Onex Falcon Direct Lending BDC Fund 10-K Cybersecurity GRC - 2024-03-06

Page last updated on April 11, 2024

Onex Falcon Direct Lending BDC Fund reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 13:04:58 EST.

Filings

10-K filed on 2024-03-06

Onex Falcon Direct Lending BDC Fund filed an 10-K at 2024-03-06 13:04:58 EST
Accession Number: 0000950170-24-026979

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy As an externally managed closed-end management investment company that has elected to be regulated as a BDC under the 1940 Act, our day-to-day operations are managed by the Adviser, Administrator and our executive officers under the oversight of our Board of Trustees. Our executive officers are senior professionals of the Adviser and Onex Corp. and each of the Adviser and Administrator is a subsidiary of Onex Corp. As such, we are reliant on Onex Corp. for assessing, identifying and managing material risks to our business from cybersecurity threats. Below are details Onex Corp. has provided to us regarding its cybersecurity program that are relevant to us. Onex Corp. has established a dedicated cybersecurity team which maintains a comprehensive firmwide cybersecurity program to protect its systems, operations and the information stored within. Onex Corp. s Audit, Nominating and Corporate Governance 74 Committee receives at minimum, quarterly cybersecurity updates from the Managing Director Enterprise Technology, who leads Onex Corp. s program and who works closely with senior management to develop and advance Onex s cybersecurity strategy. As part of Onex Corp. s ongoing cybersecurity operations, the cybersecurity team regularly conducts testing to identify vulnerabilities that could be exploited by attackers often using various automated tools as well as a managed service provider. The team examines and validates the cybersecurity program and cyber risk posture annually with third parties, measuring it against industry standards and established frameworks, such as the National Institute of Standards and Technology ( NIST ), Center for Internet Security and the International Organization for Standardization (ISO). Onex maintains a comprehensive Security Incident Response Policy, an Incident Response Plan, and Incident Response Playbooks to ensure that any non-routine events are properly investigated and escalated where necessary. On an annual basis, these plans, policies and processes are validated and practiced with senior executives and representatives from key areas of the firm through a cyber-incident tabletop simulation exercise. Onex Corp. engages with a Managed Security Services Provider (the MSSP ) who conducts vulnerability scanning and cyber threat intelligence on a weekly basis at minimum. Additionally, third-party cybersecurity consultants are engaged to perform penetration testing on a bi-annual basis. The findings are reviewed, prioritized and remediated in alignment with the recommendations from the external consultant. In addition to Onex Corp. s cybersecurity team s internal exercises to test aspects of its cybersecurity program, Onex Corp. periodically engages independent third parties to assess the risks associated with its information technology resources and information assets. Among other matters, these third parties analyze data on the interactions of users of enterprise information technology resources, including employees, and conduct penetration tests and scanning exercises to assess the performance of the cybersecurity systems and processes. Onex Corp. maintains a formal cybersecurity risk management process and cybersecurity risk register, designed to track cybersecurity risks at the firm, and integrates these processes into the firm s overall risk management practices described above. Onex Corp. s cybersecurity management team periodically discusses and reviews cybersecurity risks and related mitigants at its Cybersecurity Excellence Quarterly Forum. Onex Corp. employs a process designed to assess, typically prior to onboarding, the cybersecurity risks associated with the engagement of third-party vendors, including those of its externally managed companies such as us. This assessment is conducted on the basis of, among other factors, the types of services provided and the extent and type of data accessed or processed by a third-party vendor. On the basis of its preliminary risk assessment of a third-party vendor, Onex Corp. may conduct further cybersecurity reviews or request remediation of, or contractual protections related to, any actual or potential identified cybersecurity risks. In addition, where appropriate, Onex Corp. seeks to include in its contractual arrangements with certain of its third-party vendors provisions addressing best practices with respect to data and cybersecurity, as well as the right to assess, monitor, audit and test such vendors cybersecurity programs and practices. Onex Corp. also utilizes a number of digital controls, which are reviewed at least annually, to monitor and manage third-party access to its internal systems and data. For a discussion of how risks from cybersecurity threats affect our business, and our reliance on Onex Corp. and its affiliates in managing these risks, see I tem 1A. Risk Factors Risks Related to Our Business and Structure We may face a breach of our cyber security, which could result in adverse consequences to our operations and exposure of confidential information for a discussion of risks from cybersecurity threats. in this Annual Report on Form 10-K. Cybersecurity Governance Onex Corp. has a dedicated cybersecurity team, led by the Managing Director Enterprise Technology Services, who works closely with senior management, including Onex Corp. s Chief Financial Officer, to develop and advance the firm s cybersecurity strategy, which applies to us. The Managing Director Enterprise Technology and Manager, Cybersecurity have extensive experience in technology and cybersecurity, respectively. The cybersecurity team of Onex Corp. is responsible for all aspects of cyber and physical security across Onex Corp. The cybersecurity team of Onex Corp. is headed by the Managing Director Enterprise Technology who has 18 years of IT experience across financial services, healthcare and manufacturing industries in Canada including as the VP Financial Crimes and Enterprise Risk Technology at CIBC that provided cybersecurity platforms and services to protect the bank. Reporting to the Managing Director Enterprise Technology, is the Manager, Cybersecurity who has over 15 years of experience in cybersecurity including Incident Readiness and Response, Strategy, GRC, Vulnerability and Threat Management, Business Continuity, Disaster Recovery. The Manager, Cybersecurity also has a BSc in Business Information Systems, and a Cybersecurity Bootcamp Certification from the University of Toronto. Reporting to the Manager, Cybersecurity is an IT Security Analyst who has over 5 years of experience in cybersecurity, including Digital Forensics, Identity and Access Management, Third-Party Risk Management. The IT Security 75 Analyst also has a BSc in Forensic Science, an MSc in Information Security and Digital Forensics, and is currently pursuing a PHD in Information Systems and Design. Onex Corp. conducts periodic cybersecurity risk assessments, including assessments or audits of third-party vendors, and assists with the management and mitigation of identified cybersecurity risks. The cybersecurity team of Onex Corp. reviews the cybersecurity framework annually as well as on an event-driven basis as necessary. Onex Corp. s cybersecurity team and Onex Corp. s MSSP also review the scope of the cybersecurity measures periodically, including in the event of a change in business practices that may implicate the security or integrity of Onex Corp. s and its affiliates information and systems. Our Board is responsible for understanding the primary risks to our business. The Board is responsible for reviewing periodically our and the Adviser s information technology security controls and related compliance matters, with management. Onex Corp. s cybersecurity team reports to the Board at least annually on cybersecurity matters, including risks facing us and the Adviser and, as applicable, certain incidents. In addition to such periodic reports, the Board or a committee thereof may receive updates from management as to our and the Adviser s cybersecurity risks and Onex Corp. s cybersecurity program developments. Impact of Cybersecurity Risks In 2023, we did not experience a material cybersecurity incident. While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, we describe whether and how future incidents could have a material impact on our business strategy, results of operations or financial condition in Risks Related to Our Business and Structure We may face a breach of our cyber security, which could result in adverse consequences to our operations and exposure of confidential information.

Company Information