RAND CAPITAL CORP 10-K Cybersecurity GRC - 2024-03-05

Page last updated on April 11, 2024

RAND CAPITAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-05 07:31:16 EST.

Filings

10-K filed on 2024-03-05

RAND CAPITAL CORP filed a 10-K at 2024-03-05 07:31:16 EST
Accession Number: 0000950170-24-025396


Item 1C. Cybersecurity.

Assessment, Identification and Management of Material Risks from Cybersecurity

We recognize the importance of maintaining cybersecurity measures to safeguard our information systems and to protect the confidentiality and availability of information located on our information systems. Given this importance, we have integrated the consideration of operational risks related to cybersecurity into our enterprise risk management program, which is reviewed and updated annually and the results of this review are presented to the Board. Given the size and scope of our operations, RCM and our officers use a third-party IT service provider to assist the Corporation in assessing, identifying and managing the material risks from cybersecurity threats to the Corporation and in administering our IT systems. We believe that our third-party IT service provider has sufficient knowledge, experience and capabilities to effectively assist the Corporation on cybersecurity matters.

The Corporation's cybersecurity risk management systems processes, which are formalized in the Corporation's cybersecurity risk management policy, include security controls, monitoring systems, tools and related services, and oversight from each of RCM, our officers and our third-party IT service provider in assessing, identifying and managing risks from cybersecurity threats. The Corporation, through our third-party IT service provider, has implemented and expects to continue to implement risk-based controls designed to prevent, detect and respond to information security threats. We rely on these controls to help us protect our information, our information systems, and the information of third parties who entrust us with their sensitive information.

The Corporation's cybersecurity risk management policies include physical, administrative and technical safeguards, as well as plans and procedures designed to help the Corporation seek to prevent and effectively respond to cybersecurity threats and incidents, including threats or incidents that may impact us or RCM. In addition, our cybersecurity risk management programs include periodic identification and testing of our vulnerabilities and cybersecurity awareness training. Finally, our Chief Compliance Officer conducts an annual due diligence review, including as to cybersecurity matters, of those third-party service providers that have possession of the Corporation's material non-public information and reports the results of those assessments to the Board.

In the event of a cybersecurity incident impacting us, the Corporation's cybersecurity risk management policy provides processes for responding to such an incident and facilitates coordination among the Corporation's officers and our third-party IT service provider. Depending on the nature of the incident, it may also be reported to the Board, if appropriate.

Material Impact of Cybersecurity Risks

In the last three fiscal years, we have not experienced a material information security breach incident, and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, future incidents could have a material impact on our business strategy, results of operations or financial condition. For additional discussion of the risks posed by cybersecurity threats, see "Item 1A. Risk Factors - Risks related to our Business and Structure - We are subject to cybersecurity risks and incidents that may adversely affect our operations, the operations of RCM or the companies in which we invest. A failure in our, or RCM's, cybersecurity systems could impair our ability to conduct business and damage our business relationships, compromise or corrupt our confidential information and ultimately negatively impact business, financial condition and operating results."

Oversight of Cybersecurity Risks

Our cybersecurity program is managed by the officers of Rand and RCM, and is primarily administered by our experienced third-party IT service provider. The officers of Rand and our third-party IT service provider are in regular communications as a means to discuss and determine actions to be taken by the Corporation with respect to our ongoing cybersecurity risk mitigation efforts.

The Board, as a whole, rather than any committee of the Board, has responsibility for oversight and review of cybersecurity matters with respect to the Corporation, including the risks from cybersecurity threats to the Corporation. Our Chief Compliance Officer reports to the Board on a semi-annual basis, or more frequently if necessary, on cybersecurity matters and developments applicable to the Corporation. In addition, the Board also receives periodic reports from the Corporation's third-party IT service provider. These reports, whether from the Chief Compliance Officer or the Corporation's third-party IT service provider, include updates on the Corporation's cybersecurity programs, the external threat environment, and the Corporation's programs and processes to address and mitigate the risks associated with the evolving cybersecurity threat environment. In addition, these reports also include updates on the Corporation's overall IT systems and capabilities and the Corporation's business continuity plan that may need to be activated if a material cybersecurity incident involving the Corporation were to occur.

In the event of a material cybersecurity incident, our Chief Compliance Officer would make a report to the Board regarding the event, and the Board would engage in oversight responsibility with respect to the Corporation's response to such event.


Company Information

Name: RAND CAPITAL CORP
CIK: 0000081955
SIC Description:
Ticker: RAND - Nasdaq
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30