Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] Technology is a key component of our business operations, and cybersecurity is a significant consideration for the firm. T. Rowe Price has a holistic firm-wide approach to risk management including material risks from cybersecurity threats. The firm’s overall risk management activities are designed to identify, assess, report, and manage risks that could affect the firm in achieving its objectives and goals. This risk management framework operates across our business lines and integrates business operational resiliency and technology related risks such as cybersecurity threats. As part of the firm’s risk identification and assessment framework, key risks from cybersecurity threats specific to our environment are identified and assessed for adequacy of controls. Management identifies risk inherent to cybersecurity threats, estimates the significance of the risks, assesses the likelihood of their occurrence, establishes acceptable risk tolerance levels, and implements appropriate measures to monitor those risks. Action plans may be developed for identified control issues and management is responsible for addressing these issues.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Technology is a key component of our business operations, and cybersecurity is a significant consideration for the firm. T. Rowe Price has a holistic firm-wide approach to risk management including material risks from cybersecurity threats. The firm’s overall risk management activities are designed to identify, assess, report, and manage risks that could affect the firm in achieving its objectives and goals. This risk management framework operates across our business lines and integrates business operational resiliency and technology related risks such as cybersecurity threats. As part of the firm’s risk identification and assessment framework, key risks from cybersecurity threats specific to our environment are identified and assessed for adequacy of controls. Management identifies risk inherent to cybersecurity threats, estimates the significance of the risks, assesses the likelihood of their occurrence, establishes acceptable risk tolerance levels, and implements appropriate measures to monitor those risks. Action plans may be developed for identified control issues and management is responsible for addressing these issues.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Although management is responsible for the firm’s day to day cybersecurity operations, the Board of Directors ("the Board") oversees the firm’s cybersecurity program. The Board does not delegate this responsibility to a committee, nor does the Board identify a cybersecurity expert to consider the firm’s activities and make recommendations or provide advice to the Board. Instead, many of our directors have significant technology experience gained through their prior work experience and through their positions on other boards of directors, all of which provides the Board with insight and practical guidance in overseeing the firm’s technology and operations as well as our continuing investment in and development of our cybersecurity program.

Our CEO has ultimate responsibility for developing strategy and overseeing execution to meet the firm’s objectives. The CEO has delegated to our Chief Operating Officer (COO) oversight of this operational execution. The COO has several leaders within the COO organization who develop and oversee the firm’s risk management, technology, and information security practices. These executive leaders play a critical role in cybersecurity risk management and strategy, as further described below.
Enterprise Risk is primarily responsible for reporting risks from cybersecurity threats to executive leadership and our Enterprise Risk Management Committee (ERMC). The ERMC supports the efforts of the CRO in providing corporate-wide oversight of our firm’s risk management efforts and provides a path for risk escalation. This committee monitors risk management activities, including cybersecurity matters, and reports periodically and more frequently, as necessary, to our Board of Directors and Audit Committee. For example, at each quarterly meeting the Audit Committee receives an update concerning the company’s cybersecurity metrics. In addition, at least annually the Board receives a technology and cybersecurity update led by the senior management from the company’s technology and information security teams. Cybersecurity risk management practices operate enterprise-wide, across T. Rowe Price legal entities, including Oak Hill Advisors (OHA). In addition, OHA has established an independent risk committee, which includes responsibilities for prompt escalation of key risks and incidents such as cybersecurity to the T. Rowe Price CRO.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
The firm’s Chief Risk Officer (CRO) leads the Enterprise Risk program, providing the framework and tools used by all business teams across the firm, including technology, to identify, assess, and manage risks from cybersecurity threats in coordination with the firm's Chief Information Security Officer (CISO). The Enterprise Risk team provides guidance and support in identifying, assessing, and monitoring all aspects of risks from cybersecurity threats. The Enterprise Risk function conducts risk assessments for technology and cybersecurity, and coordinates with Internal Audit and Global Compliance to provide risk assurance activities.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Enterprise Risk is primarily responsible for reporting risks from cybersecurity threats to executive leadership and our Enterprise Risk Management Committee (ERMC). The ERMC supports the efforts of the CRO in providing corporate-wide oversight of our firm’s risk management efforts and provides a path for risk escalation. This committee monitors risk management activities, including cybersecurity matters, and reports periodically and more frequently, as necessary, to our Board of Directors and Audit Committee. For example, at each quarterly meeting the Audit Committee receives an update concerning the company’s cybersecurity metrics. In addition, at least annually the Board receives a technology and cybersecurity update led by the senior management from the company’s technology and information security teams. Cybersecurity risk management practices operate enterprise-wide, across T. Rowe Price legal entities, including Oak Hill Advisors (OHA).
Cybersecurity Risk Role of Management [Text Block]
Enterprise Risk is primarily responsible for reporting risks from cybersecurity threats to executive leadership and our Enterprise Risk Management Committee (ERMC). The ERMC supports the efforts of the CRO in providing corporate-wide oversight of our firm’s risk management efforts and provides a path for risk escalation. This committee monitors risk management activities, including cybersecurity matters, and reports periodically and more frequently, as necessary, to our Board of Directors and Audit Committee. For example, at each quarterly meeting the Audit Committee receives an update concerning the company’s cybersecurity metrics. In addition, at least annually the Board receives a technology and cybersecurity update led by the senior management from the company’s technology and information security teams. Cybersecurity risk management practices operate enterprise-wide, across T. Rowe Price legal entities, including Oak Hill Advisors (OHA). In addition, OHA has established an independent risk committee, which includes responsibilities for prompt escalation of key risks and incidents such as cybersecurity to the T. Rowe Price CRO.

