|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Cybersecurity Processes and Risk Assessment
Fortress’s cybersecurity program is focused on (i) protecting the confidentiality of business, client, investors in its
funds and its employee information; (ii) maintaining the security and availability of systems and data; (iii) supporting
compliance with applicable laws and regulations; (iv) documenting cybersecurity incidents and its responses; and (v)
notification of cybersecurity incidents to, and communications with, appropriate internal and external parties.
Fortress has implemented an information security governance policy governing cybersecurity risk, which is
designed to facilitate the protection of sensitive or confidential business, client, investor and any employee information that
it stores or processes, and the maintenance of critical services and systems. Fortress’s cybersecurity program is managed by
Fortress’s Chief Information Security Officer and Fortress’s Chief Technology Officer (together, “Fortress IT
Management”), who report to Fortress’s Chief Financial Officer. Fortress IT Management and their team are responsible
for implementing Fortress’s monitoring and alert response processes, vulnerability management, changes made to its
critical systems, including software and network changes, and various other technological and administrative safeguards.
These processes and systems are designed to protect against unauthorized access of information, including by cyber-attacks,
and Fortress’s policy and processes include, as appropriate, encryption, data loss prevention technology,
authentication technology, entitlement management, access control, anti-virus and anti-malware software, and transmission
of data over private networks. Fortress’s processes and systems aim to prevent or mitigate two main types of cybersecurity
risk: first, cybersecurity risks associated with its physical and digital devices and infrastructure and second, cybersecurity
risks associated with third parties, such as people and organizations who have access to its devices, infrastructure or
confidential or sensitive information. The cybersecurity-control principles that form the basis of Fortress’s cybersecurity
program are informed by the National Institute of Standards and Technology Cybersecurity Framework.
Fortress’s cybersecurity program includes review and assessment by third parties of the cybersecurity processes
and systems. These third parties assess and report on Fortress’s deployment of cybersecurity best practices and industry
frameworks and help to identify areas for continued focus and improvement. Annual penetration testing of its network,
including critical systems and systems that store confidential or sensitive information, is conducted with third party
consultants and vulnerabilities are reviewed by Fortress IT Management for remediation. When Fortress engages vendors
and other third-party partners who will have access to sensitive data or client systems and facilities, its infrastructure
technology team assesses their cybersecurity programs and processes.
Fortress also provides its employees with cybersecurity awareness training at onboarding and annually, as well as
interim security reminders and alerts. Fortress conducts regular phishing tests and provides additional training as
appropriate.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Fortress has implemented an information security governance policy governing cybersecurity risk, which is
designed to facilitate the protection of sensitive or confidential business, client, investor and any employee information that
it stores or processes, and the maintenance of critical services and systems. Fortress’s cybersecurity program is managed by
Fortress’s Chief Information Security Officer and Fortress’s Chief Technology Officer (together, “Fortress IT
Management”), who report to Fortress’s Chief Financial Officer. Fortress IT Management and their team are responsible
for implementing Fortress’s monitoring and alert response processes, vulnerability management, changes made to its
critical systems, including software and network changes, and various other technological and administrative safeguards.
These processes and systems are designed to protect against unauthorized access of information, including by cyber-attacks,
and Fortress’s policy and processes include, as appropriate, encryption, data loss prevention technology,
authentication technology, entitlement management, access control, anti-virus and anti-malware software, and transmission
of data over private networks. Fortress’s processes and systems aim to prevent or mitigate two main types of cybersecurity
risk: first, cybersecurity risks associated with its physical and digital devices and infrastructure and second, cybersecurity
risks associated with third parties, such as people and organizations who have access to its devices, infrastructure or
confidential or sensitive information. The cybersecurity-control principles that form the basis of Fortress’s cybersecurity
program are informed by the National Institute of Standards and Technology Cybersecurity Framework.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Company's board of trustees has delegated the primary responsibility for oversight and review of guidelines
and policies with respect to risk assessment and risk management to an audit committee of the board of trustees (the “Audit Committee”).
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company's board of trustees has delegated the primary responsibility for oversight and review of guidelines
and policies with respect to risk assessment and risk management to an audit committee of the board of trustees (the “Audit Committee”).
