Hamilton Lane INC - (HLNE)

10-K Filing Date: May 23, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We maintain a comprehensive cybersecurity program that includes policies and procedures designed to protect our systems, operations and data from unauthorized access, theft and destruction. We utilize a variety of protective measures as part of our cybersecurity program, including:
reviews of our network access rights and controls;
penetration testing;
patch management;
annual security awareness trainings and assessments for all employees and contingent workers;
security information and event management software to identify anomalies;
periodic security review meetings designed to identify vulnerabilities and review remediation efforts;
a vendor risk management program; and
cybersecurity tabletop exercises.

We also maintain a comprehensive Security Response Policy designed to inform proper escalation of non-routine cybersecurity events and to coordinate our actions across departments. The policy sets forth, among other things, the following actions in the event of a suspected security breach: incident verification by our cybersecurity team, notification of our ERM committee, notification of an incident response and disclosure team composed of members of our operations, legal, finance and compliance teams, mitigation and remediation actions, and steps to restore business continuity. Our Chief Technology Officer (“CTO”) serves as security coordinator and leads our cybersecurity and information technology team. As of March 31, 2024, no known cybersecurity threats have materially affected, or are reasonably likely to materially affect our Company, including our business strategy, cash flows, financial condition or results of operations.
We engage diligenced third parties as part of our cybersecurity program. On a periodic basis, we engage third-party auditors to assess our cybersecurity controls and procedures. We also engage reputable third-party security firms to conduct annual penetration tests of our physical and digital security. We then work to remediate critical vulnerabilities identified through these assessments.
Our cybersecurity processes are integrated into our Company’s overall risk management processes. Our CTO is a member of our ERM committee and any cybersecurity issues are immediately raised to the committee. In addition, our CTO reports to the audit committee of our board of directors bi-annually, regarding our cybersecurity program and material risks, and once annually to our full board of directors, regarding overall cybersecurity strategy.
We have a range of controls designed to identify, assess, mitigate, manage, and thereby seek to minimize the cybersecurity risks associated with the engagement of third-party service providers. Our approach is tailored based on the types of services provided and the extent and type of data accessed or processed by a third-party vendor. For critical vendors who will have access to our systems or data, we diligence their cybersecurity practices prior to engagement, including requiring responses to standardized information gathering questionnaires. We may conduct additional reviews of certain vendors depending on criticality or risk. In addition, where we consider it to be appropriate, we seek to include in our contractual arrangements with certain of our third‐party vendors provisions addressing best practices with respect to data and cybersecurity, including the right to audit and test their compliance with these contractual requirements.
For a discussion of how risks from cybersecurity threats affect our business, see “Risk Factors—Failure to maintain the security of our information technology networks, or those of our third-party service providers, or data security breaches could harm our reputation and have a material adverse effect on our results of operations, financial condition and cash flow” in Part I, Item 1A of this Form 10-K.
Cybersecurity Governance
Our board of directors has delegated oversight of the Company’s cybersecurity risks to the audit committee. The audit committee reviews the Company’s information technology and data protection strategies, oversees and assesses risk with respect to cyberattacks and data privacy matters and receives bi-annual updates from our CTO. The audit committee then provides updates and recommendations to the full board on cybersecurity matters.
On the management side, our ERM committee oversees the firm’s risk management process, which includes oversight of cybersecurity. Our CTO is a member of this committee, along with other of the most senior professionals at the firm, including our chief operating officer who is also our chief risk officer. Our CTO updates the ERM committee on cybersecurity matters on a quarterly and as-needed basis.
Our CTO has over 20 years of technology and cybersecurity-related experience. Prior to joining the Company, he was Vice President of Operations & Security at Linode, where he led systems engineering, information security & compliance, hardware research & development, and project/product management, and previously held senior positions at GE and GE Digital. He received an M.B.A from Penn State University and a B.S. in Information Sciences & Technology from Penn State University.
To support management’s role in assessing and managing cybersecurity threats, our cybersecurity team conducts periodic security review meetings designed to identify vulnerabilities and review remediation efforts. In addition, we maintain a comprehensive Security Response Policy, which sets forth various actions to be taken in the event of a suspected security breach, including incident verification by our cybersecurity team, notification of our ERM committee, and mitigation and remediation actions. We also have a range of controls designed to identify, assess, mitigate, manage, and thereby seek to minimize the cybersecurity risks associated with the engagement of third-party service providers.