T. Rowe Price maintains documented Enterprise Incident Management and Reporting Policies and Procedures, outlining responsibilities and requirements for escalation of various types of incidents, including cybersecurity threats and incidents. Our process is designed to investigate incidents efficiently, identify root cause, communicate with the affected parties as appropriate, spot trends, and recommend improvements to mitigate risk. These procedures incorporate incident materiality determination within senior executive levels and operate firm-wide.

Global Technology and Business Unit management are also responsible for implementing internal controls to manage risks from cybersecurity threats to an appropriate level and in line with the firm’s risk appetite. Cybersecurity risks are managed across all lines of business, requiring support and participation across all levels in the organization. Within Global Technology, Enterprise Security is responsible for maintaining security policies, standards, and guidelines and routinely works with our Enterprise Risk, Compliance, Internal Audit, and other key technology and corporate stakeholders to establish security controls, enforce them, and monitor their adherence on an ongoing basis. Enterprise Security also conducts regular phishing tests and manages annual employee training focused on raising awareness, highlighting the important role our employees play in protecting the firm from cybersecurity threats. Business Continuity and Disaster Recovery programs execute regular testing across business and technology teams to demonstrate resilience. The CISO regularly reviews the cybersecurity program and strategy with various risk committees, including the ERMC, Management Committee, and the Audit Committee. This ensures risks from cybersecurity threats are properly managed and our enterprise-wide cybersecurity program is aligned with the business needs and defined risk tolerances or risk appetite.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The firm’s Chief Risk Officer (CRO) leads the Enterprise Risk program, providing the framework and tools used by all business teams across the firm, including technology, to identify, assess, and manage risks from cybersecurity threats in coordination with the firm's Chief Information Security Officer (CISO). The Enterprise Risk team provides guidance and support in identifying, assessing, and monitoring all aspects of risks from cybersecurity threats. The Enterprise Risk function conducts risk assessments for technology and cybersecurity, and coordinates with Internal Audit and Global Compliance to provide risk assurance activities.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Instead, many of our directors have significant technology experience gained through their prior work experience and through their positions on other boards of directors, all of which provides the Board with insight and practical guidance in overseeing the firm’s technology and operations as well as our continuing investment in and development of our cybersecurity program.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Although management is responsible for the firm’s day to day cybersecurity operations, the Board of Directors ("the Board") oversees the firm’s cybersecurity program. The Board does not delegate this responsibility to a committee, nor does the Board identify a cybersecurity expert to consider the firm’s activities and make recommendations or provide advice to the Board. Instead, many of our directors have significant technology experience gained through their prior work experience and through their positions on other boards of directors, all of which provides the Board with insight and practical guidance in overseeing the firm’s technology and operations as well as our continuing investment in and development of our cybersecurity program.

