|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Risk Management and Strategy
KKR’s asset management business has a cybersecurity incident response plan as a key component of its cybersecurity program, which is generally incorporated as part of KKR’s enterprise risk management program. The KKR CISO and KKR’s Chief Compliance Officer co-chair a cybersecurity incident response team (“KKR CIRT”), which aims to manage and mitigate the impact of cybersecurity breach events at KKR’s asset management business, including those arising from third-party service providers, including but not limited to, those providers that have access to KKR’s customer and employee data. Members of the KKR CIRT include members of the firm’s legal, technology, risk, public affairs, fundraising and finance groups. KREF has established a notification decision framework to determine when the KKR CIRT will provide notifications regarding certain cybersecurity incidents, with different severity thresholds triggering notifications to different recipient groups, including members of KREF management, and the KREF audit committee.
The KKR information security team undertakes a variety of measures to monitor and manage the cybersecurity risks of KKR’s asset management business. For example, the KKR information security team monitors KKR’s technology infrastructure with tools designed to detect suspicious behavior. KKR’s technology platforms and applications are designed to enable it to monitor user and network behavior at KKR’s asset management business, identify threats using certain analytics, and mitigate attacks across various layers of the enterprise. The KKR information security team conducts regular internal and external audits with third-party cybersecurity experts to identify and evaluate potential weaknesses in its cybersecurity systems. Some of these third-party monitoring functions continue throughout the year while other third-party security experts are periodically retained to audit specific areas of the cybersecurity program. In addition, the KKR information security team conducts periodic phishing simulations, and they also conduct periodic employee training on KKR’s security policies and controls and provide other security trainings as part of new employee onboarding. Additionally, the KKR CIRT conducts periodic tabletop exercises simulating a cybersecurity breach at KKR.
As of the date of this filing, we do not believe that our business strategy, results of operations or financial conditions have been materially affected by any cybersecurity incidents for the reporting period covered by this report. However, institutions like us, as well as our employees, service providers and other third parties, have experienced information security and cybersecurity attacks in the past and will likely continue to be the target of increasingly cyber actors. For a discussion of how risks from cybersecurity threats affect KREF’s business, see “Part 1. Item 1A. Risk Factors – Structural, Organizational and Operational Risks – Operational risks, including the risk of cyberattacks, may disrupt our business, result in losses or limit our growth” in this Annual Report on Form 10-K.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
KKR’s asset management business has a cybersecurity incident response plan as a key component of its cybersecurity program, which is generally incorporated as part of KKR’s enterprise risk management program. The KKR CISO and KKR’s Chief Compliance Officer co-chair a cybersecurity incident response team (“KKR CIRT”), which aims to manage and mitigate the impact of cybersecurity breach events at KKR’s asset management business, including those arising from third-party service providers, including but not limited to, those providers that have access to KKR’s customer and employee data. Members of the KKR CIRT include members of the firm’s legal, technology, risk, public affairs, fundraising and finance groups. KREF has established a notification decision framework to determine when the KKR CIRT will provide notifications regarding certain cybersecurity incidents, with different severity thresholds triggering notifications to different recipient groups, including members of KREF management, and the KREF audit committee.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
KREF is externally managed by our Manager. As an indirect subsidiary of KKR, our Manager is subject to and participates in KKR’s processes for assessing, identifying, and managing risks from cybersecurity threats, as detailed below.
KKR has a Chief Information Security Officer (the “KKR CISO”), who leads an information security team (the “KKR information security team”) that is responsible for information security at KKR’s asset management business, including its cybersecurity strategy and program, which includes, among other things, annual employee training about cybersecurity risks and new employee onboarding about KKR’s security policies. The KKR information security team’s mandates can be broadly grouped into three categories: (i) operations and engineering, (ii) threat detection and response and (iii) governance.
The KKR information security team members have a variety of relevant skill sets and expertise. For example, prior to joining KKR, KKR’s CISO was the CISO at another large financial institution where he was responsible for their global information security program. KKR’s CISO also has prior experience in various information security roles, including security architecture, application security, engineering and operations. He holds a Bachelor of Science in computer science from the New York University Polytechnic School of Engineering, is a Certified Information Systems Security Professional (CISSP) and holds a Series 99 – Operations Professional Exam certification. In addition, KKR information security team members have various backgrounds in information security, including in financial services and critical infrastructure, and the team maintains various levels of certifications – including CISSP, GIAC security operations certification, certified information security manager, and other certifications focused on specific technologies.
The KKR CISO chairs the technology and information security risk committee for KKR’s asset management business, which consists of employees from KKR’s technology group and other groups, including risk, legal and compliance. The technology and information security risk committee is responsible for overseeing the cybersecurity risk environment for KKR’s asset management business, which includes identifying and monitoring KKR’s technology risks, including those related to information security, business disruption, fraud and privacy related risks, and also promoting cybersecurity awareness at the firm.
Periodically, at least annually, KKR’s CISO and/or other members of the KKR information security team will present to the KREF audit committee on various topics relating to KKR’s technology risks, including KKR’s cybersecurity program (including the results of cybersecurity table top exercises), cybersecurity issues (including those relating to data protection, insider threats, regulatory changes, and geopolitical cyber threat management), and risk management (including the results of periodic technology audits). For a discussion of how risks from cybersecurity threats affect KREF’s business, see “Part 1. Item 1A. Risk Factors – Structural, Organizational and Operational Risks – Operational risks, including the risk of cyberattacks, may disrupt our business, result in losses or limit our growth” in this Annual Report on Form 10-K.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
KKR has a Chief Information Security Officer (the “KKR CISO”), who leads an information security team (the “KKR information security team”) that is responsible for information security at KKR’s asset management business, including its cybersecurity strategy and program, which includes, among other things, annual employee training about cybersecurity risks and new employee onboarding about KKR’s security policies. The KKR information security team’s mandates can be broadly grouped into three categories: (i) operations and engineering, (ii) threat detection and response and (iii) governance.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The KKR CISO chairs the technology and information security risk committee for KKR’s asset management business, which consists of employees from KKR’s technology group and other groups, including risk, legal and compliance. The technology and information security risk committee is responsible for overseeing the cybersecurity risk environment for KKR’s asset management business, which includes identifying and monitoring KKR’s technology risks, including those related to information security, business disruption, fraud and privacy related risks, and also promoting cybersecurity awareness at the firm.
