TriLinc Global Impact Fund LLC - (TRLI)
10-K Filing Date: March 29, 2024
Cybersecurity represents a critical component of the Company’s overall approach to risk management. The Company’s cybersecurity policies, standards and practices are fully integrated into the Company’s overall risk management approach, and cybersecurity risks are subject to oversight by the Company’s board of managers. The Company generally approaches cybersecurity threats through a cross-functional, multilayered approach, with the specific goals of: (i) identifying, preventing and mitigating cybersecurity threats to the Company; (ii) preserving the confidentiality, security and availability of the information that we collect and store to use in our business; (iii) protecting the Company’s intellectual property; (iv) maintaining the confidence of our customers, clients and business partners; and (v) providing appropriate public disclosure of cybersecurity risks and incidents when required.
Risk Management and Strategy
Consistent with overall Company policies and practices, the Company’s cybersecurity program focuses on the following areas:
● Vigilance: The Company uses a reputable third-party managed service provider (“MSP”) for cybersecurity support, which has operations functioning 24/7 with the specific goal of identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with our established incident response and recovery plans. The Company’s MSP is staffed with several security personnel, many of whom have Certified Information Systems Security Professional (“CISSP”) certifications.
● Systems Safeguards: The Company deploys systems safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls. In the event of a potential cybersecurity incident, the Company’s MSP has the capability to take a number of immediate steps to isolate the potential threat.
● Third-Party Risk Management: The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
● Training: The Company provides annual mandatory training for personnel regarding cybersecurity threats, which reinforces the Company’s information security policies, standards and practices, and such training is scaled to reflect the roles, responsibilities and information systems access of such personnel. The Company also conducts monthly “phishing” email testing for every employee and provides remedial follow-up training when necessary.
● Incident Response and Recovery Planning: The Company has established and maintains comprehensive incident response and recovery plans, in coordination with the Company’s MSP, that fully address the Company’s response to a cybersecurity incident and the recovery from a cybersecurity incident.
● Communication, Coordination and Disclosure: The Company utilizes a cross-functional approach to address the risk from cybersecurity threats, involving management personnel from the Company’s operations, risk management, internal audit and other key business functions, as well as the members of the board of managers in an ongoing dialogue regarding cybersecurity threats and incidents, while also implementing controls and procedures for the escalation of cybersecurity incidents pursuant to established thresholds so that decisions regarding the disclosure and reporting of such incidents can be made by management in a timely manner.
● Governance: The board of managers’ oversight of cybersecurity risk management is supported by the Company’s Incident Response Team (the “IRT”), which is made up of the Company’s Co-Chief Information Officers, the Chief Operating Officer, and their designees. The IRT regularly interacts with the board of managers and members of management.
Governance
The IRT, in coordination with the board of managers, oversees the management of risks from cybersecurity threats, including the policies, standards, processes and practices that the Company’s management implements to address risks from cybersecurity threats. Any cybersecurity incidents that are detected by the Company’s MSP are routed directly to the IRT. The board of managers receives reports on cybersecurity risks from management. The board of managers will be informed of any cybersecurity incident that is determined by the IRT to be material, and will receive ongoing updates regarding such material incident until it has been addressed. At least once each year, the board of managers and the IRT discuss the Company’s approach to cybersecurity risk management with the Company’s Co-Chief Information Officers.
The Company’s Co-Chief Information Officers are the members of the Company’s management principally responsible for overseeing the Company’s cybersecurity risk management program, in partnership with other business leaders across the Company. The Co-Chief Information Officers work in coordination with the other members of the IRT, which includes our Co-Chief Information Officers, our Chief Operating Officer, and their designees. The Company’s Co-Chief Information Officers have each served in various roles in information technology and information security for over 30 years, including in leadership positions with both small and large companies. The Co-Chief Information Security Officers each have extensive knowledge in technology and cybersecurity. The Company’s President, Chief Financial Officer, Chief Operating Officer, and Chief Compliance Officer each hold undergraduate, and, in some cases, graduate, degrees in their respective fields, and each have over 20 years of experience with managing risks at the Company and in environments similar to the Company’s, including risks arising from cybersecurity threats.
The Company’s Co-Chief Information Officers, in coordination with the IRT, work collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. The Co-Chief Information Officers and the rest of the IRT, in collaboration with the Company’s MSP, monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in real time, and report such incidents to the board of managers when appropriate.
Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company’s business strategy, results of operations, or financial condition. See the “General Risk Factors” section in Part I, Item 1A, Risk Factors for more information about the Company’s cybersecurity risks.