PART II
ITEM 13. DEFAULTS, DIVIDEND ARREARAGES AND DELINQUENCIES
Not applicable.
ITEM 14. MATERIAL MODIFICATIONS TO THE RIGHTS OF SECURITY HOLDERS AND USE OF PROCEEDS
Not applicable.
ITEM 15. CONTROLS AND PROCEDURES
A. Disclosure Controls and Procedures
We carried out an evaluation, under the supervision and with the participation of our management, including our Chief Executive Officer and our Senior Vice President and Chief Financial Officer, of the effectiveness of the design and operation of our disclosure controls and procedures (as defined in Rules 13a-15(e) and 15d-15(e) under the Exchange Act) as of the end of the period covered by this Annual Report. Based upon management's evaluation of these disclosure controls and procedures, our Chief Executive Officer and our Senior Vice President and Chief Financial Officer concluded, as of the end of the period covered by this Annual Report, that our disclosure controls and procedures were effective.
Our disclosure controls and procedures and internal control over financial reporting are designed to provide reasonable assurance of achieving the desired control objectives. Our senior management recognizes that any control system, no matter how well designed and operated, is based upon certain judgments and assumptions and cannot provide absolute assurance that its objectives will be met. Similarly, an evaluation of controls cannot provide absolute assurance that misstatements due to error or fraud will not occur or that all control issues and instances of fraud, if any, have been detected.
B. Management's Annual Report on Internal Control Over Financial Reporting
We are responsible for establishing and maintaining adequate internal control over financial reporting as defined in Rules 13a-15(f) and 15d-15(f) under the Exchange Act. Our internal control over financial reporting is designed to provide reasonable assurance regarding the reliability of our financial reporting and the preparation of financial statements for external purposes in accordance with GAAP.
We assessed our internal control over financial reporting as of December 31, 2024 and based our assessment on criteria established in Internal Control-Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission. Based on our assessment, we have concluded that our internal control over financial reporting was effective as of December 31, 2024.
Our independent registered public accounting firm, Deloitte & Touche LLP, was not required to perform an evaluation of our internal control over financial reporting as of December 31, 2024.
C. Attestation Report of Registered Public Accounting Firm
Refer to statement in Section (B) above. As a non-accelerated filer, we may take advantage of certain exemptions from various reporting requirements, including, but not limited to, not being required to comply with the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act (and the SEC rules and regulations thereunder). Management’s report was not subject to attestation by the Company’s independent registered public accounting firm pursuant to rules of the SEC that permit the Company to provide only management’s report in this Annual Report.
D. Changes in Internal Control Over Financial Reporting
There were no changes in our internal control over financial reporting identified in management's evaluation pursuant to Rules 13a-15(d) or 15d-15(d) of the Exchange Act during the period covered by this Annual Report that materially affected, or are reasonably likely to materially affect, our internal control over financial reporting.
ITEM 16. [RESERVED]
ITEM 16A. AUDIT COMMITTEE FINANCIAL EXPERT
In accordance with NYSE rules applicable to foreign private issuers, as further discussed in Item 16.G, "Corporate Governance", we maintain an Audit Committee of the Board of Directors. As of the date of this Annual Report, Ms. Pizzuto was the sole member of the Audit Committee. Our Board, after reviewing all of the relevant facts, circumstances and attributes, has determined that Ms. Pizzuto qualifies as an "audit committee financial expert" as defined in Item 16A of Form 20-F. In addition, the Board has determined that Ms. Pizzuto is independent as that term is defined in Rule 10A-3 under the Exchange Act.
ITEM 16B. CODE OF ETHICS
We have adopted a Code of Conduct that applies to all of our directors, employees and officers (including our principal executive officer, principal financial officer, principal accounting officer or controller, and persons performing similar functions). The Code of Conduct, which is designed to help officers, directors and employees conduct business in an ethical and legal manner, covers topics including but not limited to conflicts of interest, confidentiality of information and compliance with laws and regulations. In addition, we also have a Code of Ethics for Chief Executive and Senior Financial Officers. Our Code of Conduct and Code of Ethics for Chief Executive and Senior Financial Officers are available, free of charge, within the Corporate Governance portion of the "Investors" section of our website. Copies of these documents may also be obtained by sending a request in writing to our Corporate Secretary at Triton International Limited, Victoria Place, 5th Floor, 31 Victoria Street, Hamilton HM 10, Bermuda.
