Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
|---|---|
Mar. 31, 2026 | |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | We maintain a comprehensive cybersecurity program designed to protect our systems, operations and data from unauthorized access, theft and destruction. Our program is built around written policies and procedures, including our information security policy and incident response policy, which apply across Hamilton Lane and are reviewed and updated on a recurring basis. As part of this program, we utilize a variety of preventive and detective measures, including: •reviews of network access rights and controls; •vulnerability management and penetration testing performed by independent third parties, with identified issues triaged, remediated and validated through our documented change process; •patch management and configuration hardening of critical infrastructure and endpoints; •annual security awareness training for all employees and contingent workers, supplemented by ongoing monthly phishing simulations, micro‑trainings and a security champions recognition program; •centralized security information and event management tooling, which aggregates logs and telemetry to identify anomalies and trigger alerts; high-severity events are routed to our managed detection and response service provider, which provides around-the-clock monitoring and response capabilities; •periodic security review meetings and risk assessments designed to identify vulnerabilities, track remediation, and inform risk treatment decisions; and •a vendor risk management program that evaluates cybersecurity controls at third‑party service providers, including diligence questionnaires, review of independent assurance reports where available, and contractual provisions addressing security, audit and breach notification obligations. We also conduct periodic tabletop exercises and scenario‑based drills, including cloud‑focused incident simulations, to test our ability to coordinate across technology, legal, compliance, risk and business teams and to translate policies into practical playbooks. Incident Response and Management Our incident response policy provides the framework for identifying, escalating and responding to security incidents. Among other things, it: •defines what constitutes a “security breach” and a “cybersecurity incident”; •sets breach response goals, including verification that an incident occurred, maintenance or restoration of business continuity, reduction of impact, root‑cause analysis, prevention of recurrence, and documentation in an incident repository; and •establishes timelines and responsibilities for triage, mitigation, remediation and communication. For significant events, our incident response policy designates an incident manager, a cross-functional security incident response team and a crisis response team to coordinate containment, investigation, remediation and communications across the technology, compliance, legal and finance teams and business leadership. Our incident response policy includes procedures to: •classify incidents by severity (low, medium, high, critical) and align escalation and response timelines accordingly; •preserve forensic evidence and maintain appropriate chain of custody; and •assess the materiality of cybersecurity incidents and determine whether disclosure on Form 8‑K is required under SEC rules. These processes apply both to our own information systems and, where applicable, to third‑party systems that process or store our data. Integration With Enterprise Risk Management and Strategy Cybersecurity risk management is integrated into our broader enterprise risk management framework. Our ERM committee meets at least quarterly and considers cybersecurity as part of its regular agenda. The Head of End User Technology and Information Security provides formal cybersecurity updates to the ERM committee at least twice annually, with additional updates as needed in response to specific issues or incidents. Cybersecurity risk is also incorporated into our client and product strategy. For example, we routinely provide institutional clients with responses to cybersecurity questionnaires, participate in diligence discussions on our security controls (including penetration testing results, monitoring capabilities and recovery objectives), and adjust our control environment and documentation in response to evolving client and regulatory expectation. To date, we do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. As discussed more fully under “Risk Factors” in Part I, Item 1A of this Form 10-K, the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. No matter how well designed or implemented our cybersecurity controls are, we will not be able to anticipate all security breaches, and we may not be able to implement effective preventive measures against cybersecurity breaches in a timely manner. See “Risk Factors— Failure to maintain the security of our information technology networks, or those of our third-party service providers, or data security breaches could result in loss of data, interruptions in our business, harm to our reputation and have a material adverse effect on our results of operations, financial condition and cash flow” in Part I, Item 1A of this Form 10‑K.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | We maintain a comprehensive cybersecurity program designed to protect our systems, operations and data from unauthorized access, theft and destruction. Our program is built around written policies and procedures, including our information security policy and incident response policy, which apply across Hamilton Lane and are reviewed and updated on a recurring basis. As part of this program, we utilize a variety of preventive and detective measures, including: •reviews of network access rights and controls; •vulnerability management and penetration testing performed by independent third parties, with identified issues triaged, remediated and validated through our documented change process; •patch management and configuration hardening of critical infrastructure and endpoints; •annual security awareness training for all employees and contingent workers, supplemented by ongoing monthly phishing simulations, micro‑trainings and a security champions recognition program; •centralized security information and event management tooling, which aggregates logs and telemetry to identify anomalies and trigger alerts; high-severity events are routed to our managed detection and response service provider, which provides around-the-clock monitoring and response capabilities; •periodic security review meetings and risk assessments designed to identify vulnerabilities, track remediation, and inform risk treatment decisions; and •a vendor risk management program that evaluates cybersecurity controls at third‑party service providers, including diligence questionnaires, review of independent assurance reports where available, and contractual provisions addressing security, audit and breach notification obligations. We also conduct periodic tabletop exercises and scenario‑based drills, including cloud‑focused incident simulations, to test our ability to coordinate across technology, legal, compliance, risk and business teams and to translate policies into practical playbooks.
