CION Investment Corp - (CION)
10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity
Assessment, Identification and Management of Material Risks from Cybersecurity Threats
We rely on the cybersecurity strategy and policies implemented by CIG, the parent of CIM, which is our investment adviser and our administrator. CIG’s cybersecurity strategy prioritizes detection and analysis of and response to known, anticipated or unexpected threats, effective management of security risks and resilience against cyber incidents. CIG’s enterprise-wide cybersecurity program is aligned to the National Institute of Standards and Technology Cybersecurity Framework. CIG’s cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services, which include tools and services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. CIG has implemented and continues to implement risk-based controls designed to prevent, detect and respond to information security threats and we rely on those controls to help us protect our information, our information systems, and the information of our investors and other third parties who entrust us with their sensitive information.
CIG’s cybersecurity program includes physical, administrative and technical safeguards, as well as plans and procedures designed to help CIG prevent and timely and effectively respond to cybersecurity threats and incidents, including threats or incidents that may impact us or CIM. CIG’s cybersecurity risk management process seeks to monitor cybersecurity vulnerabilities and potential attack vectors, evaluate the potential operational and financial effects of any threat and mitigate such threats. In addition, CIG may periodically engage with third-party consultants and key vendors to assist it in assessing, enhancing, implementing and monitoring its cybersecurity risk management programs and responding to incidents.
The CIG cybersecurity risk management and awareness programs include periodic identification and testing of vulnerabilities, regular phishing simulations and annual general cybersecurity awareness and data protection training, including for employees of CIM. CIG also has annual certification requirements for employees, including employees who provide services to us pursuant to our investment advisory agreement and our administration agreement with respect to certain policies supporting the cybersecurity program, including CIG’s Information Security Policy, Business Continuity, Disaster Recovery and Cybersecurity Plan, and Privacy Policy. CIG undertakes periodic internal security reviews of our information systems and related controls, including systems affecting personal data and the cybersecurity risks of CIG’s and our critical third-party vendors and other partners. We depend on and engage various third parties, including suppliers, vendors, and service providers. Our risk management, legal, information technology, and compliance personnel identify and oversee risks from cybersecurity threats associated with our use of such third parties. CIG also completes periodic external reviews of its cybersecurity program and practices, which include assessments of relevant data protection practices and targeted attack simulations.
In the event of a cybersecurity incident impacting us or CIM, CIG has developed an incident response plan that provides guidelines for responding to such an incident and facilitates coordination across multiple operational functions of CIG, including coordinating with the relevant employees of CIM. The incident response plan includes notification to the applicable members of cybersecurity leadership. Depending on their nature, incidents may also be reported to the audit committee of our board of directors and to our full board of directors, if appropriate.
Material Impact of Cybersecurity Risks
The potential impact of risks from cybersecurity threats is assessed on an ongoing basis, and how such risks could materially affect our business strategy, operational results, and financial condition is regularly evaluated. In the last three fiscal years, we have not experienced a material information security breach incident and the expenses we have incurred from information security breach incidents have been immaterial, and we have not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that we believe have materially affected, or are reasonably likely to materially affect, us, including our business strategy, operational results, and financial condition. However, future incidents could have a material impact on our business strategy, results of operations or financial condition. For additional discussion of the risks posed by cybersecurity threats, see “Item 1A. Risk Factors—General Risk Factors—Cybersecurity failures and data security incidents could adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential, personal or other sensitive information and/or damage to our business relationships or reputation, any of which could negatively impact our business, financial condition and operating results.”
Oversight of Cybersecurity Risks
Our board of directors provides strategic oversight on cybersecurity matters, including risks associated with cybersecurity threats. Our board of directors receives periodic updates from our Chief Compliance Officer regarding the overall state of our cybersecurity program, information on the current threat landscape, and risks from cybersecurity threats and cybersecurity incidents. These reports also include updates on our preparedness, prevention, detection, responsiveness and recovery with respect to cyber incidents.
Our management, including our Chief Compliance Officer, and members of CIG’s information technology team, are responsible for assessing and managing material risks from cybersecurity threats. Such individuals possess relevant expertise in various disciplines that are key to effectively managing such risks, such as information systems technology, cybersecurity, regulatory compliance and corporate governance. Our management and members of CIG’s information technology team are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents, including through the receipt of notifications from service providers and reliance on communications with risk management, legal, information technology, and/or compliance personnel.