During 2024, no waivers or amendments were made to the Code of Conduct for any of our directors or executive officers or the Code of Ethics for Chief Executive and Senior Financial Officers. If we make any substantive amendment to, or grant a waiver from, a provision of the Code of Conduct (to the extent applicable to certain officers and our directors) or the Code of Ethics for Chief Executive and Senior Financial Officers, we will disclose the nature of the amendment or waiver on our website at www.trtn.com, to the extent required by applicable law or regulation.
ITEM 16C. PRINCIPAL ACCOUNTANT FEES AND SERVICES
Our independent registered public accounting firm is Deloitte & Touche LLP ("Deloitte"), New York, NY, Auditor Firm ID: 34.
KPMG LLP ("KPMG") served as the independent registered public accounting firm for the Company for the period from July 12, 2016 (inception) through the year ended December 31, 2022, and the subsequent interim period until September 28, 2023. On September 28, 2023, our Audit Committee approved the change in the Company’s independent registered public accounting firm, effective September 28, 2023, to Deloitte.
The following table represents the aggregate fees from our current principal accountant, Deloitte, for the years ended December 31, 2024 and 2023 and our former principal accountant, KPMG, for the years ended December 31, 2024 and 2023:
| | | | | | | | | | | | | | | | | | | | | | | | | | |
| | Deloitte | | KPMG |
| Type of Fees | | 2024 | | 2023 | | 2024 | | 2023 |
| Audit Fees | | $ | 1,785,000 | | | $ | 1,554,000 | | | $ | 125,000 | | | $ | 845,234 | |
| Audit-Related Fees | | 167,000 | | | 245,000 | | | 250,000 | | | 31,500 | |
| Tax Fees | | — | | | — | | | 621,770 | | | 618,908 | |
| All Other Fees | | 76,000 | | | 76,000 | | | — | | | — | |
| Total Fees | | $ | 2,028,000 | | | $ | 1,875,000 | | | $ | 996,770 | | | $ | 1,495,642 | |
In accordance with the SEC’s definitions and rules, "audit fees" are fees for professional services in connection with the audit of Triton’s Consolidated Financial Statements included in its Annual Report, and for services that are normally provided in connection with statutory and regulatory filings or engagements; "audit-related fees" are fees for services reasonably related to the performance of the audit, other than "audit fees"; "tax fees" are fees for tax compliance and tax advice; and "all other fees" are fees for any services not included in the first three categories, which were principally comprised of agreed upon procedures related to various debt issuances and ongoing debt compliance.
Policy on Audit Committee Pre-Approval of Audit and Permissible Non-Audit Services of Independent Accountant
The Audit Committee’s policy is to pre-approve all audit and permissible non-audit services provided by the Company’s independent registered public accounting firm. These services may include audit services, audit-related services, tax services and other services. Pre-approval is generally provided for up to one year and any pre-approval is detailed as to the particular service or category of services and is generally subject to a specific budget. Deloitte and management are required to periodically report to the Audit Committee regarding the extent of services provided by Deloitte in accordance with this pre-approval, and the fees for the services performed to date. The Audit Committee may also pre-approve particular services on a case-by-case basis. All of the services relating to the fees set forth on the above table were pre-approved by the Audit Committee.
ITEM 16D. EXEMPTIONS FROM THE LISTING STANDARDS FOR AUDIT COMMITTEES
The disclosure required by Rule 10A-3(d) under the Exchange Act regarding exemption from the listing standards for audit committee is not applicable to the Company’s Audit Committee.
ITEM 16E. PURCHASES OF EQUITY SECURITIES BY THE ISSUER AND AFFILIATED PURCHASERS
None.
ITEM 16F. CHANGE IN REGISTRANT'S CERTIFYING ACCOUNTANT
None.
