|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Risk Management and Strategy
Blackstone maintains a comprehensive cybersecurity program, including policies and procedures designed to protect our systems, operations and the data entrusted to us by our investors, employees, portfolio companies and business partners from anticipated threats or hazards. Blackstone utilizes a variety of protective measures as a part of its cybersecurity program. These measures include, where appropriate, physical and digital access controls, patch management, identity verification and mobile device management software, new hire and annual employee cybersecurity awareness and best practices training programs, security baselines and tools to report anomalous activity, and monitoring of data usage, hardware and software.
We test our cybersecurity defenses regularly through automated and manual vulnerability scanning, to identify and remediate critical vulnerabilities. In addition, we conduct annual “white hat” penetration tests to validate our security posture. We examine our cybersecurity program every two to three years with third parties, evaluating its effectiveness in part by considering industry standards and established frameworks, such as the National Institute of Standards and Technology and Center for Internet Security, as guidelines. Further, we engage in cybersecurity incident tabletop exercises and scenario planning exercises involving hypothetical cybersecurity incidents to test our cybersecurity incident response processes. Our Chief Security Officer (the “CSO”) and members of senior management, Legal and Compliance, Technology and Innovations (“BXTI”) and Global Corporate Affairs participate in these exercises. Learnings from these tabletop exercises and any cybersecurity events we experience are reviewed, discussed and incorporated into our cybersecurity incident response processes, as appropriate.
In addition to our internal exercises to test aspects of our cybersecurity program, we periodically engage independent third parties to analyze data on the interactions of users of our information technology resources, including employees, and conduct penetration tests and scanning exercises to assess the performance of our cybersecurity systems and processes.
We have a comprehensive Security Incident Response Plan (the “IRP”) designed to inform the proper escalation of
non-routinesuspected or confirmed information security or cybersecurity events based on the expected risk an event presents. As appropriate, a Security Incident Response Team composed of individuals from several internal technical and managerial functions may be formed to investigate and remediate the event and determine the extent of external advisor support required, including from external counsel, forensic investigators, and/or law enforcement. The IRP sets out ongoing monitoring or remediating actions to be taken after resolution of an incident. The IRP is reviewed at least annually by members of BXTI and Legal and Compliance.
Blackstone maintains a formal cybersecurity risk management process and cybersecurity risk register, designed to identify, track and treat cybersecurity risks at the firm, and integrates these processes into the firm’s overall risk management practices described above. Our CSO periodically discusses and reviews cybersecurity risks and related mitigants with our enterprise risk committee and incorporates relevant cybersecurity risk updates and metrics in the semi-annual enterprise-wide risk management report.
Blackstone has a process designed to assess the cybersecurity risks associated with the engagement of
third-partyvendors. This assessment is conducted on the basis of, among other factors, the types of services provided and the extent and type of Blackstone data accessed or processed by a third-party vendor. On the basis of its preliminary risk assessment of a third-party vendor, Blackstone may conduct further cybersecurity reviews or request remediation of, or contractual protections related to, any actual or potential identified cybersecurity risks.
81
In addition, where appropriate, Blackstone seeks to include in its contractual arrangements with certain of its third-party vendors provisions addressing its requirements and industry best practices with respect to data and cybersecurity, as well as the right to assess, monitor, audit and test such vendors’ cybersecurity programs and practices. Blackstone also utilizes a number of digital controls, which are reviewed at least annually, to monitor and manage third-party access to its internal systems and data.
For a discussion of how risks from cybersecurity threats affect our business, see “—Item 1A. Risk Factors — Risk Related to our Business — Cybersecurity and data protection risks could result in the loss of data, interruptions in our business, and damage to our reputation, and subject us to regulatory actions, increased costs and financial losses, each of which could have a material adverse effect on our business and results of operations.” in this Annual Report on
Form 10-K.
Cybersecurity Governance
Blackstone has a dedicated cybersecurity team, led by our CSO, who works closely with our senior management, including our Chief Technology Officer (“CTO”), to develop and advance the firm’s cybersecurity program and strategy.