Periodically, at least annually, KKR’s CISO and/or other members of the KKR information security team will present to the KREF audit committee on various topics relating to KKR’s technology risks, including KKR’s cybersecurity program (including the results of cybersecurity table top exercises), cybersecurity issues (including those relating to data protection, insider threats, regulatory changes, and geopolitical cyber threat management), and risk management (including the results of periodic technology audits). For a discussion of how risks from cybersecurity threats affect KREF’s business, see “Part 1. Item 1A. Risk Factors – Structural, Organizational and Operational Risks – Operational risks, including the risk of cyberattacks, may disrupt our business, result in losses or limit our growth” in this Annual Report on Form 10-K.
|Cybersecurity Risk Role of Management [Text Block]
|
KREF is externally managed by our Manager. As an indirect subsidiary of KKR, our Manager is subject to and participates in KKR’s processes for assessing, identifying, and managing risks from cybersecurity threats, as detailed below.
KKR has a Chief Information Security Officer (the “KKR CISO”), who leads an information security team (the “KKR information security team”) that is responsible for information security at KKR’s asset management business, including its cybersecurity strategy and program, which includes, among other things, annual employee training about cybersecurity risks and new employee onboarding about KKR’s security policies. The KKR information security team’s mandates can be broadly grouped into three categories: (i) operations and engineering, (ii) threat detection and response and (iii) governance.
The KKR information security team members have a variety of relevant skill sets and expertise. For example, prior to joining KKR, KKR’s CISO was the CISO at another large financial institution where he was responsible for their global information security program. KKR’s CISO also has prior experience in various information security roles, including security architecture, application security, engineering and operations. He holds a Bachelor of Science in computer science from the New York University Polytechnic School of Engineering, is a Certified Information Systems Security Professional (CISSP) and holds a Series 99 – Operations Professional Exam certification. In addition, KKR information security team members have various backgrounds in information security, including in financial services and critical infrastructure, and the team maintains various levels of certifications – including CISSP, GIAC security operations certification, certified information security manager, and other certifications focused on specific technologies.
The KKR CISO chairs the technology and information security risk committee for KKR’s asset management business, which consists of employees from KKR’s technology group and other groups, including risk, legal and compliance. The technology and information security risk committee is responsible for overseeing the cybersecurity risk environment for KKR’s asset management business, which includes identifying and monitoring KKR’s technology risks, including those related to information security, business disruption, fraud and privacy related risks, and also promoting cybersecurity awareness at the firm.
Periodically, at least annually, KKR’s CISO and/or other members of the KKR information security team will present to the KREF audit committee on various topics relating to KKR’s technology risks, including KKR’s cybersecurity program (including the results of cybersecurity table top exercises), cybersecurity issues (including those relating to data protection, insider threats, regulatory changes, and geopolitical cyber threat management), and risk management (including the results of periodic technology audits). For a discussion of how risks from cybersecurity threats affect KREF’s business, see “Part 1. Item 1A. Risk Factors – Structural, Organizational and Operational Risks – Operational risks, including the risk of cyberattacks, may disrupt our business, result in losses or limit our growth” in this Annual Report on Form 10-K.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
KKR has a Chief Information Security Officer (the “KKR CISO”), who leads an information security team (the “KKR information security team”) that is responsible for information security at KKR’s asset management business, including its cybersecurity strategy and program, which includes, among other things, annual employee training about cybersecurity risks and new employee onboarding about KKR’s security policies. The KKR information security team’s mandates can be broadly grouped into three categories: (i) operations and engineering, (ii) threat detection and response and (iii) governance.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The KKR information security team members have a variety of relevant skill sets and expertise. For example, prior to joining KKR, KKR’s CISO was the CISO at another large financial institution where he was responsible for their global information security program. KKR’s CISO also has prior experience in various information security roles, including security architecture, application security, engineering and operations. He holds a Bachelor of Science in computer science from the New York University Polytechnic School of Engineering, is a Certified Information Systems Security Professional (CISSP) and holds a Series 99 – Operations Professional Exam certification. In addition, KKR information security team members have various backgrounds in information security, including in financial services and critical infrastructure, and the team maintains various levels of certifications – including CISSP, GIAC security operations certification, certified information security manager, and other certifications focused on specific technologies.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Periodically, at least annually, KKR’s CISO and/or other members of the KKR information security team will present to the KREF audit committee on various topics relating to KKR’s technology risks, including KKR’s cybersecurity program (including the results of cybersecurity table top exercises), cybersecurity issues (including those relating to data protection, insider threats, regulatory changes, and geopolitical cyber threat management), and risk management (including the results of periodic technology audits). For a discussion of how risks from cybersecurity threats affect KREF’s business, see “Part 1. Item 1A. Risk Factors – Structural, Organizational and Operational Risks – Operational risks, including the risk of cyberattacks, may disrupt our business, result in losses or limit our growth” in this Annual Report on Form 10-K.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true