identification and Management of Material Risks from Cybersecurity
Our cybersecurity strategy prioritizes the detection and analysis of, and response to, known, anticipated or unexpected threats, effective management of security risks and resilience against cyber incidents. Our enterprise-wide cybersecurity program is aligned to the National Institute of Standards and Technology Cybersecurity Framework. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services, which include tools and services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. We have implemented and continue to implement risk-based controls designed to prevent, detect and respond to information security threats and protect our information, our information systems, and the information of our investors, employees and other third parties who entrust us with their sensitive information.
Our cybersecurity program includes physical, administrative and technical safeguards, and we maintain plans and procedures designed to help us prevent and timely and effectively respond to cybersecurity threats and incidents. Through our cybersecurity risk management process, we seek to monitor cybersecurity vulnerabilities and potential attack vectors, evaluate the potential operational and financial effects of any threat and mitigate such threats. The assessment of cybersecurity risks is integrated into our Enterprise Risk Management program, which is overseen by our Enterprise Risk Committee (the “ERC”), as discussed below. In addition, we periodically engage third-party consultants and engage with key vendors to assist us in assessing, enhancing, implementing, and monitoring our cybersecurity risk management programs and responding to incidents.
Our cybersecurity risk management and awareness programs include periodic identification and testing of vulnerabilities, regular phishing simulations and annual general cybersecurity awareness and data protection training. We also have annual certification requirements for employees with respect to certain policies supporting the cybersecurity program including information security and electronic communications, data protection and privacy. We undertake periodic internal security reviews of our information systems and related controls, including systems affecting personal data and the cybersecurity risks of our critical third-party service providers and other partners. We also complete periodic external reviews of our cybersecurity program and practices, which include assessments of our data protection practices and targeted attack simulations.
In the event of a cybersecurity incident, we have developed an incident response plan that provides guidelines for responding to an incident and facilitates coordination across multiple operational functions. The incident response plan includes notification to the applicable members of cybersecurity leadership, including the Chief Information Security Officer (“CISO”), and, as appropriate, escalation to the full ERC and/or an internal ad-hoc group of senior employees tasked with helping to manage the cybersecurity incident. Depending on their nature, incidents may also be reported to the audit committee of our board of directors and to our full board of directors, if appropriate.
Material Impact of Cybersecurity Risks
In the last three fiscal years, we have not experienced a material information security breach incident and the expenses we have incurred from information security breach incidents have been immaterial, and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. However, future incidents could have a material impact on our business strategy, results of operations, or financial condition. For additional discussion of the risks posed by cybersecurity threats, see “Item 1A. Risk Factors—General Risk Factors—Cybersecurity failures and data security incidents could adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential, personal or other sensitive information and/or damage to our business relationships or reputation, any of which could negatively impact our business, financial condition and operating results.”
Oversight of Cybersecurity Risks
Our cybersecurity program is managed by a dedicated internal cybersecurity team, which is responsible for enterprise-wide cybersecurity strategy, policies, standards, engineering, architecture and processes. The team is led by our CISO, who has a Master’s degree in Cybersecurity from Brown University and over 25 years of experience advising on, and managing risks from, cybersecurity threats, as well as developing and implementing cybersecurity policies and procedures. The CISO is also a member of the ERC. The ERC is a cross-functional committee that governs and oversees our Enterprise Risk Program, including cybersecurity. The ERC includes our Chief Executive Officer, Chief Financial Officer, General Counsel, Global Chief Compliance Officer, Chief Information Officer, CISO, and Head of Enterprise Risk, who acts as chairperson of the ERC. The ERC, through regular consultation with the internal cybersecurity team, assesses, discusses, and prioritizes our approach to high-level risks, mitigating controls, and ongoing cybersecurity efforts.
The audit committee has primary responsibility for oversight and review of guidelines and policies with respect to risk assessment and risk management, including cybersecurity. Certain members of the ERC periodically report to our audit committee as well as the full board of directors, as appropriate, on cybersecurity matters, primarily through presentations by the CISO and the Head of Enterprise Risk. Such reporting includes updates on our cybersecurity program, the external threat environment, and our programs to address and mitigate the risks associated with the evolving cybersecurity threat environment. These reports also include updates on our preparedness, prevention, detection, responsiveness, and recovery with respect to cyber incidents.