Our CSO and CTO have extensive experience in cybersecurity and technology, respectively. Our CSO is a Senior Managing Director in BXTI and is responsible for all aspects of cyber and physical security across Blackstone. He has over 25 years of information security, technology and engineering experience, including having previously led the international security organization at a large credit bureau.
Our CTO is a Senior Managing Director and the head of BXTI. Our CTO has over 23 years of information security, technology and engineering experience, including having previously served as the Chief Technology and Chief Innovation Officer at a large financial institution. Our CTO is responsible for all aspects of technology across Blackstone, advises our investment teams and acts as a resource to portfolio companies on technology-related matters.
BXTI conducts periodic cybersecurity risk assessments, including assessments or audits of third-party vendors, and assists with the management and mitigation of identified cybersecurity risks. The CSO and CTO are responsible for the review of Blackstone’s cybersecurity framework annually as well as on an event-driven basis as necessary. The CSO and CTO also review the scope of our cybersecurity measures periodically, including in the event of a change in business practices that may implicate the security or integrity of our information and systems.
Blackstone’s board of directors is responsible for understanding the primary risks to our business. The audit
committeeof our board of directors is responsible for reviewing with management the areas of material risk to our operations and financial results (including, without limitation, applicable major financial and cybersecurity risks and exposures) and our guidelines and policies with respect to risk assessment and risk management. Blackstone’s CSO reports to the board of directors and the audit committee of the board of directors at least annually on cybersecurity matters, including risks. These reports also include, as applicable, an overview of cybersecurity incidents. Additionally, the CSO provides quarterly updates to management on Blackstone’s cybersecurity risks and program developments.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Blackstone maintains a formal cybersecurity risk management process and cybersecurity risk register, designed to identify, track and treat cybersecurity risks at the firm, and integrates these processes into the firm’s overall risk management practices described above. Our CSO periodically discusses and reviews cybersecurity risks and related mitigants with our enterprise risk committee and incorporates relevant cybersecurity risk updates and metrics in the semi-annual enterprise-wide risk management report.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|For a discussion of how risks from cybersecurity threats affect our business, see “—Item 1A. Risk Factors — Risk Related to our Business — Cybersecurity and data protection risks could result in the loss of data, interruptions in our business, and damage to our reputation, and subject us to regulatory actions, increased costs and financial losses, each of which could have a material adverse effect on our business and results of operations.” in this Annual Report on
Form 10-K.
|Cybersecurity Risk Role of Management [Text Block]
|The audit
committeeof our board of directors is responsible for reviewing with management the areas of material risk to our operations and financial results (including, without limitation, applicable major financial and cybersecurity risks and exposures) and our guidelines and policies with respect to risk assessment and risk management.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The audit
committeeof our board of directors is responsible for reviewing with management the areas of material risk to our operations and financial results (including, without limitation, applicable major financial and cybersecurity risks and exposures) and our guidelines and policies with respect to risk assessment and risk management. Blackstone’s CSO reports to the board of directors and the audit committee of the board of directors at least annually on cybersecurity matters, including risks. These reports also include, as applicable, an overview of cybersecurity incidents. Additionally, the CSO provides quarterly updates to management on Blackstone’s cybersecurity risks and program developments.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our CSO and CTO have extensive experience in cybersecurity and technology, respectively. Our CSO is a Senior Managing Director in BXTI and is responsible for all aspects of cyber and physical security across Blackstone. He has over 25 years of information security, technology and engineering experience, including having previously led the international security organization at a large credit bureau.
Our CTO is a Senior Managing Director and the head of BXTI. Our CTO has over 23 years of information security, technology and engineering experience, including having previously served as the Chief Technology and Chief Innovation Officer at a large financial institution. Our CTO is responsible for all aspects of technology across Blackstone, advises our investment teams and acts as a resource to portfolio companies on technology-related matters.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Blackstone’s board of directors is responsible for understanding the primary risks to our business.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef