MidCap Financial Investment Corp - (MFIC)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

As an externally managed BDC, our risk management function, including cybersecurity, is governed by the cybersecurity policies and procedures of the Investment Adviser, an indirect subsidiary of AGM. AGM determines and implements appropriate risk management processes and strategies as it relates to cybersecurity for us and other affiliated entities managed by AGM, and we rely on AGM for assessing, identifying and managing material risks to our business from cybersecurity threats.

AGM’s Board of Directors is involved in overseeing AGM’s risk management program, including with respect to cybersecurity, which is a critical component of AGM’s overall approach to enterprise risk management (“ERM”). AGM’s cybersecurity policies and practices are fully integrated into its ERM framework through its reporting, risk management and oversight channels and are, in part, based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards.

As one of the critical elements of AGM’s overall ERM approach, AGM’s cybersecurity program is focused on the following key areas:

Governance. As discussed further under the heading “Cybersecurity Governance,” AGM’s Board of Directors has an oversight role, as a whole and also at the committee level, in overseeing management of AGM’s risks, including its cybersecurity risks. AGM’s Chief Information Security Officer (“CISO”) and the Chief Information Security Officer of Athene Holding Ltd. (“AHL’s CISO”), a subsidiary of AGM, with support from the broader AGM Technology team, are responsible for information security strategy, policies and practices, and also receive support, as appropriate, from our executive officers and other representatives of the Investment Adviser and its affiliates.
Collaborative Approach. AGM utilizes a cross-functional approach involving stakeholders across multiple departments, including AGM Compliance, Legal, Technology, Operations, Risk and others, aimed at identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of potentially material cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management, in consultation with our management and our Board of Directors, as applicable, in a timely manner.
Technical Safeguards. AGM deploys technical safeguards that are designed to protect its information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved on an ongoing basis using vulnerability assessments and cybersecurity threat intelligence.
Incident Response and Recovery Planning. AGM has established and maintains incident response and recovery plans that address its response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis.
Third-Party Risk Management. AGM maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of its systems, as well as the systems of third parties that could adversely impact its business and the business of its externally managed entities such as our company, in the event of a cybersecurity incident affecting those third-party systems.
Education and Awareness. AGM provides regular, mandatory training for personnel regarding cybersecurity threats to equip its personnel with effective tools to help mitigate cybersecurity threats, and to communicate its evolving information security policies, standards, processes and practices.

68


 

AGM engages in the periodic assessment and testing of its policies and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of its cybersecurity measures. AGM regularly engages third parties, including auditors and consultants, to perform assessments on its cybersecurity measures, including information security maturity assessments, audits and independent reviews of its information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to AGM’s risk management function, and AGM adjusts its cybersecurity policies and practices as necessary based on the information provided by these assessments, audits and reviews.

Cybersecurity threat risks have not materially affected our company, including our business strategy, results of operations or financial condition. For further discussion of the risks we face from cybersecurity threats, including those that could materially affect us, see “Item 1A. Risk Factors—Risks Related to Our Business and Structure—Cybersecurity risks and cyber incidents may adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential information, a misappropriation of funds, and/or damage to our business relationships, all of which could negatively impact our financial results.

Cybersecurity Governance

AGM’s Board of Directors’ oversight of cybersecurity risk management is supported by the audit committee of AGM’s Board of Directors (“AGM audit committee”), the AAM Global Risk Committee (“AGRC”), the Operational Risk Forum (the “ORF”), the Cybersecurity Working Group and management. AGM’s Board of Directors, AGM’s audit committee, the AGRC, the ORF and the Cyber Security Working Group receive regular updates on AGM’s information technology, cybersecurity risk profile and strategy, and risk mitigation plans from AGM’s risk management professionals, AGM's Chief Security Officer (“CSO”), the CISO, the AHL CISO, other members of management and relevant management committees and working groups. The Cyber Security Working Group is chaired by the CISO and has representation from AGM’s Technology, Legal, Compliance, and ERM teams. The group meets at least once a quarter to discuss cybersecurity and risk mitigation activities, among other topics. The CISO regularly reports to the ORF regarding cyber risk, and the ORF in turn reports to the AGRC on a quarterly basis, noting any cyber updates when necessary or appropriate. In turn, AGM’s Board of Directors and/or AGM’s audit committee receive quarterly risk updates from risk management professionals, as well as at least annual updates on cyber risk specifically. The full AGM Board of Directors or AGM’s audit committee receives presentations and reports on cybersecurity risks from AGM’s CSO or CISO, as well as from AHL’s CISO, at least annually.

AGM’s CSO holds an undergraduate degree in Management Information Systems and Business Administration, which he received magna cum laude. He has over 25 years of cyber-related experience, having served in various roles in technology and cybersecurity, including as Head of IT Risk Management, Executive Director of IT & Risk Compliance, and Global IT Risk Evaluation Lead at large financial institutions and consulting firms. He was also previously AGM’s CISO for nearly eight years. AGM’s CISO holds a master’s degree in Business Information Systems and has served in various roles in information technology and information security for over 25 years across a number of large financial institutions, including as Director, Cybersecurity and Risk.

AGM’s CISO, in coordination with the AGM Technology and ERM teams, works collaboratively across AGM to implement a program designed to protect its information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with its incident response and recovery plans. To facilitate the success of AGM’s cybersecurity risk management program, multidisciplinary teams throughout AGM are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to AGM’s audit committee or AGM Board of Directors, as appropriate.

As part of the risk management oversight (including oversight of cyber risks) of the audit committee of our Board of Directors, our audit committee regularly interacts with, and receives reports from, our management, the Investment Adviser, AGM, and

69


 

other service providers. The audit committee of our board of directors receives presentations and reports on cybersecurity risks from AGM’s CSO or CISO, at least annually, and they address a wide range of topics including recent developments, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to AGM’s peers and third parties. Additionally, AGM and other service providers periodically report to management as it relates to our cybersecurity practices.

AGM’s cybersecurity incident response plan provides for proper escalation of identified cybersecurity threats and incidents, including, as appropriate, to our management. These discussions provide a mechanism for the identification of cybersecurity threats and incidents, assessment of cybersecurity risk profile or certain newly identified risks relevant to our company, the Investment Adviser, and evaluation of the adequacy of our cybersecurity program (as coordinated through the Investment Adviser and AGM), including risk mitigation, compliance and controls.