We rely on cybersecurity strategies and policies (the “Cybersecurity Policy”) concomitantly implemented alongside the Adviser.

Oversight Responsibilities and Profile

Our Chief Compliance Officer (the “CCO”) serves as our primary policy-driver on cybersecurity, while our Chief Executive Officer (the “CEO”) is the overseer of cybersecurity risk management on a day-to-day basis. The CCO has worked in asset management compliance for over 20 years and led in-house and outsourced compliance programs for a range of advisers and BDCs. The CEO presently has over 25 years of direct experience in leveraged finance, principal investing, portfolio management, due diligence, and business operations executive management and ownership. Throughout those periods, the CCO and CEO have maintained high standards for risk reporting and compliance with key cybersecurity policies to ensure the appropriate retention and use of sensitive customer information. The CEO is supported in this role through a network of service providers that monitor and alert to any pertinent cybersecurity risks, highlight new industry standards and best practices for protecting client data, and engage in the use of cybersecurity protection products that substantially reduce both the expected severity and overall likelihood of a cybersecurity breach for the Company. The CCO is part of a service organization that includes a cybersecurity practice and for benchmarking purposes has access to a range of peers engaged to provide oversight and consulting to the financial services industry.

Board Oversight

Management of the cybersecurity program provided by the CEO on a day-to-day basis is further enhanced through oversight by the CCO, who provides an overview of cybersecurity program and risks to the Board as part of regular reporting. Management of the Company provides updates on cybersecurity to the Board on at least a quarterly basis, and on an ad hoc basis should a significant cybersecurity risk event occur. The Board receives assistance with cybersecurity risk oversight from our regularly retained compliance consulting firm, which provides substantial risk-based analysis and quarterly testing as part of developing quarterly board reports for the Board’s review. In addition to reviewing any significant cybersecurity risk events, the Board will help facilitate and approve appropriate responses to such events (should they occur), and approve any policies and procedures developed to prevent the occurrence of such events in the future.

Risk Management

All executive officers of the Company are considered “Covered Persons” per the Cybersecurity Policy. The Cybersecurity Policy requires all Covered Persons to undergo training on fundamental steps to protect electronically stored information, including, but not limited to:

Our cybersecurity strategy is to first seek to minimize the level of inherent risk of our environment through decentralization, cloud-based redundancy, user segregation of sensitive information and outsourcing functions that require an extensive technology footprint. We do not make use of in-house developed applications and on-premises systems or hardware beyond end-user devices, thereby reducing maintenance requirements and potential vulnerabilities. Outsourced functions include data storage, electronic communications, network maintenance, fund custodian and fund administrator services. Service providers are judiciously selected and sourced from trusted referrals subject to further due diligence, such as reviews of systems and organization controls (“SOC”) reports and policies and procedures of the potential service provider.

With respect to monitoring risks that cannot be outsourced, we rely on a third-party cyber-risk service provider to assist in maintaining network security, monitor potential threats, and otherwise provide year-round support for any as-needed risk management services. Any service providers we retain that receive or have access to electronic information must demonstrate, upon request by the CCO, appropriate safeguards for client information as required by relevant data privacy laws and regulations.

Cybersecurity Incidents and Response Plan

To date, we have not experienced or otherwise identified any cybersecurity incident which had or would have had a material impact on our operations or financial results. While our clean history regarding cybersecurity incidents could be subject to change with evolving threats or developing technologies, we maintain substantial controls in place such that even if we should experience a cybersecurity threat, an appropriate response will ensure that appropriate action steps are taken to protect client information and appropriately inform customers of any risk exposure.

During or at the conclusion of an assessment of a cybersecurity incident, we will respond to the incident. The response will vary based upon the severity of the incident or event. The CEO, in consultation with the Chief Financial Officer (“CFO”) and CCO as needed, will determine whether the incident is likely to affect ongoing business operations. In determining the level of response, we focus on the following criteria: 

Once it is determined that a cybersecurity incident has been resolved, we will then work to establish appropriate controls (if applicable) to address or prevent similar future events. Such additional controls will be developed in concert with management and will be reviewed for the propriety of the response in line with the above-stated focus criteria during quarterly Board meetings.