ITEM 16G. CORPORATE GOVERNANCE
Our common shares are wholly owned by a subsidiary of Brookfield Infrastructure. In addition, only our preference shares are listed on the NYSE. As a controlled company with only preference shares listed on the NYSE, we qualify for and rely on exemptions from certain of the NYSE listing rules, corporate governance requirements and provisions of the Exchange Act, including the rules requiring that:
•a majority of our board of directors consist of independent directors;
•we maintain a nominating committee and compensation committee composed entirely of independent directors;
•we maintain a code of conduct and ethics and corporate governance guidelines; and
•we comply with the proxy solicitation rules under the Exchange Act, including the furnishing of an annual proxy or information statement.
For additional information, refer to Item 3.D, "Risk Factors" - "As a controlled company with only preference shares listed on the NYSE, we qualify for and rely on exemptions from certain corporate governance requirements. Holders of our preference shares will not have the same protections afforded to shareholders of companies that are subject to such requirements."
Furthermore, we are a "foreign private issuer" under applicable U.S. federal securities laws. Accordingly, we are permitted to follow certain corporate governance rules that conform to Bermuda requirements in lieu of certain NYSE corporate governance rules applicable to U.S. domestic listed companies. A general summary of those differences is provided below. Also refer to Item 3.D, "Risk Factors" - "We are a "foreign private issuer under U.S. securities law. Therefore, we are exempt from many of the requirements applicable to U.S. domestic registrants."
Independence of Directors
The NYSE requires that the board of directors of domestic listed companies be comprised of a majority of independent directors. We are not required under Bermuda law to maintain a board of directors with a majority of independent directors, and as of the date of this Annual Report, our Board is not comprised of a majority of independent directors.
Non-Management Directors’ Executive Sessions
The NYSE requires that non-management directors of domestic listed companies meet at regularly scheduled executive sessions without management. Under Bermuda law, we are not required to hold such meetings.
Compensation Committee
The NYSE requires domestic listed companies to have a compensation committee comprised entirely of independent directors and a committee charter specifying the purpose, duties and evaluation of the committee. While we have a standing Compensation Committee that operates pursuant to a compensation committee charter, we are not required to do so and the members of the Compensation Committee are not independent.
Nominating / Corporate Governance Committee
The NYSE requires that a domestic listed company have a nominating/corporate governance committee comprised entirely of independent directors and a committee charter specifying the purpose, duties and evaluation procedures of the committee. Consistent with our status as a foreign private issuer and Bermuda law, we do not have a nominating/corporate governance committee.
Audit Committee
The NYSE requires, among other things, that a domestic listed company have an audit committee with a minimum of three independent members. Our Audit Committee need not comply with the NYSE’s requirements that the audit committee have a minimum of three members or the NYSE’s standards of independence for domestic issuers. As permitted by Rule 10A-3 under the Exchange Act, our Audit Committee consists of one member of our Board who qualifies as independent under Rule 10A-3.
In addition, the NYSE requires that audit committees of domestic listed companies serve a number of functions in addition to overseeing the company’s financial reporting, engaging auditors and assessing their independence, and obtaining the legal and other professional advice of experts when necessary. Foreign private issuers such as us are exempt from these additional requirements if home country practice is followed. Bermuda law does not impose similar requirements, and consequently, we are not required to comply with these requirements, and certain of these additional functions may be performed by our Board as a whole rather than by the Audit Committee.
Corporate Governance Guidelines and Code of Business Conduct
The NYSE requires domestic listed companies to adopt and disclose corporate governance guidelines and a code of business conduct addressing specified requirements. The corporate governance guidelines must address, among other things: director qualification standards, director responsibilities, director access to management and independent advisers, director compensation, director orientation and continuing education, management succession and an annual performance evaluation of the Board. We are not required to adopt such corporate governance guidelines under Bermuda law and do not maintain such guidelines.
Additionally, while as a foreign private issuer we are not required to adopt a code of business conduct, nonetheless, we have adopted codes of conduct as described under Item 16.B, "Code of Ethics."
Differences in Corporate Law
We are incorporated under, and are governed by, the laws of Bermuda. For a summary of certain of the differences between provisions of Bermuda law applicable to us and the laws generally applicable to U.S. companies and their shareholders, refer to Item 10.B, "Memorandum and Articles of Association."
ITEM 16H. MINE SAFETY DISCLOSURE
Not applicable.
ITEM 16I. DISCLOSURE REGARDING FOREIGN JURISDICTIONS THAT PREVENT INSPECTIONS
Not applicable.
