ARES CAPITAL CORP 10-K Cybersecurity GRC - 2024-02-07

Page last updated on April 11, 2024

ARES CAPITAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-07 06:13:02 EST.

Filings

10-K filed on 2024-02-07

ARES CAPITAL CORP filed an 10-K at 2024-02-07 06:13:02 EST
Accession Number: 0001287750-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Assessment, Identification and Management of Material Risks from Cybersecurity We rely on the cybersecurity strategy and policies implemented by Ares Management, the parent of both our investment adviser and our administrator. Ares Management s cybersecurity strategy prioritizes detection and analysis of and response to known, anticipated or unexpected threats, effective management of security risks and resilience against cyber incidents. Ares Management s enterprise-wide cybersecurity program is aligned to the National Institute of Standards and Technology Cybersecurity Framework. Ares Management s cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services, which include tools and services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. Ares Management has implemented and continues to implement risk-based controls designed to prevent, detect and respond to information security threats and we rely on those controls to help us protect our information, our information systems, and the information of our investors and other third parties who entrust us with their sensitive information. Ares Management s cybersecurity program includes physical, administrative and technical safeguards, as well as plans and procedures designed to help Ares prevent and timely and effectively respond to cybersecurity threats and incidents, including threats or incidents that may impact us, our investment adviser or our administrator. Ares Management s cybersecurity risk management process seeks to monitor cybersecurity vulnerabilities and potential attack vectors, evaluate the potential operational and financial effects of any threat and mitigate such threats. The assessment of cybersecurity risks, including those which may impact us, our investment adviser or our administrator, is integrated into Ares Management s Enterprise Risk Management program, which is overseen by the Ares Enterprise Risk Committee (the Ares Management ERC ), as discussed below. In addition, Ares Management periodically engages with third-party consultants and key vendors to assist it in assessing, enhancing, implementing and monitoring its cybersecurity risk management programs and responding to incidents. The Ares Management cybersecurity risk management and awareness programs include periodic identification and testing of vulnerabilities, regular phishing simulations and annual general cybersecurity awareness and data protection training including for employees of our investment adviser and our administrator. Ares Management also has annual certification requirements for employees, including employees who provide services to us pursuant to our investment advisory and management agreement and our administration agreement with respect to certain policies supporting the cybersecurity program including Ares Management s Information Security and Electronic Communications policy, Data Protection policy and Privacy Policy. Ares Management undertakes periodic internal security reviews of our information systems and related controls, including systems affecting personal data and the cybersecurity risks of Ares Management s and our critical third-party vendors and other partners. Ares Management also completes periodic external reviews of its cybersecurity program and practices, which include assessments of relevant data protection practices and targeted attack simulations. In the event of a cybersecurity incident impacting us, our investment adviser, or our administrator, Ares Management has developed an incident response plan that provides guidelines for responding to such an incident and facilitates coordination across multiple operational functions of Ares Management, including coordinating with the relevant employees of our investment adviser and our administrator. The incident response plan includes notification to the applicable members of cybersecurity leadership, including Ares Management s Chief Information Security Officer ( CISO ), and, as appropriate, escalation to the full Ares Management ERC and/or an internal ad-hoc group of senior employees, tasked with helping to manage the cybersecurity incident. Depending on their nature, incidents may also be reported to the audit committee or full board of directors of Ares Management, as well as to the Audit Committee (the Audit Committee ) of our Board of Directors (the Board ) and to our full Board, if appropriate. Material Impact of Cybersecurity Risks In the last three fiscal years, we have not experienced a material information security breach incident and the expenses we have incurred from information security breach incidents have been immaterial, and we are not aware of any cybersecurity 51 risks that are reasonably likely to materially affect our business. However, future incidents could have a material impact on our business strategy, results of operations or financial condition. For additional discussion of the risks posed by cybersecurity threats, see Item 1A. Risk Factors General Risk Factors Cybersecurity failures and data security incidents could adversely affect our business by causing a disruption to our operations, a compromise or corruption of our confidential, personal or other sensitive information and/or damage to our business relationships or reputation, any of which could negatively impact our business, financial condition and operating results. Oversight of Cybersecurity Risks Our cybersecurity program is managed by Ares Management s dedicated internal cybersecurity team, which is responsible for enterprise-wide cybersecurity strategy, policies, standards, engineering, architecture and processes. The team is led by Ares Management s CISO who has a Master s degree in Cybersecurity from Brown University and over 25 years of experience advising on and managing risks from cybersecurity threats as well as developing and implementing cybersecurity policies and procedures. The Ares Management CISO is also a member of the Ares Management ERC. The Ares Management ERC is a cross-functional committee that governs and oversees the Ares Management Enterprise Risk Program, including cybersecurity. The Ares Management ERC includes members of Ares Management s senior executive management, including its CEO, CFO, General Counsel, Global Chief Compliance Officer, Chief Information Officer, CISO, and Head of Enterprise Risk, who acts as chairperson of the Ares Management ERC. The Ares Management ERC, through regular consultation with the Ares Management internal cybersecurity team and employees of our investment adviser and administrator, assesses, discusses, and prioritizes Ares Management s approach to high-level risks, mitigative controls and ongoing cybersecurity efforts. The Audit Committee has primary responsibility for oversight and review of guidelines and policies with respect to risk assessment and risk management, including cybersecurity. Certain members of the Ares Management ERC periodically report to our Audit Committee as well as our full Board, as appropriate, on cybersecurity matters, primarily through presentations by the CISO and the Ares Management Head of Enterprise Risk. Such reporting includes updates on Ares Management s cybersecurity program as it impacts us, the external threat environment, and Ares Management s programs to address and mitigate the risks associated with the evolving cybersecurity threat environment. These reports also include updates on Ares Management s preparedness, prevention, detection, responsiveness and recovery with respect to cyber incidents.

Company Information