MidCap Financial Investment Corp - (MFIC)
10-K Filing Date: February 26, 2024
Cybersecurity Risk Management and Strategy
As an externally managed BDC, our risk management function, including cybersecurity, is governed by the cybersecurity policies and procedures of the Investment Adviser, an indirect subsidiary of AGM. AGM determines and implements appropriate risk management processes and strategies as it relates to cybersecurity for us and other affiliated entities managed by AGM, and we rely on AGM for assessing, identifying and managing material risks to our business from cybersecurity threats.
AGM’s Board of Directors is involved in overseeing AGM’s risk management program, including with respect to cybersecurity, which is a critical component of AGM’s overall approach to enterprise risk management (“ERM”). AGM’s cybersecurity policies and practices are fully integrated into its ERM framework through its reporting, risk management and oversight channels and are, in part, based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards.
As one of the critical elements of AGM’s overall ERM approach, AGM’s cybersecurity program is focused on the following key areas:
AGM engages in the periodic assessment and testing of its policies and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of its cybersecurity measures. AGM regularly engages third parties, including auditors and consultants, to perform assessments on its cybersecurity measures, including information security maturity assessments, audits and independent reviews of its information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to AGM’s risk management function, and AGM adjusts its cybersecurity policies and practices as necessary based on the information provided by these assessments, audits and reviews.
Cybersecurity threat risks have not materially affected our company, including our business strategy, results of operations or financial condition. For further discussion of the risks we face from cybersecurity threats, including those that could materially affect us, see “Item 1A. Risk Factors—Risks Related to Our Business and Structure—Cybersecurity risks and cyber incidents may adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential information, a misappropriation of funds, and/or damage to our business relationships, all of which could negatively impact our financial results.”
Cybersecurity Governance
AGM’s Board of Directors’ oversight of cybersecurity risk management is supported by the audit committee of AGM’s Board of Directors (“AGM audit committee”), the AAM Global Risk Committee (“AGRC”), the Operational Risk Forum (the “ORF”), the Cybersecurity Working Group and management. AGM’s Board of Directors, the AGM audit committee, the AGRC, the ORF and the Cybersecurity Working Group receive regular updates on AGM’s information technology, cybersecurity risk profile and strategy, and risk mitigation plans from AGM’s risk management professionals, AGM’s Chief Security Officer (“CSO”), the CISO, the AHL CISO, other members of management and relevant management committees and working groups. The Cybersecurity Working Group is chaired by the CISO and has representation from AGM’s Technology, Legal, Compliance, and ERM teams. The group meets at least once a quarter to discuss cybersecurity and risk mitigation activities, among other topics. The CISO regularly reports to the ORF regarding cyber risk, and the ORF in turn reports to the AGRC on a quarterly basis, noting any cyber updates when necessary or appropriate. In turn, AGM’s Board of Directors and/or the AGM audit committee receive quarterly risk updates from risk management professionals, as well as at least annual updates on cyber risk specifically. The full AGM Board of Directors or the AGM audit committee receives presentations and reports on cybersecurity risks from AGM’s CSO or CISO, as well as from AHL’s CISO, at least annually.
AGM’s CSO holds an undergraduate degree in Management Information Systems and Business Administration, which he received magna cum laude. He has over 25 years of cyber-related experience, having served in various roles in technology and cybersecurity, including as Head of IT Risk Management, Executive Director of IT & Risk Compliance, and Global IT Risk Evaluation Lead at large financial institutions and consulting firms. He was also previously AGM’s CISO for nearly eight years. AGM’s CISO holds a master’s degree in Business Information Systems and has served in various roles in information technology and information security for over 25 years across a number of large financial institutions, including as Director, Cybersecurity and Risk.
AGM’s CISO, in coordination with the AGM Technology and ERM teams, works collaboratively across AGM to implement a program designed to protect its information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with its incident response and recovery plans. To facilitate the success of AGM’s cybersecurity risk management program, multidisciplinary teams throughout AGM are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to AGM’s audit committee or AGM Board of Directors, as appropriate.
As part of the risk management oversight (including oversight of cyber risks) of the audit committee of our Board of Directors, our audit committee regularly interacts with, and receives reports from, our management, the Investment Adviser, AGM, and other service providers. The audit committee of our Board of Directors receives presentations and reports on cybersecurity risks from AGM’s CSO or CISO at least annually, and these address a wide range of topics including recent developments, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to AGM’s peers and third parties. Additionally, AGM and other service providers periodically report to management on matters relating to our cybersecurity practices.
AGM’s cybersecurity incident response plan provides for proper escalation of identified cybersecurity threats and incidents, including, as appropriate, to our management. These discussions provide a mechanism for the identification of cybersecurity threats and incidents, assessment of our cybersecurity risk profile or of certain newly identified risks relevant to our company or the Investment Adviser, and evaluation of the adequacy of our cybersecurity program (as coordinated through the Investment Adviser and AGM), including risk mitigation, compliance and controls.