Main Street Capital CORP - (MAIN)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
The Company maintains, and routinely reviews and evaluates, its information technology (“IT”) and cybersecurity policies, practices and procedures (our “Cybersecurity Program”). The Cybersecurity Program has various policies and procedures including a Cyber Incident Response Plan as part of the Company’s Crisis Management Plan. Our Cybersecurity Program is administered by our IT Manager, who is managed on a day-to-day basis by our General Counsel and Chief Compliance Officer and overseen by our IT Steering Committee consisting of our Chief Executive Officer, our Chief Financial Officer and Chief Operating Officer and our General Counsel and Chief Compliance Officer. Our General Counsel and Chief Compliance Officer also serves as the crisis response team leader in connection with any material cybersecurity incident under the Cyber Incident Response Plan. We also utilize the services of IT and cybersecurity advisers, consultants and experts in the evaluation and periodic testing of our IT and cybersecurity systems, to recommend improvements to our Cybersecurity Program and in connection with any cybersecurity incident. We believe that the individuals involved in our Cybersecurity Program possess the necessary skills, experience and backgrounds that, when combined with the resources of our external IT and cybersecurity advisers, consultants and experts, are sufficient to manage our Cybersecurity Program.
As part of our overall risk management process, our management engages at least annually in an enterprise risk management review and evaluation, during which management reviews the principal risks relating to our business and operations. Included in this process is a review and evaluation of our risks relating to our Cybersecurity Program. Additionally, as part of our Rule 38a-1 compliance program, we review at least annually the compliance policies and procedures of our key service providers, including documentation discussing each service provider’s information security and privacy controls. Any failure in our or our key service providers’ cybersecurity systems could have a material impact on our operating results. See Item 1A. Risk Factors — General Risk Factors — The failure in cybersecurity systems, as well as the occurrence of events unanticipated in our disaster recovery systems and management continuity planning could impair our ability to conduct business effectively.
Our Board as a whole has responsibility for the Company’s risk oversight, with reviews of certain areas being conducted by the relevant Board committees that report on their deliberations to the full Board. The oversight responsibility of the Board and its committees is enabled by management reporting processes that are designed to provide visibility to the Board about the identification, assessment and management of critical risks and management’s risk mitigation strategies. Areas of focus include competitive, economic, operational, financial (accounting, credit, liquidity and tax), legal, regulatory, compliance and other risks.
Oversight of risks relating to IT and cybersecurity has been delegated by our Board to its Audit Committee. The Audit Committee includes members of the Board who, in addition to each being designated as an “audit committee financial expert,” possess backgrounds and experience which we believe enable them to provide effective oversight of our IT and cybersecurity risks. Our management routinely reports to the Audit Committee on the status of the Company’s Cybersecurity Program at the Audit Committee’s quarterly meetings. Routine reports generally detail any testing, observations or developments concerning the Cybersecurity Program that occurred during the prior quarter. The results of periodic testing related to the Cybersecurity Program are also described in the Chief Compliance Officer’s annual report to the Board, provided pursuant to Rule 38a-1 under the 1940 Act. The crisis response team leader also collaborates with the Audit Committee chair to ensure that the Board is apprised of any material cybersecurity incident and consults with the Audit Committee chair in connection with any material decisions or actions related thereto.