|
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Our board of directors has delegated primary oversight of our cybersecurity risks to the audit committee. The audit committee: •reviews our information technology and data protection strategies; •oversees and assesses risk with respect to cyberattacks and data privacy matters; and •receives regular updates from management on our cybersecurity program, key risks, significant incidents (if any) and related remediation activities, at least twice annually in connection with its broader risk and cybersecurity agenda.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Management is responsible for day‑to‑day cybersecurity risk management, including implementation and operation of our cybersecurity program. Key roles include: •our chief compliance and risk officer, who has ultimate accountability for cybersecurity strategy and is responsible for regulatory compliance and breach reporting to applicable authorities, including leading materiality assessments and regulatory notice decisions for cybersecurity incidents. Before joining Hamilton Lane in 2021, he held senior compliance roles at Sixth Street Partners, GCM Grosvenor and Apollo Global Management, with responsibility for implementing and overseeing global compliance programs, conducting strategic risk analysis, enhancing controls in response to regulatory and business developments, supervising regulatory filings and examinations, and managing compliance across multiple jurisdictions. This officer also has experience overseeing compliance matters relating to cybersecurity, confidentiality, recordkeeping, and vendor risk management, and previously practiced securities law at an international law firm. •our head of end user technology and information security, who leads our security engineering, security operations and end‑user technology functions and serves as a primary incident commander and technical lead under our incident response policy. He has over 15 years of experience in information technology and cybersecurity, including leadership of our end-user technology and information security functions and prior technical roles at Amazon and General Electric. •other senior leaders, including our chief operating officer, general counsel and chief financial Officer, participate in the cybersecurity incident disclosure response team and crisis response team as appropriate based on the nature and severity of a given issue.
|
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | Management is responsible for day‑to‑day cybersecurity risk management, including implementation and operation of our cybersecurity program. Key roles include: •our chief compliance and risk officer, who has ultimate accountability for cybersecurity strategy and is responsible for regulatory compliance and breach reporting to applicable authorities, including leading materiality assessments and regulatory notice decisions for cybersecurity incidents. Before joining Hamilton Lane in 2021, he held senior compliance roles at Sixth Street Partners, GCM Grosvenor and Apollo Global Management, with responsibility for implementing and overseeing global compliance programs, conducting strategic risk analysis, enhancing controls in response to regulatory and business developments, supervising regulatory filings and examinations, and managing compliance across multiple jurisdictions. This officer also has experience overseeing compliance matters relating to cybersecurity, confidentiality, recordkeeping, and vendor risk management, and previously practiced securities law at an international law firm. •our head of end user technology and information security, who leads our security engineering, security operations and end‑user technology functions and serves as a primary incident commander and technical lead under our incident response policy. He has over 15 years of experience in information technology and cybersecurity, including leadership of our end-user technology and information security functions and prior technical roles at Amazon and General Electric. •other senior leaders, including our chief operating officer, general counsel and chief financial Officer, participate in the cybersecurity incident disclosure response team and crisis response team as appropriate based on the nature and severity of a given issue. Management is informed about the prevention, detection, mitigation and remediation of cybersecurity incidents through: •periodic risk assessments and security review meetings that escalate significant findings and remediation plans; •results of independent audits, penetration tests and System and Organization Controls examinations; and •output from tabletop exercises and incident post‑mortems, including action items and ownership for improvements.
