Carlyle Secured Lending, Inc. - (CGBD)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Risk Management, Strategy and Procedures
We, our Investment Adviser and its affiliates regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities, and test those systems pursuant to our cybersecurity policies, standards, processes, and practices, which are integrated into our overall risk management system. To protect our information systems from cybersecurity threats, we use various security tools that help us identify, protect against, detect, respond to, and recover from security incidents. These efforts are implemented by Carlyle’s Global Technology & Solutions (“GTS”) team in partnership with our business, legal, and compliance teams, and are essential for us to conduct investment activities, manage internal administration activities, and connect our global enterprise. Our systems, data, network, and infrastructure are monitored and administered by formal controls and risk management processes that log events and help protect our data. In addition, our business continuity plans are designed to allow critical business functions to continue in an orderly manner in the event of an emergency. The GTS team works closely with Carlyle’s business segment teams, including our Investment Adviser, to maintain operational resilience through business continuity planning and annual information technology disaster recovery and incident response plan testing, which collectively support the goal of mitigating risk should an emergency occur. The GTS team has procedures in place to report cybersecurity threats or incidents on a periodic basis. These efforts are underpinned by the implementation of security best practices, where possible, such as:
•Multi-factor authentication for remote access, privileged access management for system administrators, application whitelisting, laptop encryption, and advanced malware defenses on endpoints;
•Incident preparedness and response planning and risk mitigation;
•Independent and continuous security testing, assessment and vulnerability management;
•Regular security awareness training, including phishing simulations, for Carlyle authorized users;
•Restrictions on access to personal email accounts, cloud storage, social media, risk-based categories of websites and USB storage devices;
•Device and system access management policies and procedures that restrict access upon employee or contractor separation from the company; and
•Compliance attestations by Carlyle personnel on firm policies, such as Carlyle’s acceptable use policy, upon hire and annually.
In addition, Carlyle partners with third parties to assess the effectiveness of its cybersecurity program, which includes the Company. Third party assessments will include audits and assessments performed under the direction of Carlyle’s internal audit team, which co-sources with third-party cybersecurity experts in conducting its reviews. GTS also administers Carlyle’s cyber third-party risk management program, which assesses external service providers before onboarding and provides ongoing monitoring in accordance with certain risk-based cybersecurity criteria.
To our knowledge, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition. The sophistication of cyber threats continues to increase and there can be no assurance that the various procedures and controls we utilize to mitigate these threats will be sufficient to prevent disruptions to our systems. Consequently, given that the magnitude of cybersecurity incidents or threats is difficult to predict, we are unable to determine at this time whether risks from cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For an additional description of cybersecurity risk and potential related impacts on us, see Part I, Item 1A of this Form 10-K “Risk Factors—Risks Related to Our Business and Structure—Cybersecurity risks and cyber incidents may adversely affect our business or those of our portfolio companies by causing a disruption to our operations, a compromise or corruption of confidential information and/or damage to business relationships, or those of our portfolio companies, all of which could negatively impact our business, results of operations or financial condition.”
Risk Management Oversight and Governance
Our Board of Directors oversees our enterprise risk management strategy, including our strategy on cybersecurity risks, directly and through its committees. In this respect, the Audit Committee of the Board of Directors (the “Audit Committee”) oversees our risk management program, which focuses on the most significant risks we face in the short-, intermediate-, and long-term timeframe. Audit Committee meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity, and reports from Carlyle on our enterprise risk profile on an annual basis. In addition, Carlyle’s Chief Information Security Officer (“CISO”) leads our cybersecurity program, chairs Carlyle’s Information Security Steering Committee (“ISSC”), and provides cybersecurity status reporting to our Audit Committee at least annually. The ISSC meets quarterly and ensures that cybersecurity initiatives are in alignment with Carlyle’s strategic priorities.
We take a risk-based approach to cybersecurity and have implemented cybersecurity policies, standards, processes, and practices throughout our operations that are designed to address cybersecurity threats, events, and incidents. In particular, our cybersecurity program supports security governance, security awareness and training, security engineering and architecture, security risk management, vulnerability management, security monitoring, and incident response capabilities. In addition, our incident response plan contains escalation and reporting protocols, including reporting to our disclosure committee to consider materiality of cybersecurity incidents. Policies and procedures are in place to assist the disclosure committee with these materiality assessments and any resulting reporting requirements.
Carlyle’s CISO, in coordination with our Chief Financial Officer, Chief Compliance Officer, and Principal Accounting Officer, among certain other senior executives of our Investment Adviser, is responsible for leading the assessment and management of cybersecurity risks. The current Carlyle CISO has over 30 years of experience in information security and is a Certified Information Systems Security Professional. As described above, Carlyle’s CISO leads our cybersecurity program, chairs Carlyle’s ISSC that is comprised of senior management and other sector representatives, and provides cybersecurity status reporting to our Audit Committee as necessary and at least annually.