Goldman Sachs BDC, Inc. - (GSBD)
10-K Filing Date: February 28, 2024
Cyber Risk Management and Strategy
As a part of the overall risk management system for the Company, processes are in place to assess, identify and manage material risks from cybersecurity threats. The Investment Adviser manages the Company’s day-to-day operations and has implemented a cybersecurity policy that applies to the Company and its operations. With respect to cybersecurity, the Company and the Investment Adviser rely on the systems of Goldman Sachs, its third-party service providers and the Company’s service providers.
Goldman Sachs’ cybersecurity risk management processes are integrated into its overall risk management processes. Goldman Sachs has established an Information Security and Cybersecurity Program (the “Cybersecurity Program”), administered by Technology Risk within its Engineering organization, and overseen by its chief information security officer. This program is designed to identify, assess, document and mitigate threats, establish and evaluate compliance with information security mandates, adopt and apply our security control framework, and prevent, detect and respond to security incidents. The Cybersecurity Program is periodically reviewed and modified to respond to changing threats and conditions. A dedicated Operational Risk team, which reports to the chief risk officer of Goldman Sachs, provides oversight and challenge of the Cybersecurity Program, independent of Technology Risk, and assesses the operating effectiveness of the program against industry standard frameworks and risk appetite-approved operational risk limits and thresholds.
Goldman Sachs’ process for managing cybersecurity risk includes the critical components of its risk management framework, as well as the following:
In conjunction with third-party vendors and consultants, Goldman Sachs performs risk assessments to gauge the performance of the Cybersecurity Program, to estimate its risk profile and to assess compliance with relevant regulatory requirements. Goldman Sachs performs periodic assessments of control efficacy through its internal risk and control self-assessment process, as well as a variety of external technical assessments, including external penetration tests and “red team” engagements where third parties test its defenses. The results of these risk assessments, together with control performance findings, are used to establish priorities, allocate resources, and identify and improve controls. Goldman Sachs uses third parties, such as outside forensics firms, to augment its cyber incident response capabilities. Goldman Sachs and its third-party service providers have a vendor management program that documents a risk-based framework for managing third-party vendor relationships (including those of the Company). Information security risk management is built into our vendor management process, which covers vendor selection, onboarding, performance monitoring and risk management.
Cyber Risk Governance
The Board provides strategic oversight on cybersecurity matters generally, including oversight of material risks associated with cybersecurity threats. The Board receives periodic reports and updates from Goldman Sachs which generally include the overall state of the Cybersecurity Program, the current cybersecurity threat landscape, material risks from cybersecurity threats, cybersecurity incidents, risk management policies and/or risk assessment initiatives.
Assessment of Cybersecurity Risk
The potential impact of risks from cybersecurity threats is assessed on an ongoing basis, and how such risks could materially affect the Company’s business strategy, operational results, and financial condition is evaluated. However, despite these efforts, we cannot eliminate all cybersecurity risks or provide assurance that we have not had occurrences of undetected cybersecurity incidents. During the reporting period, the Company did not identify any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that the Company believes materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, operational results, and financial condition.