|
| Cybersecurity Risk Role of Management [Text Block] | Management is responsible for day‑to‑day cybersecurity risk management, including implementation and operation of our cybersecurity program. Key roles include: •our chief compliance and risk officer, who has ultimate accountability for cybersecurity strategy and is responsible for regulatory compliance and breach reporting to applicable authorities, including leading materiality assessments and regulatory notice decisions for cybersecurity incidents. Before joining Hamilton Lane in 2021, he held senior compliance roles at Sixth Street Partners, GCM Grosvenor and Apollo Global Management, with responsibility for implementing and overseeing global compliance programs, conducting strategic risk analysis, enhancing controls in response to regulatory and business developments, supervising regulatory filings and examinations, and managing compliance across multiple jurisdictions. This officer also has experience overseeing compliance matters relating to cybersecurity, confidentiality, recordkeeping, and vendor risk management, and previously practiced securities law at an international law firm. •our head of end user technology and information security, who leads our security engineering, security operations and end‑user technology functions and serves as a primary incident commander and technical lead under our incident response policy. He has over 15 years of experience in information technology and cybersecurity, including leadership of our end-user technology and information security functions and prior technical roles at Amazon and General Electric. •other senior leaders, including our chief operating officer, general counsel and chief financial Officer, participate in the cybersecurity incident disclosure response team and crisis response team as appropriate based on the nature and severity of a given issue. Management is informed about the prevention, detection, mitigation and remediation of cybersecurity incidents through: •periodic risk assessments and security review meetings that escalate significant findings and remediation plans; •results of independent audits, penetration tests and System and Organization Controls examinations; and •output from tabletop exercises and incident post‑mortems, including action items and ownership for improvements. Information about cybersecurity risks and incidents is communicated to the board and its committees through: •twice annual and ad hoc presentations by our chief compliance and risk officer or senior technology and security leaders to the audit committee covering threat trends, control enhancements, incident activity and key initiatives; •periodic reporting to the ERM committee and other management committees, which in turn inform the board on enterprise‑wide risk; and •escalation provisions in our incident response policy that require timely notification of senior management and, where appropriate, the board of directors for high and critical incidents or potentially material events.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Management is responsible for day‑to‑day cybersecurity risk management, including implementation and operation of our cybersecurity program. Key roles include: •our chief compliance and risk officer, who has ultimate accountability for cybersecurity strategy and is responsible for regulatory compliance and breach reporting to applicable authorities, including leading materiality assessments and regulatory notice decisions for cybersecurity incidents. Before joining Hamilton Lane in 2021, he held senior compliance roles at Sixth Street Partners, GCM Grosvenor and Apollo Global Management, with responsibility for implementing and overseeing global compliance programs, conducting strategic risk analysis, enhancing controls in response to regulatory and business developments, supervising regulatory filings and examinations, and managing compliance across multiple jurisdictions. This officer also has experience overseeing compliance matters relating to cybersecurity, confidentiality, recordkeeping, and vendor risk management, and previously practiced securities law at an international law firm. •our head of end user technology and information security, who leads our security engineering, security operations and end‑user technology functions and serves as a primary incident commander and technical lead under our incident response policy. He has over 15 years of experience in information technology and cybersecurity, including leadership of our end-user technology and information security functions and prior technical roles at Amazon and General Electric. •other senior leaders, including our chief operating officer, general counsel and chief financial Officer, participate in the cybersecurity incident disclosure response team and crisis response team as appropriate based on the nature and severity of a given issue.
|
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | our head of end user technology and information security, who leads our security engineering, security operations and end‑user technology functions and serves as a primary incident commander and technical lead under our incident response policy. He has over 15 years of experience in information technology and cybersecurity, including leadership of our end-user technology and information security functions and prior technical roles at Amazon and General Electric. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Management is responsible for day‑to‑day cybersecurity risk management, including implementation and operation of our cybersecurity program. Key roles include: •our chief compliance and risk officer, who has ultimate accountability for cybersecurity strategy and is responsible for regulatory compliance and breach reporting to applicable authorities, including leading materiality assessments and regulatory notice decisions for cybersecurity incidents. Before joining Hamilton Lane in 2021, he held senior compliance roles at Sixth Street Partners, GCM Grosvenor and Apollo Global Management, with responsibility for implementing and overseeing global compliance programs, conducting strategic risk analysis, enhancing controls in response to regulatory and business developments, supervising regulatory filings and examinations, and managing compliance across multiple jurisdictions. This officer also has experience overseeing compliance matters relating to cybersecurity, confidentiality, recordkeeping, and vendor risk management, and previously practiced securities law at an international law firm. •our head of end user technology and information security, who leads our security engineering, security operations and end‑user technology functions and serves as a primary incident commander and technical lead under our incident response policy. He has over 15 years of experience in information technology and cybersecurity, including leadership of our end-user technology and information security functions and prior technical roles at Amazon and General Electric. •other senior leaders, including our chief operating officer, general counsel and chief financial Officer, participate in the cybersecurity incident disclosure response team and crisis response team as appropriate based on the nature and severity of a given issue. Management is informed about the prevention, detection, mitigation and remediation of cybersecurity incidents through: •periodic risk assessments and security review meetings that escalate significant findings and remediation plans; •results of independent audits, penetration tests and System and Organization Controls examinations; and •output from tabletop exercises and incident post‑mortems, including action items and ownership for improvements. Information about cybersecurity risks and incidents is communicated to the board and its committees through: •twice annual and ad hoc presentations by our chief compliance and risk officer or senior technology and security leaders to the audit committee covering threat trends, control enhancements, incident activity and key initiatives; •periodic reporting to the ERM committee and other management committees, which in turn inform the board on enterprise‑wide risk; and •escalation provisions in our incident response policy that require timely notification of senior management and, where appropriate, the board of directors for high and critical incidents or potentially material events. Through this governance structure, we seek to ensure that cybersecurity considerations are embedded in our overall risk management and strategic decision‑making processes and that the board and management receive timely, decision‑useful information about material cybersecurity risks and incidents, consistent with Regulation S‑K Item 106 and related SEC guidance.
|
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |