BlackRock Capital Investment Corp - (BKCC)

10-K Filing Date: March 05, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

The Company is externally managed by the Advisor and has no employees or internal information systems. Thus, the Company relies on the Advisor, BlackRock, Inc. (“BlackRock”) as well as the custodian and other service providers to protect the Company's information from cybersecurity threats. The Company’s chief compliance officer (the “CCO”) oversees the Company's risk management policies and procedures related to cybersecurity risks, subject to the oversight of the Board of Directors. The CCO and the Advisor also review key Company service providers’ compliance and risk management policies and procedures related to cybersecurity matters, evaluate such service providers’ use of information systems, which have the potential to subject the Company to information technology vulnerabilities, and receive reports from the Company’s service providers regarding any cybersecurity threats and incidents.

Specifically, the Company relies on the enterprise risk management (“ERM”) framework of BlackRock, Inc. (“BlackRock”) for the Company’s cybersecurity risk management and strategy. The Board of Directors of the Company periodically receives reports from BlackRock and from the Advisor regarding BlackRock’s cybersecurity program. Key aspects of the ERM framework are summarized below.

BlackRock’s Enterprise Risk Management Framework

BlackRock recognizes the importance of identifying, assessing, and managing material risks associated with cybersecurity threats. Cybersecurity represents an important component of BlackRock’s approach to ERM. BlackRock leverages a multi-lines-of-defense model with cybersecurity operational processes executed by global information security and other teams and dedicated internal audit technology and technology risk management (“TRM”) teams that independently review technology risks. BlackRock’s cybersecurity program is fully integrated into its ERM framework and is aligned with recognized frameworks, including NIST CSF, FFIEC CAT, FedRAMP, SOC 1/2, ISO 27001/2 and others. BlackRock aims to inform and continuously improve its cybersecurity program through engagement with regulatory, client, insurer, vendor, partner, peer, government and industry organizations and associations, as well as external audit, technology risk, information security and other assessments.

BlackRock seeks to address cybersecurity risks through a global, multilayered strategy of control programs that is designed to preserve the confidentiality, integrity and availability of the information that BlackRock collects and stores by identifying, preventing and mitigating cybersecurity threats and incidents. As one of the critical elements of BlackRock’s overall ERM framework, BlackRock’s cybersecurity program is focused on the following key areas:

Governance: As discussed in more detail under the heading “BlackRock’s Cybersecurity Governance” below, the oversight by BlackRock’s board of directors (BlackRock’s Board”) of cybersecurity risk management is supported by BlackRock’s Risk Committee, which regularly interacts with BlackRock’s risk management function, BlackRock’s Chief Risk Officer (“CRO”) and Chief Information Security Officer (“CISO”), along with other members of management. In addition, technology and cybersecurity risks are formally overseen by a dedicated management risk governance committee, the Technology Risk and Cybersecurity Committee (“TRCC”), which is a sub-committee of the firmwide Enterprise Risk Committee (“ERC”).
Cross-Functional Approach: BlackRock has implemented a global, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing layered preventative, detective, reactive and recovery controls to identify and manage cybersecurity risks.
Safeguards: BlackRock deploys a range of people, process and technical controls that are designed to protect BlackRock’s information systems from cybersecurity threats, which may include, among others: physical security controls; perimeter controls, including technical assessments, firewalls, network segregation, intrusion detection and prevention; tabletop exercises, ongoing vulnerability and patch management; vendor due diligence; multi-factor authentication; device encryption; application security, code testing and penetration testing; endpoint security, including anti-malware protection, threat intel and response, managed detection and response, security configuration management, portable storage device lockdown, restricted administrative privileges; employee awareness, training, and phishing testing; data loss prevention program and monitoring; information security incident reporting and monitoring; and layered and comprehensive access controls.
Incident Response and Recovery Planning: BlackRock has established and maintains incident response and recovery plans that address the Company's response to a cybersecurity incident, including processes designed to assess, escalate, contain, investigate and remediate the incident, as well as to comply with applicable legal obligations and mitigate potential reputational damage. Such plans are evaluated on a periodic basis.
Third-Party Risk Management: BlackRock maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, counterparties and clients, as well as the systems of third parties

