Apollo Commercial Real Estate Finance, Inc. - (ARI)
10-K Filing Date: February 06, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
As an externally managed REIT, our risk management function, including cybersecurity, is governed by the cybersecurity policies and procedures of the Manager, an indirect subsidiary of Apollo. Apollo determines and implements appropriate risk management processes and strategies as it relates to cybersecurity for us and other entities managed by Apollo, and we rely on Apollo for assessing, identifying and managing material risks to our business from cybersecurity threats.
The Apollo Global Management, Inc. (“AGM”) board of directors is involved in overseeing Apollo’s risk management program, including with respect to cybersecurity, which is a critical component of Apollo’s overall approach to enterprise risk management (“ERM”). Apollo’s cybersecurity policies and practices are fully integrated into its ERM framework through its reporting, risk management and oversight channels and are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards.
As one of the critical elements of Apollo’s overall ERM approach, Apollo’s cybersecurity program is focused on the following key areas:
•Governance. As discussed further under the heading “Cybersecurity Governance,” the AGM board of directors has an oversight role, as a whole and also at the committee level, in overseeing management of Apollo’s risks, including its cybersecurity risks. Apollo’s Chief Information Security Officer (“CISO”) and the CISO of Athene Holding Ltd., a subsidiary of AGM, with support from the broader Apollo Technology team, are responsible for information security strategy, policies and practices, as well as, as appropriate, with our executive officers and other representatives of the Manager and its affiliates.
•Collaborative Approach. Apollo utilizes a cross-functional approach involving stakeholders across multiple departments, including Apollo Compliance, Legal, Technology, Operations, Risk and others, aimed at identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of potentially material cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management, in consultation with our management and our
31
board of directors, as applicable, in a timely manner.
•Technical Safeguards. Apollo deploys technical safeguards that are designed to protect its information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved on an ongoing basis using vulnerability assessments and cybersecurity threat intelligence.
•Incident Response and Recovery Planning. Apollo has established and maintains incident response and recovery plans that address its response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis.
•Third-Party Risk Management. Apollo maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of its systems, as well as the systems of third parties that could adversely impact its business and the business of its externally managed entities such as our company, in the event of a cybersecurity incident affecting those third-party systems.
•Education and Awareness. Apollo provides regular, mandatory training for personnel regarding cybersecurity threats to equip its personnel with effective tools to help mitigate cybersecurity threats, and to communicate its evolving information security policies, standards, processes and practices.
Apollo engages in the periodic assessment and testing of its policies and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of its cybersecurity measures. Apollo regularly engages third parties, including auditors and consultants, to perform assessments on its cybersecurity measures, including information security maturity assessments, audits and independent reviews of its information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to Apollo’s risk management function, and Apollo adjusts its cybersecurity policies and practices as necessary based on the information provided by these assessments, audits and reviews.
Cybersecurity threat risks have not materially affected our company, including our business strategy, results of operations or financial condition. For further discussion of the risks we face from cybersecurity threats, including those that could materially affect us, see “Item 1A. Risk Factors—Risks Related to Our Business and Structure—Cybersecurity risks and cyber incidents may adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential information, a misappropriation of funds, and/or damage to our business relationships, all of which could negatively impact our financial results.”
Cybersecurity Governance
The AGM board of directors’ oversight of cybersecurity risk management is supported by the audit committee of the AGM board of directors (the “AGM audit committee”), the AAM Global Risk Committee (“AGRC”), the Operational Risk Forum (the “ORF”), the Cybersecurity Working Group and management. The AGM board of directors, the AGM audit committee, the AGRC, the ORF and the Cyber Security Working Group receive regular updates on Apollo’s information technology, cybersecurity risk profile and strategy, and risk mitigation plans from Apollo’s risk management professionals, the AGM's Chief Security Officer (“CSO”), CISO, other members of management and relevant management committees and working groups. The Cyber Security Working Group is chaired by the CISO and has representation from Apollo’s Technology, Legal, Compliance, and ERM teams. The group meets at least once a quarter to discuss cybersecurity and risk mitigation activities, among other topics. The CISO regularly reports to the ORF regarding cyber risk, and the ORF in turn reports to the AGRC on a quarterly basis, noting any cyber updates when necessary or appropriate. In turn, AGM’s board of directors and/or the AGM audit committee receive quarterly risk updates from risk management professionals, as well as at least annual updates on cyber risk specifically. The full AGM board of directors or the AGM audit committee receives presentations and reports on cybersecurity risks from AGM’s CSO or CISO, as well as from AHL’s CISO, at least annually.
AGM’s CSO holds an undergraduate degree in Management Information Systems and Business Administration, which he received magna cum laude. He has over 25 years of cyber-related experience, having served in various roles in technology and cybersecurity, including as Head of IT Risk Management, Executive Director of IT & Risk Compliance, and Global IT Risk Evaluation Lead at large financial institutions and consulting firms. He was also previously AGM’s CISO for nearly eight years. AGM’s CISO holds a master’s degree in Business Information Systems and has served in various roles in information technology and information security for over 25 years across a number of large financial institutions, including as Director, Cybersecurity and Risk.
The AGM CISO, in coordination with the Apollo Technology and ERM teams, works collaboratively across Apollo to implement a program designed to protect its information systems from cybersecurity threats and to promptly respond to any
32
cybersecurity incidents in accordance with its incident response and recovery plans. To facilitate the success of Apollo’s cybersecurity risk management program, multidisciplinary teams throughout Apollo are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to the AGM audit committee or AGM board of directors, as appropriate.
As part of the risk management oversight (including oversight of cyber risks) of the audit committee of our board of directors, our audit committee regularly interacts with, and receives reports from, our management, the Manager, Apollo, and other service providers. The audit committee of our board of directors receives presentations and reports on cybersecurity risks from AGM’s CSO or CISO, at least annually, and they address a wide range of topics including recent developments, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to Apollo’s peers and third parties. Additionally, Apollo and other service providers periodically report to management as it relates to our cybersecurity practices.
Apollo’s cybersecurity incident response plan provides for proper escalation of identified cybersecurity threats and incidents, including, as appropriate, to our management. These discussions provide a mechanism for the identification of cybersecurity threats and incidents, assessment of cybersecurity risk profile or certain newly identified risks relevant to our company, the Manager, and evaluation of the adequacy of our cybersecurity program (as coordinated through the Manager and Apollo), including risk mitigation, compliance and controls.