MONROE CAPITAL Corp - (MRCC)
10-K Filing Date: March 11, 2024
ITEM 1C. CYBERSECURITY
We rely on the cybersecurity strategy and policies implemented by Monroe Capital, the parent of both MC Advisors and MC Management that also apply to the Company. Monroe Capital’s cybersecurity strategy prioritizes detection and analysis of and response to known, anticipated or unexpected threats, effective management of security risks and resilience against cyber incidents. Monroe Capital’s enterprise-wide cybersecurity program is aligned to the National Institute of Standards and Technology Cybersecurity Framework. Monroe Capital’s cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services, which include tools and services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. Monroe Capital has implemented and continues to implement risk-based controls designed to prevent, detect and respond to information security threats and we rely on those controls to help us protect our information, our information systems, and the information of our investors and other third parties who entrust us with their sensitive information.
Monroe Capital’s cybersecurity program includes physical, administrative and technical safeguards, as well as plans and procedures designed to help Monroe Capital prevent and timely and effectively respond to cybersecurity threats and incidents, including threats or incidents that may impact us, MC Advisors or MC Management. Monroe Capital’s cybersecurity risk management process seeks to monitor cybersecurity vulnerabilities and potential attack vectors, evaluate the potential operational and financial effects of any threat and mitigate such threats. The assessment of cybersecurity risks, including those which may impact us, our investment adviser or our administrator, is integrated into Monroe Capital’s enterprise risk management program, which is overseen by the Monroe Capital Operations and Risk Committee (“ORC”), as discussed below. In addition, Monroe Capital periodically engages with third-party consultants and key vendors to assist it in assessing, enhancing, implementing and monitoring its cybersecurity risk management programs and responding to incidents.
The Monroe Capital cybersecurity risk management and awareness programs include periodic identification and testing of vulnerabilities, regular phishing simulations and annual general cybersecurity awareness and data protection training including for employees of MC Advisors and MC Management. Monroe Capital also has annual certification requirements for employees, including employees who provide services to us pursuant to our Investment Advisory and Management Agreement and our Administration Agreement with respect to certain policies supporting the cybersecurity program. Monroe Capital undertakes periodic internal security reviews of our information systems and related controls, including systems affecting personal data and the cybersecurity risks of Monroe Capital’s and our critical third-party vendors and other partners. Monroe Capital also completes periodic external reviews of its cybersecurity program and practices, which include assessments of relevant data protection practices and targeted attack simulations.
In the event of a cybersecurity incident impacting us, MC Advisors or MC Management, Monroe Capital has developed an incident response plan that provides guidelines for responding to such an incident and facilitates coordination across multiple operational functions of Monroe Capital, including coordinating with the relevant employees of MC Advisors and MC Management. The incident response plan includes notification to the applicable members of cybersecurity leadership, including Monroe Capital’s Head of Information Technology, and the Computer Security Incident Response Team (“CSIRT”), and, as appropriate, escalation to the full ORC and/or an internal ad hoc group of senior employees tasked with helping to manage the cybersecurity incident. Depending on their nature, incidents may also be reported to the audit committee or full board of directors of Monroe Capital, as well as to the Audit Committee (the “Audit Committee”) of our Board of Directors (the “Board”) and to our full Board, if appropriate.
Risk Management and Strategy
In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and store sensitive data. “Information systems” means electronic information resources that we own or use, including physical or virtual infrastructure controlled by these information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the information necessary to maintain or support our operations. Because cybersecurity threats continue to evolve, we have been required and may continue to be required to expend significant resources to continue to implement, modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities. Financial expenditures may also be required to meet regulatory changes in the information security and cybersecurity domains. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats. For additional discussion of the risks posed by cybersecurity threats, see “Item 1A. Risk Factors—General Risk Factors—The failure in cyber security systems, as well as the occurrence of events unanticipated in our disaster recovery systems and management continuity planning, could impair our ability to conduct business effectively.”
To address cybersecurity threats (defined as potential unauthorized occurrences on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of those systems or any information residing in those systems), we have implemented an incident and event response program. That program is a component of our overall enterprise risk management and business continuity frameworks. We employ an in-depth, layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity relative to our information systems, as well as to report on any suspected advanced persistent threats. The program is designed to allow for the detection of, and timely and efficient recovery from, cybersecurity incidents (defined as a violation or imminent threat of violation of information security policies, acceptable use policies, or standard computer security practices) and events by providing a well-defined, organized approach for handling any potential threats to the confidentiality, integrity, and/or availability of our information systems.
The CSIRT maintains overall responsibility for addressing and resolving incidents that occur at Monroe Capital. The CSIRT: (i) coordinates efforts in response to incidents; (ii) manages the assessment, recovery, and remediation efforts related to incidents; (iii) manages communication, both internal and external, regarding incidents; and (iv) manages notification of regulatory bodies as required by law in response to incidents.
We contract with a third-party vendor (oversight for which is outlined in our Vendor Risk Management Policy) who monitors our information systems for suspicious activity, such as unauthorized intrusions. Suspected or confirmed threats, incidents, or events, however, also may be reported by employees, intrusion detection systems, third-party servicers, or government entities. Once reported, cybersecurity incidents are to be brought to the attention of the Head of Information Technology, the ORC and the CSIRT, which provides status updates to the Information Security Committee (“ISC”), with the frequency of such updates depending upon the perceived threat level of the reported incident.