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|periodically reports to the Audit Committee as well as the full board of trustees as
appropriate, on cybersecurity matters. Such reporting includes updates on Fortress’s cybersecurity program, the external
threat environment and Fortress’s programs to address and mitigate the risks associated with the evolving cybersecurity
threat environment. These reports also include updates on Fortress’s preparedness, prevention, detection, responsiveness
and recovery with respect to cyber incidents.
|Cybersecurity Risk Role of Management [Text Block]
|Fortress has developed an incident response framework to identify, assess and manage cybersecurity events. The
framework is managed and implemented by Fortress’s Enterprise Security Steering Committee (the "ESSC"), a cross-functional
management committee that includes its General Counsel, Chief Financial Officer, Chief Operating Officer,
Chief Compliance Officer, Chief Human Resources Officer and Fortress IT Management. The ESSC is responsible for
gathering information with respect to a cybersecurity incident, assessing its severity and potential responses, as well as
communicating with business heads and senior management, as appropriate. This framework contemplates conducting
simulated cybersecurity incident response exercises with members of senior management on an interim basis in
coordination with external cyber counsel.
Fortress’s cybersecurity program, which is overseen by the ESSC, is managed by an internal team that is
responsible for enterprise-wide cybersecurity strategy, policies, engineering and processes. The team is led by Fortress’s
Chief Technology Officer, who has over 30 years of experience advising on technology strategy, including digital
transformation, cybersecurity, business analytics and infrastructure, and Fortress’s Chief Information Security Officer, who
has over 20 years of experience in the information technology field with a focus on IT risk governance and management,
information security, incident response capabilities and assessing effectiveness of controls. The ESSC meets regularly and
forms cross-enterprise teams, as needed, to manage and implement key policies and initiatives of Fortress’s cybersecurity
program.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Fortress has developed an incident response framework to identify, assess and manage cybersecurity events. The
framework is managed and implemented by Fortress’s Enterprise Security Steering Committee (the "ESSC"), a cross-functional
management committee that includes its General Counsel, Chief Financial Officer, Chief Operating Officer,
Chief Compliance Officer, Chief Human Resources Officer and Fortress IT Management. The ESSC is responsible for
gathering information with respect to a cybersecurity incident, assessing its severity and potential responses, as well as
communicating with business heads and senior management, as appropriate. This framework contemplates conducting
simulated cybersecurity incident response exercises with members of senior management on an interim basis in
coordination with external cyber counsel.
Fortress’s cybersecurity program, which is overseen by the ESSC, is managed by an internal team that is
responsible for enterprise-wide cybersecurity strategy, policies, engineering and processes. The team is led by Fortress’s
Chief Technology Officer, who has over 30 years of experience advising on technology strategy, including digital
transformation, cybersecurity, business analytics and infrastructure, and Fortress’s Chief Information Security Officer, who
has over 20 years of experience in the information technology field with a focus on IT risk governance and management,
information security, incident response capabilities and assessing effectiveness of controls. The ESSC meets regularly and
forms cross-enterprise teams, as needed, to manage and implement key policies and initiatives of Fortress’s cybersecurity
program.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Fortress’s cybersecurity program, which is overseen by the ESSC, is managed by an internal team that is
responsible for enterprise-wide cybersecurity strategy, policies, engineering and processes. The team is led by Fortress’s
Chief Technology Officer, who has over 30 years of experience advising on technology strategy, including digital
transformation, cybersecurity, business analytics and infrastructure, and Fortress’s Chief Information Security Officer, who
has over 20 years of experience in the information technology field with a focus on IT risk governance and management,
information security, incident response capabilities and assessing effectiveness of controls. The ESSC meets regularly and
forms cross-enterprise teams, as needed, to manage and implement key policies and initiatives of Fortress’s cybersecurity
program.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Company's board of trustees has delegated the primary responsibility for oversight and review of guidelines
and policies with respect to risk assessment and risk management to an audit committee of the board of trustees (the “Audit
Committee”). The Company's CFO periodically reports to the Audit Committee as well as the full board of trustees as
appropriate, on cybersecurity matters. Such reporting includes updates on Fortress’s cybersecurity program, the external
threat environment and Fortress’s programs to address and mitigate the risks associated with the evolving cybersecurity
threat environment. These reports also include updates on Fortress’s preparedness, prevention, detection, responsiveness
and recovery with respect to cyber incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true