ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

As an externally managed closed-end management investment company that has elected to be regulated as a BDC under the 1940 Act, our day-to-day operations are managed by the Adviser, Administrator and our executive officers under the oversight of our Board of Directors. Our executive officers are senior professionals of the Adviser and Sixth Street and each of the Adviser and Administrator is a subsidiary of Sixth Street. As such, we are reliant on Sixth Street for assessing, identifying and managing material risks to our business from cybersecurity threats. Below are details Sixth Street has provided to us regarding its cybersecurity program that are relevant to us.

Sixth Street maintains a comprehensive cybersecurity program, including policies and procedures designed to protect its systems, operations, and the data utilized and entrusted to it, including by us, from anticipated threats or hazards. Sixth Street utilizes a variety of protective measures as a part of its cybersecurity program. These measures include, where appropriate, physical and digital access controls, patch management, identity verification and mobile device management software, employee cybersecurity awareness and best practices training programs, security baselines and tools to report anomalous activity, and monitoring of data usage, hardware and software, among others.

Sixth Street tests its cybersecurity defenses regularly through automated and manual vulnerability scanning, to identify and remediate critical vulnerabilities. In addition, it conducts annual “white hat” penetration tests to validate its security posture. Further, Sixth Street engages in cyber incident tabletop exercises and scenario planning exercises involving hypothetical cybersecurity incidents to test its cyber incident response processes. Tabletop exercises are conducted by Sixth Street’s Technology Risk team in collaboration with outside service providers as appropriate and includes members of Sixth Street’s senior management and Legal/ Compliance team. Learnings from these tabletop exercises and any events that Sixth Street experiences are reviewed, discussed, and incorporated into its cybersecurity framework as appropriate.

In addition to Sixth Street’s internal exercises to test aspects of its cybersecurity program, Sixth Street periodically engages independent third parties to assess the risks associated with its information technology resources and information assets. Among other matters, these third parties analyze data on the interactions of users of Sixth Street’s information technology resources, including employees, and conduct penetration tests and scanning exercises to assess the performance of the cybersecurity systems and processes.

Sixth Street has a comprehensive Security Incident Response Plan (the “IRP”) designed to inform the proper escalation (including, as appropriate, to our executive officers and other representatives of the Adviser or its affiliates) of non-routine suspected or confirmed information security or cybersecurity events based on the expected risk an event presents. As appropriate, a team composed of individuals from several internal technical and managerial functions may be formed to investigate and remediate the event and determine the extent of external advisor support required, including from external counsel, forensic investigators, and/or law enforcement. The IRP sets out ongoing monitoring or remediating actions to be taken after resolution of an incident. The IRP is reviewed at least annually.

Sixth Street maintains a cybersecurity risk management process to identify and mitigate risks that impact the firm. Sixth Street’s Head of Technology Risk periodically discusses and reviews cybersecurity risks and related mitigants with Sixth Street’s Cybersecurity Committee and incorporates relevant cybersecurity risk updates and metrics.

Sixth Street employs a process designed to assess the cybersecurity risks associated with the engagement of third-party vendors. This assessment is conducted on the basis of, among other factors, the types of services provided and the extent and type of data accessed or processed by a third-party vendor.

In the last three fiscal years, we have not experienced a material information security breach incident and the expenses we have incurred from information security breach incidents have been immaterial. However, future incidents could have a material impact on our business strategy, results of operations or financial condition. For a discussion of how risks from cybersecurity threats affect our business, and our reliance on the Sixth Street and its affiliates in managing these risks, see “Part 1. Item 1A. Risk Factors – Risk Related to our Business – Cybersecurity risks and cyber incidents may adversely affect our business or those of our portfolio companies by causing a disruption to our operations, a compromise or corruption of confidential information and/or damage to

---

business relationships, or those of our portfolio companies, all of which could negatively impact our business, results of operations or financial condition” in this Annual Report on Form 10-K.

 

Cybersecurity Governance

Sixth Street has a dedicated cybersecurity team, led by its Head of Technology Risk, who works closely with Sixth Street’s Cybersecurity Committee, to develop and advance the firm’s cybersecurity strategy, which applies to us. Sixth Street’s Cybersecurity Committee includes its Chief Information Officer, Chief Risk Officer, General Counsel, Co-Chief Operating Officer and Chief Compliance Officer, as well as our Chief Financial Officer and Chief Compliance Officer.

The Head of Technology Risk has extensive experience in cybersecurity and technology and is responsible for all aspects of cybersecurity across Sixth Street. He has a B.S in Computer Science from University of Washington and has over 17 years of experience contributing to cybersecurity related workflows, processes, policies, system designs, program management, and vulnerability discovery, exploitation, mitigation, and remediation.

 

Sixth Street conducts periodic cybersecurity risk assessments, including assessments or audits of third-party vendors, and assists with the management and mitigation of identified cybersecurity risks. The Head of Technology Risk reviews the cybersecurity framework annually as well as on an event-driven basis as necessary. The Head of Technology Risk also reviews the scope of the cybersecurity measures periodically, including in the event of a change in business practices that may implicate the security or integrity of Sixth Street’s information and systems.

Our Board of Directors is responsible for understanding the primary risks to our business, including any cybersecurity risks. The Board of Directors is responsible for reviewing periodically our and the Adviser’s information technology security controls and related compliance matters, with management. Sixth Street’s Head of Technology Risk reports to the Board of Directors at least annually on cybersecurity matters, including risks facing us and the Adviser and, as applicable, certain incidents. In addition to such periodic reports, the Board of Directors may receive updates from management as to our and the Adviser’s cybersecurity risks and Sixth Street cybersecurity program developments.