ITEM 16J. INSIDER TRADING POLICIES
We have adopted an insider trading policy that is designed to promote compliance with applicable securities laws and regulations. The policy governs the purchase, sale and other dispositions of our securities, and the securities of other companies while in the possession of material non-public information, by our directors, officers and employees, as well as our consultants, contractors and temporary staff. A copy of Triton’s Insider Trading Policy is filed as an exhibit to this Annual Report.
ITEM 16K. CYBERSECURITY
Triton maintains a cybersecurity risk management program designed to identify, protect, detect and mitigate cybersecurity threats and ensure the reliability of our system applications and infrastructure (our "Information Security Program"). Our Information Security Program, which is integrated within the Company’s enterprise risk management framework, leverages recognized best practices and standards, including the National Institute of Standards and Technology cybersecurity framework, and is comprised of a robust set of cybersecurity tools, processes and procedures as further described below.
Our internal information security team is led by Triton’s Chief Information Officer, who has held this role for 15 years and holds over 30 years of experience in information technology, audit and risk management and holds certifications as a Certified Information Systems Security Professional, Certified Fraud Examiner and Certified Information Systems Auditor. Our Director, Information Security and Compliance holds over nine years of experience in cybersecurity management and oversight and over 20 years in information technology portfolio, program and application management positions. Additionally, others in our information technology team have relevant security experience and certifications. Our internal resources are augmented by external cybersecurity partners, including those described below. Our information security leadership team is responsible for assessing and managing the Company’s Information Security Program, informs senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervises such efforts. We also take a cross-departmental approach to managing cybersecurity risk and have formed a Cybersecurity Incident Response Team ("CIRT") comprised of senior representatives from primary corporate functions as well as senior representatives from field operations to ensure a coordinated and effective response and ongoing business continuity in the face of cybersecurity threats and incidents.
Triton’s Board is responsible for oversight of information technology and cybersecurity-related matters and monitoring cybersecurity risk management, and the Board actively engages with senior management on the state of the Company’s Information Security Program. The information security leadership team prepares briefings for the Board on the effectiveness of the Company’s cyber risk management program, typically on a quarterly basis, which include a review of key performance indicators, training and test results and related remediation, and recent threats and how the Company is managing those threats.
Triton’s Information Security Program includes policies and procedures concerning cybersecurity matters, which include a cybersecurity incident response plan as well as other policies that directly or indirectly relate to cybersecurity, such as policies related to password standards, antivirus protection, remote access, multi-factor authentication, confidential information and the use of electronic devices, electronic communications and social media. We perform routine vulnerability scanning of our network, with a focus on timely remediation of vulnerabilities. Our information security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. We periodically perform simulations and tabletop exercises at an information technology department and CIRT level and incorporate external resources and advisors as needed. All employees and certain contractors are required to complete cybersecurity trainings annually. We conduct cybersecurity phishing exercises, and follow-up training as necessary, to ensure employees maintain a high level of vigilance regarding cybersecurity risks. Using external resources, we also conduct periodic cybersecurity risk assessments, penetration tests and internal threat testing to assess our processes and procedures and the threat landscape and help guide and prioritize our cybersecurity investments and solutions. In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with use of third-party service providers. Triton maintains dedicated backup systems and applications with enhanced ransomware protection features. In the event of an incident, we intend to follow our detailed incident response plan, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying relevant functional areas, as well as senior leadership and the Board, as appropriate. We also maintain incident response service retainers with independent third parties to assist with response and recovery efforts. We continue to expand our cybersecurity investments and defenses and have implemented a managed detection and response solution operated by a third party to provide 24/7 monitoring of our global cybersecurity environment and assist with coordination, investigation and remediation of alerts.
Triton faces risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. Although such risks have not materially affected us to date, Triton has experienced, and will continue to experience, cyber incidents in the normal course of its business. For more information on the
cybersecurity risks we face, refer to Item 3.D, "Risk Factors" - "We rely on our information technology systems to conduct our business. If these systems fail to adequately perform their functions, or if we experience an interruption in our operations, our business and financial results could be adversely affected" and "Security breaches and other disruptions could compromise our information technology systems and expose us to liability, which could cause our business and reputation to suffer" in this Annual Report.
