Bain Capital Specialty Finance, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Bain Capital Specialty Finance, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 17:04:09 EST.

Filings

10-K filed on 2024-02-27

Bain Capital Specialty Finance, Inc. filed a 10-K at 2024-02-27 17:04:09 EST
Accession Number: 0000950170-24-021337


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company has processes in place to assess, identify, and manage material risks from cybersecurity threats. The Company relies on the cybersecurity strategy and policies implemented by Bain Capital, the parent of the Advisor and Administrator, which apply to the Company and its operations.

Bain Capital has adopted and implemented an Information and Cybersecurity Program ("Cybersecurity Program") that prioritizes detection and analysis of and response to cybersecurity threats, management of security risks and resilience against cyber incidents, including those that may impact the Company. The Cybersecurity Program aligns with National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and is reviewed and adjusted as needed and is approved by the Bain Capital's Chief Information Security Officer ("CISO").

Bain Capital's Cybersecurity Program includes physical, administrative and technical safeguards, as well as plans and procedures designed to help prevent and respond to cybersecurity threats and incidents, including threats or incidents that may impact the Company, the Advisor or the Administrator. Bain Capital's cybersecurity risk management processes, which are part of Bain Capital's overall risk management system, seek to monitor cybersecurity vulnerabilities and potential attack vectors, evaluate the potential operational and financial effects of any threat and mitigate such threats. The assessments of cybersecurity risks, including those which may impact the Company, the Advisor, or the Administrator, are reported to the Bain Capital Credit Risk Oversight Committee ("ROC") for awareness, review or action, as appropriate. In addition, the Company relies on Bain Capital to periodically engage with third-party consultants and key vendors to assist it in assessing, enhancing, implementing and monitoring its cybersecurity risk management processes and responding to incidents.
Internal and external networks, including the networks on which the Company relies, are assessed for vulnerabilities. Bain Capital also engages with independent third parties to conduct relevant technical assessments. Bain Capital seeks to remain aware of the evolving global threat landscape through vendor relationships, partnerships with threat intelligence providers and membership of industry forums/groups, as well as research performed by members of the Information Security Team. Bain Capital is currently an active member of the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Alternative Investment ISAC.

Bain Capital provides information security awareness training to employees, and function-specific security training is also provided (where appropriate based on job function). Bain Capital also engages in phishing campaigns.

The Company depends on and engages various third parties, including suppliers, vendors, and service providers, to operate its business. The Company relies on Bain Capital's Vendor Risk Management Program in conjunction with a Third Party Risk Management (TPRM) steering committee to assess risks posed when engaging with external vendors and/or third parties, including identifying and overseeing risks from cybersecurity threats associated with the Company's use of such entities.

In the event of a cybersecurity incident impacting the Company, the Advisor has developed an incident response plan that provides guidelines for responding to such an incident and facilitates coordination across multiple operational and risk functions of Bain Capital, which may include coordinating with the relevant employees of the Advisor and management of the Company. The incident response plan includes notification to the applicable members of cybersecurity leadership, including Bain Capital's CISO, and, as appropriate, escalation to other relevant individuals.
Management of the Company is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents impacting the Company, including through the receipt of notifications from service providers and reliance on communications with Bain Capital's CISO, as well as other risk management, legal, information technology, and/or compliance personnel of Bain Capital.

Material Impact of Cybersecurity Risks

During the reporting period, we have not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that the Company believes have materially affected, or that are reasonably likely to materially affect the Company, including our business strategy, operational results, and financial condition. However, future incidents could have a material impact on our business strategy, results of operations or financial condition. For additional discussion of the risks posed by cybersecurity threats, see "Item 1A. Risk Factors - General Risk Factors - We are highly dependent on information systems, and systems failures or cyber-attacks could significantly disrupt our business, which may, in turn, negatively affect the value of our Common Shares and our ability to pay distributions."

Governance

The Company's Board of Directors ("Board") provides strategic oversight on cybersecurity matters, including risks associated with cybersecurity threats. The Board receives periodic updates from the Company's Chief Compliance Officer ("CCO"), which incorporates updates provided by Bain Capital's CISO regarding the overall state of the Cybersecurity Program, information on the current threat landscape, and risks from cybersecurity threats and cybersecurity incidents potentially impacting the Company.
Bain Capital's CISO and Information Security Team are responsible for the Cybersecurity Program applicable to the Company and, along with the Company's CCO, are responsible for assessing and managing material risks from cybersecurity threats that impact the Company. The CCO of the Company oversees the Company's oversight function generally and relies on Bain Capital's CISO to assist with assessing and managing material risks from cybersecurity threats. The Company's CCO has been responsible for this oversight function as CCO to the Company for 9 years and has more than 13 years' experience in information security, during which time the CCO has gained expertise in assessing and managing risk applicable to the Company.

Members of Bain Capital's management also possess relevant expertise in various disciplines that are key to effectively managing such risks, such as extensive experience in managing compliance risks in the financial sector, including those related to cybersecurity. Bain Capital's CISO has deep expertise in cybersecurity, holding the CISSP certification and having completed an Executive Master's in Cyber Security from Brown University and having received a Chief Risk Officer Certificate from Carnegie Mellon. Members of Bain Capital's Information Security Team hold various industry certifications and regularly attend trainings and industry conferences


Company Information

Name: Bain Capital Specialty Finance, Inc.
CIK: 0001655050
SIC Description:
Ticker: BCSF - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30