Great Elm Capital Corp. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Great Elm Capital Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 07:25:30 EST.

Filings

10-K filed on 2024-02-29

Great Elm Capital Corp. filed an 10-K at 2024-02-29 07:25:30 EST
Accession Number: 0000950170-24-022642

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Processes and Risk Assessment We rely on the cybersecurity program implemented by GECM. In order to assess, identify and manage material risks from cybersecurity threats, GECM has implemented a cybersecurity program, which is focused on (i) protecting the confidentiality of business, client, fund investor and employee information; (ii) maintaining the security and availability of its systems and data; (iii) supporting compliance with applicable laws and regulations; (iv) documenting cybersecurity incidents and its responses; and (v) notification of cybersecurity incidents to, and communications with, appropriate internal and external parties. GECM has implemented an information security policy governing cybersecurity risk, which is designed to facilitate the protection of sensitive or confidential business, client, investor and employee information that it stores or processes and the maintenance of critical services and systems. These processes and systems are designed to protect against unauthorized access of information, including by cyber-attacks. GECM’s policies and processes include, as appropriate, encryption, data loss prevention technology, authentication technology, entitlement management, access control, anti-virus and anti-malware software, and transmission of data over private networks. GECM s processes and systems aim to prevent or mitigate two main types of cybersecurity risk: (1) cybersecurity risks associated with its physical and digital devices and infrastructure, and (2) cybersecurity risks associated with third parties, such as people and organizations who have access to its devices, infrastructure or confidential or sensitive information. This program is based on recognized industry standards and is supported by both management and our Board. This does not mean that we meet any particular technical standards, specifications, or requirements, but only that we use recognized industry standards as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. As a part of its cybersecurity program, GECM’s cybersecurity processes and systems are reviewed and assessed by third parties. These third parties assess and report on GECM s compliance with applicable laws and regulations and its internal incident response preparedness, including benchmarking to best practices and industry frameworks. These third parties also help identify areas for continued focus and improvement. Annual penetration testing of its network, including critical systems and systems that store confidential or sensitive information, is conducted with third-party consultants and vulnerabilities are reviewed by GECM’s Chief Operating Officer, IT Specialist and other 43 members of Company management (together, “Great Elm IT Management”) and third third-party consultants. In order to oversee and identify risks from cybersecurity threats associated with its use of third parties who will have access to sensitive data or client systems and facilities, GECM requires third parties to adhere to GECM’s cybersecurity requirements prior to accessing such data. In addition, GECM performs annual reviews of its critical vendors with the assistance of a third-party consultant to identify and assess the vendors security posture to reduce risk to the Company. GECM also provides its employees with cybersecurity awareness training at onboarding and annually, as well as interim security reminders and alerts. GECM s third-party consultants conduct regular phishing tests and provide additional training as appropriate. Governance and Oversight of Cybersecurity Risks GECM s cybersecurity program is managed by Great Elm IT Management. The members of the IT Management team collectively have years of experience helping to oversee the information technology infrastructure and processes at GECM and other asset managers. Great Elm IT Management is responsible for supervising and interfacing with providers to implement GECM s monitoring and alert response processes, vulnerability management, changes made to its critical systems, including software and network changes, and various other technological and administrative safeguards. GECM has also developed an incident response framework to monitor the prevention, detection, mitigation and remediation of cybersecurity events. This framework is managed and implemented by Great Elm IT Management, with support from their third-party consultants. Great Elm IT Management alongside the General Counsel and Chief Compliance Officer of GECM are responsible for gathering information with respect to cybersecurity incidents, assessing its severity and determining potential responses, as well as communicating with business leaders and senior management, as appropriate. Our Board of Directors has delegated the primary responsibility for oversight and review of guidelines and policies with respect to risk assessment and risk management to the Audit Committee, which includes oversight of risks related to cybersecurity threats. The Audit Committee and the Board, as appropriate, are informed about risks related to cybersecurity threats through periodic reports from GECM’s Chief Operating Officer. Such reporting includes updates on GECM s cybersecurity program, the external threat environment, and GECM s programs to address and mitigate the risks associated with the evolving cybersecurity threat environment. These reports also include updates on GECM s preparedness, prevention, detection, responsiveness and recovery with respect to cyber incidents, where applicable. Impact of Cybersecurity Risks As of the filing of this Form 10-K, we are not aware of any cyber-attacks that have occurred since the beginning of 2023 that have materially affected, or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. We acknowledge that we cannot eliminate all security risks within our organization, and we cannot guarantee that any undetected cybersecurity incidents have occurred. For additional information about these risks, see “Item 1A. Risk Factors” in this Annual Report on Form 10-K.

Company Information