BlackRock Capital Investment Corp - (BKCC)
10-K Filing Date: March 05, 2024
Cybersecurity Risk Management and Strategy
The Company is externally managed by the Advisor and has no employees or internal information systems. Thus, the Company relies on the Advisor, BlackRock, Inc. (“BlackRock”) as well as the custodian and other service providers to protect the Company's information from cybersecurity threats. The Company’s chief compliance officer (the “CCO”) oversees the Company's risk management policies and procedures related to cybersecurity risks, subject to the oversight of the Board of Directors. The CCO and the Advisor also review key Company service providers’ compliance and risk management policies and procedures related to cybersecurity matters, evaluate such service providers’ use of information systems, which have the potential to subject the Company to information technology vulnerabilities, and receive reports from the Company’s service providers regarding any cybersecurity threats and incidents.
Specifically, the Company relies on the enterprise risk management (“ERM”) framework of BlackRock, Inc. (“BlackRock”) for the Company’s cybersecurity risk management and strategy. The Board of Directors of the Company periodically receives reports from BlackRock and from the Advisor regarding BlackRock’s cybersecurity program. Key aspects of the ERM framework are summarized below.
BlackRock’s Enterprise Risk Management Framework
BlackRock recognizes the importance of identifying, assessing, and managing material risks associated with cybersecurity threats. Cybersecurity represents an important component of BlackRock’s approach to ERM. BlackRock leverages a multi-lines-of-defense model with cybersecurity operational processes executed by global information security and other teams and dedicated internal audit technology and technology risk management (“TRM”) teams that independently review technology risks. BlackRock’s cybersecurity program is fully integrated into its ERM framework and is aligned with recognized frameworks, including NIST CSF, FFIEC CAT, FedRAMP, SOC 1/2, ISO 27001/2 and others. BlackRock aims to inform and continuously improve its cybersecurity program through engagement with regulatory, client, insurer, vendor, partner, peer, government and industry organizations and associations, as well as external audit, technology risk, information security and other assessments.
BlackRock seeks to address cybersecurity risks through a global, multilayered strategy of control programs that is designed to preserve the confidentiality, integrity and availability of the information that BlackRock collects and stores by identifying, preventing and mitigating cybersecurity threats and incidents. As one of the critical elements of BlackRock’s overall ERM framework, BlackRock’s cybersecurity program is focused on the following key areas:
64
BlackRock’s global information security team, in collaboration with the technology risk and internal audit teams, engages in the periodic assessment and testing of BlackRock’s cyber risks and cybersecurity program. These efforts may include a wide range of activities, including audits, assessments, wargames and “tabletop” exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. BlackRock also participates in financial services industry and government forums in an effort to improve both internal and sector cybersecurity defense. BlackRock regularly engages third parties and advisors to assess its cybersecurity control environment. The results of certain program and control assessments are reported to the Risk Committee, and BlackRock adjusts its cybersecurity program as appropriate based on the information provided by these assessments.
As of December 31, 2023, the Company is not aware of any cybersecurity risks that have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations, or financial condition.
Cybersecurity Governance
The Board of Directors of the Company periodically receives reports from BlackRock and from the Advisor regarding BlackRock’s cybersecurity program. The CCO delivers quarterly reports to the Board of Directors of the Company. Team members who support the Company’s information security program have relevant educational and industry experience.
At the BlackRock parent level, BlackRock’s Board is actively engaged in the oversight of BlackRock’s risk management program. The Risk Committee assists the Board with its oversight of BlackRock’s levels of risk, risk assessment, risk management and related policies and processes, including risks arising from cybersecurity threats. The Risk Committee receives regular reports on BlackRock’s cybersecurity program, technology resilience risk management and related developments from members of our information security team, including the CISO. The Board and the Risk Committee also receive information regarding cybersecurity incidents that meet certain reporting thresholds. On an annual basis, senior members of BlackRock’s technology, risk and information security teams provide a comprehensive overview of BlackRock’s cyber risk and related programs to a joint session of the Board’s Risk and Audit Committees.
Technology and cybersecurity risks at BlackRock are also overseen by the TRCC, a dedicated management risk governance committee and sub-committee of the firmwide ERC. The chair of the TRCC is appointed by the head of Enterprise Risk Management at BlackRock and its members include the CISO as well as a broad range of senior business stakeholders across BlackRock. The TRCC is responsible for oversight of BlackRock’s technology and cybersecurity risk management practices and helps ensure that technology and cybersecurity risks remain within firmwide risk tolerances and technology and cybersecurity risk issues are escalated as appropriate to the ERC and other committees. The TRCC also reviews any relevant technology and cybersecurity risk related issues and helps ensure that they are appropriately escalated, reported, and remediated.
BlackRock’s cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by BlackRock’s CISO. As of December 31, 2023, the CISO had over 30 years of experience in information technology with a 25-year concentration in information security, including previously serving as the CISO at several global financial institutions, and held the Certified Information Systems Security Professional certification. The CISO works closely with the leadership team and other subject matter experts in the global cybersecurity group, who collectively have extensive prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and overseeing cybersecurity controls in technology risk and audit functions, as well as having relevant degrees and industry-leading certifications.
The CISO and members of the TRCC monitor the prevention, detection, mitigation and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management processes described above, including the operation of BlackRock’s incident response plan.