New Mountain Finance Corp - (NMFC)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We rely on the cybersecurity policies and procedures implemented by New Mountain Capital. New Mountain Capital has processes in place for assessing, identifying, and managing material risks from potential unauthorized occurrences on or through our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the information residing on those systems. These include a wide variety of controls, processes, systems, and tools that are designed to prevent, detect, or mitigate data loss, theft, misuse, unauthorized access, or other security incidents or vulnerabilities affecting our data. Pursuant to New Mountain Capital’s Information Security Program, the New Mountain Capital Information Technology Steering Committee (“ITSC”) is responsible for the development, evolution, and implementation of policies and technical measures to reasonably prevent security incidents. At times New Mountain Capital may also engage assessors, consultants, auditors, or other third parties to assist with assessing, identifying, and managing cybersecurity risks.
New Mountain Capital uses processes to oversee and identify material risks from cybersecurity threats, including those associated with the use of third-party service providers. Additionally, New Mountain Capital uses systems and processes designed to reduce the impact of a security incident at a third-party service provider. As part of its risk management process, New Mountain Capital also maintains an incident response plan that is utilized when cybersecurity incidents impacting us, our Investment Adviser, or our Administrator are detected. New Mountain Capital also requires that all employees, including employees of the Investment Adviser and Administrator, complete interactive security awareness training on an annual basis.
Material Impact of Cybersecurity Risks
As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. However, future incidents could have a material impact on our business. Additional information about cybersecurity risks we face is discussed in Item 1A of Part I, “Risk Factors,” under the heading “The failure of cybersecurity protection systems, as well as the occurrence of events unanticipated in our disaster recovery systems and management continuity planning, could impair our ability to conduct business effectively,” which should be read in conjunction with the information above.
Governance
Our cybersecurity risks and associated mitigations are evaluated by our management and the ITSC as needed, but no less frequently than annually. Management and representatives of the ITSC periodically report to our board of directors on developments to the information security and cybersecurity risks we face. Reports include, among other things, an overview of New Mountain Capital’s controls and procedures related to assessing, identifying, and managing risks related to cybersecurity threats, oversight of third-party service providers and related cybersecurity threats, and management’s evaluation of cybersecurity risks material to us.
52