Goldman Sachs BDC, Inc. - (GSBD)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

Cyber Risk Management and Strategy

As a part of the overall risk management system for the Company, processes are in place to assess, identify and manage material risks from cybersecurity threats. The Investment Adviser manages the Company’s day-to-day operations and has implemented a cybersecurity policy that applies to the Company and its operations. With respect to cybersecurity, the Company and the Investment Adviser rely on the systems of Goldman Sachs, its third-party service providers and the Company’s service providers.

Goldman Sachs’ cybersecurity risk management processes are integrated into its overall risk management processes. Goldman Sachs has established an Information Security and Cybersecurity Program (the “Cybersecurity Program”), administered by Technology Risk within its Engineering organization, and overseen by its chief information security officer. This program is designed to identify, assess, document and mitigate threats, establish and evaluate compliance with information security mandates, adopt and apply our security control framework, and prevent, detect and respond to security incidents. The Cybersecurity Program is periodically reviewed and modified to respond to changing threats and conditions. A dedicated Operational Risk team, which reports to the chief risk officer of Goldman Sachs, provides oversight and challenge of the Cybersecurity Program, independent of Technology Risk, and assesses the operating effectiveness of the program against industry standard frameworks and risk appetite-approved operational risk limits and thresholds.

Goldman Sachs’ process for managing cybersecurity risk includes the critical components of its risk management framework, as well as the following:

Training and education, to enable Goldman Sachs employees to recognize information and cybersecurity concerns and respond accordingly;
Identity and access management, including entitlement management and production access;
Application and software security, including software change management, open source software, and backup and restoration;
Infrastructure security, including monitoring our network for known vulnerabilities and signs of unauthorized attempts to access our data and systems;
Mobile security, including mobile applications;
Data security, including cryptography and encryption, database security, data erasure and media disposal;
Cloud computing, including governance and security of cloud applications, and software-as-a-service data;
Onboarding;
Technology operations, including change management, incident management, capacity and resilience; and
Third-party risk management, including vendor management and governance, and cybersecurity and business resiliency on vendor assessments.

In conjunction with third-party vendors and consultants, Goldman Sachs performs risk assessments to gauge the performance of the Cybersecurity Program, to estimate its risk profile and to assess compliance with relevant regulatory requirements. Goldman Sachs performs periodic assessments of control efficacy through its internal risk and control self-assessment process, as well as a variety of external technical assessments, including external penetration tests and “red team” engagements where third parties test its defenses. The results of these risk assessments, together with control performance findings, are used to establish priorities, allocate resources, and identify and improve controls. Goldman Sachs uses third parties, such as outside forensics firms, to augment its cyber incident response capabilities. Goldman Sachs and its third-party service providers have a vendor management program that documents a risk-based framework for managing third-party vendor relationships (including those of the Company). Information security risk management is built into our vendor management process, which covers vendor selection, onboarding, performance monitoring and risk management.

Cyber Risk Governance

The Board provides strategic oversight on cybersecurity matters generally, including oversight of material risks associated with cybersecurity threats. The Board receives periodic reports and updates from Goldman Sachs which generally include the overall state of the Cybersecurity Program, the current cybersecurity threat landscape, material risks from cybersecurity threats, cybersecurity incidents, risk management policies and/or risk assessment initiatives.

Assessment of Cybersecurity Risk

The potential impact of risks from cybersecurity threats is assessed on an ongoing basis, and how such risks could materially affect the Company’s business strategy, operational results, and financial condition is evaluated. However, despite these efforts, we cannot eliminate all cybersecurity risks or provide assurance that we have not had occurrences of undetected cybersecurity incidents. During the reporting period, the Company did not identify any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that the Company believes materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, operational results, and financial condition.