After notice of a cybersecurity threat is received, the threat is investigated to determine whether an actual incident has occurred and, if so, whether a more thorough assessment by the entire ISC is appropriate. During these assessments, steps may be taken to isolate affected systems. Outside advisors may be engaged regarding the cybersecurity threat, including to conduct legal and forensic investigations and to work with other third parties who might be engaged to assist in any response and associated publicity.
During or at the conclusion of an assessment of a cybersecurity incident, we will respond to the incident. The response will vary based upon the severity of the incident or event. The Head of Information Technology will note the classification of the information potentially impacted, paying close attention to information classified as personally identifiable information and sensitive. The Head of Information Technology and appropriate personnel will determine whether the incident is likely to affect ongoing business operations. If such is the case (e.g., contamination is widespread across production systems), Monroe Capital’s Incident Response Plan and Business Continuity Plan shall be invoked, as necessary. In determining the level of response, we have identified three criticality levels of incidents and events based upon the following criteria:
• Risk to confidential data
• Risk to business continuity
• Risk to critical systems
• Revenue impact
• Client impact
Incident and risk event levels each vary from level 3 (or low) risk to level 1 (high) risk. The determination of the incident and risk level will dictate the level of personnel that will be responsible for addressing the incident, controlling the effects of the incident and formulating the response to the incident. Responses may include, when appropriate and/or required, notification to regulatory agencies (e.g., SEC), authorities (e.g., F.B.I., Department of Justice), clients, third parties or internal personnel.
The CSIRT is responsible for incident reporting and response. The action steps taken, beyond notification, are typically accomplished with the assistance of the IT department. The Head of Information Technology or CSIRT team member will work with the appropriate personnel to respond to the incident (following written guidelines) and to ensure concurrent documentation of the same. Should a breach occur at a third party that has a material impact on Monroe Capital, the CSIRT must be notified.
Following a cybersecurity incident, and during its investigation and the formulation of a response, our processes also envision measures designed to contain and/or eradicate the incident and prevent further effects. Once it is determined that the incident has been resolved, we then work to establish appropriate controls (if applicable) to address similar future events and/or prevent another similar event from occurring in the future. To date, we have not experienced any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.
Governance
Our cybersecurity program is managed by Monroe Capital’s dedicated internal cybersecurity team, which is responsible for enterprise-wide cybersecurity strategy, policies, standards, engineering, architecture and processes. The team is led by Monroe Capital’s Head of Information Technology, who has a bachelor’s degree in systems engineering and over 12 years of experience advising on and managing risks from cybersecurity threats as well as developing and implementing cybersecurity policies and procedures. The CSIRT includes members of Monroe Capital’s senior executive management, including its Chief Operating Officer, Chief Compliance Officer and the Head of Information Technology, who acts as chairperson of the ISC. The ISC is comprised of Monroe Capital’s Head of Information Technology, Chief Operating Officer and Chief Compliance Officer. The purpose of the ISC is to protect Monroe Capital’s technology, data and information, and the ISC is tasked with responding to technology and data security incidents. The ORC is a cross-functional committee that governs and oversees the Monroe Capital enterprise risk management program, including cybersecurity. The ORC includes members of Monroe Capital’s senior executive management, including its Chief Compliance Officer, Chief Operating Officer, Chief Credit Officer, President & Co-Portfolio Manager, Chief Financial Officer of Management Company and Chief Financial Officer of Investment Funds, who acts as chairperson of the ORC. The ORC, through regular consultation with the Monroe Capital internal cybersecurity team and employees of MC Advisors and MC Management, assesses, discusses, and prioritizes Monroe Capital’s approach to high-level risks, mitigative controls and ongoing cybersecurity efforts.
As part of its oversight responsibilities over risks and controls, the Board is ultimately responsible for overseeing our cyber and information security risks. The Audit Committee has primary responsibility for oversight and review of guidelines and policies with respect to risk assessment and risk management, including cybersecurity. Members of the ORC and other Monroe Capital personnel periodically report to our Audit Committee as well as our full Board, as appropriate, on cybersecurity matters. Such reporting includes updates on Monroe Capital’s cybersecurity program as it impacts us, the external threat environment, and Monroe Capital’s programs to address and mitigate the risks associated with the evolving cybersecurity threat environment. These reports also include updates on Monroe Capital’s preparedness, prevention, detection, responsiveness and recovery with respect to cybersecurity incidents.
Material Impact of Cybersecurity Risks
As of the date of this annual report on Form 10-K, we are not aware of any material risks from cybersecurity threats that have materially affected, or are reasonably likely to materially affect, the Company, including our business strategy, results of operations, or financial condition. However, future incidents could have a material impact on our business. Additional information about the cybersecurity risks that we face is discussed in Item 1A of Part I, “Risk Factors” in this annual report on Form 10-K under the heading “The failure in cybersecurity systems, as well as the occurrence of events unanticipated in our disaster recovery systems and management continuity planning, could impair our ability to conduct business effectively.”