64


 

that could significantly and adversely impact BlackRock’s business in the event of a cybersecurity incident affecting those third-party systems. Operational incidents can arise as a result of failures by third parties with which BlackRock does business, such as failures by internet, communication technology and cloud service providers or other vendors to adequately follow processes and procedures, safeguard their systems or prevent system disruptions or cyber-attacks. Third-party risks are included within BlackRock’s ERM framework, and risk identification and mitigation are supported by BlackRock’s cybersecurity program. BlackRock also performs diligence on certain third parties and monitors cybersecurity threats and risks identified through such diligence..
Education and Awareness: BlackRock’s employees and contractors are required to complete an annual information security training to equip them with effective tools to address cybersecurity threats, and to receive communications on BlackRock’s evolving information security policies and procedures.

BlackRock’s global information security team, in collaboration with the technology risk and internal audit teams, engages in the periodic assessment and testing of BlackRock’s cyber risks and cybersecurity program. These efforts may include a wide range of activities, including audits, assessments, wargames and “tabletop” exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. BlackRock also participates in financial services industry and government forums in an effort to improve both internal and sector cybersecurity defense. BlackRock regularly engages third parties and advisors to assess its cybersecurity control environment. The results of certain program and control assessments are reported to the Risk Committee, and BlackRock adjusts its cybersecurity program as appropriate based on the information provided by these assessments.

As of December 31, 2023, the Company is not aware of any cybersecurity risks that have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations, or financial condition.

Cybersecurity Governance

The Board of Directors of the Company periodically receives reports from BlackRock and from the Advisor regarding BlackRock’s cybersecurity program. The CCO delivers quarterly reports to the Board of Directors of the Company. Team members who support the Company’s information security program have relevant educational and industry experience.

At the BlackRock parent level, BlackRock’s Board is actively engaged in the oversight of BlackRock’s risk management program. The Risk Committee assists the Board with its oversight of BlackRock’s levels of risk, risk assessment, risk management and related policies and processes, including risks arising from cybersecurity threats. The Risk Committee receives regular reports on BlackRock’s cybersecurity program, technology resilience risk management and related developments from members of our information security team, including the CISO. The Board and the Risk Committee also receive information regarding cybersecurity incidents that meet certain reporting thresholds. On an annual basis, senior members of BlackRock’s technology, risk and information security teams provide a comprehensive overview of BlackRock’s cyber risk and related programs to a joint session of the Board’s Risk and Audit Committees.

Technology and cybersecurity risks at BlackRock are also overseen by the TRCC, a dedicated management risk governance committee and sub-committee of the firmwide ERC. The chair of the TRCC is appointed by the head of Enterprise Risk Management at BlackRock and its members include the CISO as well as a broad range of senior business stakeholders across BlackRock. The TRCC is responsible for oversight of BlackRock’s technology and cybersecurity risk management practices and helps ensure that technology and cybersecurity risks remain within firmwide risk tolerances and technology and cybersecurity risk issues are escalated as appropriate to the ERC and other committees. The TRCC also reviews any relevant technology and cybersecurity risk related issues and helps ensure that they are appropriately escalated, reported, and remediated.

BlackRock’s cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by BlackRock’s CISO. As of December 31, 2023, the CISO had over 30 years of experience in information technology with a 25-year concentration in information security, including previously serving as the CISO at several global financial institutions, and held the Certified Information Systems Security Professional certification. The CISO works closely with the leadership team and other subject matter experts in the global cybersecurity group, who collectively have extensive prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and overseeing cybersecurity controls in technology risk and audit functions, as well as having relevant degrees and industry-leading certifications.

The CISO and members of the TRCC monitor the prevention, detection, mitigation and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management processes described above, including the operation of BlackRock’s incident response plan.