TPG Inc. - (TPG)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have adopted processes designed to identify, assess and manage material risks from cybersecurity threats. Those processes include responses to and assessments of internal and external threats to the security, confidentiality, integrity and availability of the Company’s data and systems along with other material risks to firm operations, at least annually or whenever there are material changes to our systems or operations. As part of our risk management process, we engage outside providers to conduct periodic internal and external penetration testing. We use the NIST Cybersecurity Framework and CIS Critical Security Controls as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. This does not imply that we meet any particular technical standards, specifications, or requirements. We store firm data in cloud environments with security appropriate to the data involved and have adopted controls around, among other things, vendor risk assessment, access and acceptable use and backup and recovery.
We have processes to oversee and identify material risks associated with the use of third-party service providers, taking into account the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider.
Governance
We have established an Enterprise Risk Committee (“ERC”) to manage overall risk across the Company including cybersecurity risks identified by the cybersecurity team; the ERC includes representatives from relevant functions and is led by our Chief Executive Officer (“CEO”). We have also established an Operational Risk Committee (“ORC”) which is responsible for applying the policy decisions of the ERC. Operational responsibility for ensuring the adequacy and effectiveness of our risk management, control and governance processes is assigned to our Chief Information Security Officer, who periodically reports, among other things, potentially material cybersecurity incidents to the ORC and, in coordination with the Chief Information Officer and Head of Operations, reports to the ERC at least annually. The Chief Information Security Officer leads the Company’s cybersecurity team, which includes individuals dedicated to incident detection and response. This team is responsible for identifying threats that can impact the Company and designing controls to mitigate vulnerabilities before they are exploited and to detect and neutralize any threats that do materialize. The Chief Information Security Officer and Chief Information Officer each have more than 20 years of experience in their fields. The Chief Information Security Officer and senior members of the cybersecurity team hold industry standard certifications.
Our Audit Committee is briefed on cybersecurity risks at least once each year and as needed in connection with any potentially material cybersecurity incidents. The Chief Information Security Officer reports at least annually to our Audit Committee, and such report may address overall assessment of the Company’s compliance with this and other cybersecurity policies, including topics such as risk assessment, risk management and control decisions, service provider arrangements, test results, security incidents and responses, and recommendations for changes and updates to policies and procedures.
As of the date of this report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.