Our CEO has ultimate responsibility for developing strategy and overseeing execution to meet the firm’s objectives. The CEO has delegated to our Chief Operating Officer (COO) oversight of this operational execution. The COO has several leaders within the COO organization who develop and oversee the firm’s risk management, technology, and information security practices. These executive leaders play a critical role in cybersecurity risk management and strategy, as further described below.

The firm’s Chief Risk Officer (CRO) leads the Enterprise Risk program, providing the framework and tools used by all business teams across the firm, including technology, to identify, assess, and manage risks from cybersecurity threats in coordination with the firm's Chief Information Security Officer (CISO). The Enterprise Risk team provides guidance and support in identifying, assessing, and monitoring all aspects of risks from cybersecurity threats. The Enterprise Risk function conducts risk assessments for technology and cybersecurity, and coordinates with Internal Audit and Global Compliance to provide risk assurance activities.

Enterprise Risk is primarily responsible for reporting risks from cybersecurity threats to executive leadership and our Enterprise Risk Management Committee (ERMC). The ERMC supports the efforts of the CRO in providing corporate-wide oversight of our firm’s risk management efforts and provides a path for risk escalation. This committee monitors risk management activities, including cybersecurity matters, and reports periodically and more frequently, as necessary, to our Board of Directors and Audit Committee. For example, at each quarterly meeting the Audit Committee receives an update concerning the company’s cybersecurity metrics. In addition, at least annually the Board receives a technology and cybersecurity update led by the senior management from the company’s technology and information security teams. Cybersecurity risk management practices operate enterprise-wide, across T. Rowe Price legal entities, including Oak Hill Advisors (OHA). In addition, OHA has established an independent risk committee, which includes responsibilities for prompt escalation of key risks and incidents such as cybersecurity to the T. Rowe Price CRO.

T. Rowe Price maintains documented Enterprise Incident Management and Reporting Policies and Procedures, outlining responsibilities and requirements for escalation of various types of incidents, including cybersecurity threats and incidents. Our process is designed to investigate incidents efficiently, identify root cause, communicate with the affected parties as appropriate, spot trends, and recommend improvements to mitigate risk. These procedures incorporate incident materiality determination within senior executive levels and operate firm-wide.

Global Technology and Business Unit management are also responsible for implementing internal controls to manage risks from cybersecurity threats to an appropriate level and in line with the firm’s risk appetite. Cybersecurity risks are managed across all lines of business, requiring support and participation across all levels in the organization. Within Global Technology, Enterprise Security is responsible for maintaining security policies, standards, and guidelines and routinely works with our Enterprise Risk, Compliance, Internal Audit, and other key technology and corporate stakeholders to establish security controls, enforce them, and monitor their adherence on an ongoing basis. Enterprise Security also conducts regular phishing tests and manages annual employee training focused on raising awareness, highlighting the important role our employees play in protecting the firm from cybersecurity threats. Business Continuity and Disaster Recovery programs execute regular testing across business and technology teams to demonstrate resilience. The CISO regularly reviews the cybersecurity program and strategy with various risk committees, including the ERMC, Management Committee, and the Audit Committee. This ensures risks from cybersecurity threats are properly managed and our enterprise-wide cybersecurity program is aligned with the business needs and defined risk tolerances or risk appetite.

The cybersecurity program includes regular assessment on the effectiveness of the firm's risk mitigation strategies. Assessments include third-party validation to help ensure our internal controls and safeguards adhere to security and compliance standards. We annually undergo external examinations, such as Sarbanes-Oxley relating to financial reporting, System and Organization Controls (SOC) 1, and SOC 2 for key operational Business Units. In addition, we periodically engage with third-party partners to perform an independent evaluation of our cybersecurity program as well as external network penetration testing. This complements our internal assessments, such as application security testing, vulnerability management, and penetration testing. The firm participates in various industry threat intelligence information sharing forums to stay current on evolving cyber risks and threats. The results of these assessments are discussed with and reviewed by the Audit Committee, and shared with the Board, annually.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true