technology disaster recovery and incident response plan testing, which collectively support the goal of mitigating risk were an
emergency to occur. These efforts are underpinned by the implementation of security best practices, where possible, such as:
• Multi-factor authentication for remote access, privileged access management for system administrators, application whitelisting, laptop encryption, and advanced malware defenses on endpoints;
• Incident preparedness and response planning and risk mitigation;
• Independent and continuous security testing, assessment, and vulnerability management;
• Regular security awareness training, including phishing simulations, for Carlyle authorized users;
• Restrictions on access to personal email accounts, cloud storage, social media, risk-based categories of websites, and USB storage devices;
• Device and system access management policies and procedures that restrict access upon employee or contractor separation from the company; and
• Compliance attestations by Carlyle personnel on firm policies, such as our acceptable use policy, upon hire and annually.
In addition, we partner with third parties to assess the effectiveness of our cybersecurity program, including audits and
assessments performed under the direction of Carlyle’s Internal Audit team, which co-sources with third-party cybersecurity
experts in conducting its reviews. GTS also administers the firm’s cyber third-party risk management program, which assesses
external service providers before onboarding and provides ongoing monitoring in accordance with certain risk-based
cybersecurity criteria.
To our knowledge, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not
materially affected us, including our business strategy, results of operations, or financial condition. The sophistication of cyber
threats continues to increase and there can be no assurance that the various procedures and controls we utilize to mitigate these
threats will be sufficient to prevent disruptions to our systems. Consequently, given that the magnitude of cybersecurity
incidents or threats is difficult to predict, we are unable to determine at this time whether risks from cybersecurity threats are
reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For an
additional description of cybersecurity risk and potential related impacts on us, see Part I, Item 1A “Risk Factors—Risks
Related to Our Company—Operational risks (including those associated with our business model), system security risks,
breaches of data protection, cyberattacks, or actions or failure to act by our employees or others with authorized access to our
networks, including our ability to insure against such risks, may disrupt our businesses, result in losses, or limit our growth.”
Governance
Our Board of Directors oversees our enterprise risk management strategy, including our strategy on cybersecurity
risks, directly and through its committees. In this respect, the Audit Committee of the Board of Directors (the “Audit
Committee”) oversees our risk management program, which focuses on the most significant risks we face in the short-,
intermediate-, and long-term timeframe. Audit Committee meetings include discussions of specific risk areas throughout the
year, including, among others, those relating to cybersecurity, and reports from the Chief Audit Executive on our enterprise risk
profile on an annual basis. In addition, our Chief Information Security Officer (“CISO”) leads our cybersecurity program, chairs
our Information Security Steering Committee (“ISSC”), and provides cybersecurity status reporting to our Audit Committee at
least annually. The ISSC meets quarterly and ensures that cybersecurity initiatives are in alignment with Carlyle’s strategic
priorities.
We take a risk-based approach to cybersecurity and have implemented cybersecurity policies, standards, processes,
and practices throughout our operations that are designed to address cybersecurity threats, events, and incidents. In particular,
our cybersecurity program supports security governance, security awareness and training, security engineering and architecture,
security risk management, vulnerability management, security monitoring, and incident response capabilities. In addition, our
incident response plan contains escalation and reporting protocols, including reporting to the firm’s Disclosure Committee to
consider materiality of cybersecurity incidents. Policies and procedures are in place to assist the firm’s Disclosure Committee
with these materiality assessments and any resulting reporting requirements.
Our CISO, in coordination with our Chief Financial Officer, Chief Compliance Officer, Chief Information Officer,
Chief Risk Officer, and Chief Audit Executive, among certain other senior executives, is responsible for leading the assessment