SL Investment Corp. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

SL Investment Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 16:45:52 EST.

Filings

10-K filed on 2024-03-07

SL Investment Corp. filed an 10-K at 2024-03-07 16:45:52 EST
Accession Number: 0001825590-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy The Company and the broader financial services industry face an increasingly complex and evolving threat environment. Morgan Stanley has made and continues to make substantial investments in cybersecurity and fraud prevention technology, and employ experienced talent to lead its Cybersecurity and Information Security organizations and program under the oversight of Morgan Stanley s Board of Directors (the MS Board ) and the Operations and Technology Committee of the MS Board ( BOTC ). As part of its enterprise risk management ( ERM ) framework, Morgan Stanley has implemented and maintains a program to assess, identify, and manage risks arising from the cybersecurity threats confronting the Firm ( Cybersecurity Program ). Morgan Stanley s Cybersecurity Program helps protect the Firm s clients, customers, employees, property, products, services, and reputation by seeking to preserve the confidentiality, integrity, and availability of information, enable the secure delivery of financial services, and protect the business and the safe operation of our technology systems, including as applicable to the Company and its stockholders. Morgan Stanley continually adjusts its Cybersecurity Program to address the evolving cybersecurity threat landscape and comply with extensive legal and regulatory expectations. The Adviser and the Administrator manage the Company s day-to-day operations, and the Company uses the Cybersecurity Program to assess, identify and manage material cybersecurity risks affecting the Company and its operations. The Company s business is dependent on the communications and information systems of Morgan Stanley, including but not limited to the Cybersecurity Program, and other third-party service providers. Processes for assessing, identifying, and managing material risks from cybersecurity threats 61 Table of Contents Morgan Stanley s Cybersecurity Program takes into account industry best practices and addresses risks from cybersecurity threats to the Firm s network, infrastructure, computing environment, and the third-parties Morgan Stanley relies on, including third parties relied on by the Company. Morgan Stanley periodically assesses the design of its cybersecurity controls against the Cyber Risk Institute Cyber Profile, which is based on the National Institute of Standards and Technology Cybersecurity ( NIST ) Framework for Improving Critical Infrastructure Cybersecurity, as well as against global cybersecurity regulations, and develops improvements to those controls in response to those assessments. Morgan Stanley s Cybersecurity Program also includes cybersecurity and information security policies, procedures, and technologies that are designed to address regulatory requirements and protect Morgan Stanley s clients , employees and own data, and the data of the Company and its officers and stockholders, against unauthorized disclosure, modification, and misuse. These policies, procedures, and technologies cover a broad range of areas, including: identification of internal and external threats, access control, data security, protective controls, detection of malicious or unauthorized activity, incident response, and recovery planning. Morgan Stanley s threat intelligence function within the Cybersecurity Program actively engages in private and public information sharing communities and leverages both commercial and proprietary products to collect a wide variety of industry and governmental information regarding the latest cybersecurity threats, which informs Morgan Stanley s cybersecurity risk assessments and strategy, including as applicable to the Company. This information is also provided to an internal Morgan Stanley forensics team, which develops and implements technologies designed to help detect these cybersecurity threats across Morgan Stanley s environment, including systems and applications that may be relied upon by the Company. Where a potential threat is identified in Morgan Stanley s environment or which impacts the Company, Morgan Stanley s incident response team evaluates the potential impact to the Firm and, as relevant, the Company, and coordinates remediation where required. These groups, as well as Morgan Stanley s Operational Risk Department, review external cybersecurity incidents that may be relevant to the Firm and the Company, and the outcomes of these incidents further inform the design of the Cybersecurity Program. In addition, Morgan Stanley maintains a robust global training program on cybersecurity risks and requirements and conducts regular training exercises for its employees and consultants, including those personnel relied upon by the Company. Morgan Stanley s processes are designed to help oversee, identify, and mitigate cybersecurity risks associated with its use of third-party vendors, including those vendors relied upon by the Company. Morgan Stanley maintains a third-party risk management program that includes evaluation of, and response to, cybersecurity risks at its third-party vendors, including those vendors relied upon by the Company. Prior to engaging third-party vendors to provide services to the Firm or the Company, Morgan Stanley conducts assessments of the third-party vendors cybersecurity program to identify the impact of their services on the cybersecurity risks to the Firm or, as relevant, the Company. Once on-boarded, third-party vendors cybersecurity programs are subject to risk-based oversight, which may include security questionnaires, submission of independent security audit reports or a Firm audit of the third-party vendor s security program, and, with limited exceptions, third-party vendors are required to meet Morgan Stanley s cybersecurity standards. Where a third-party vendor cannot meet those standards, its services, and the residual risk to the Firm, are subject to review, challenge, and escalation through Morgan Stanley s risk management processes and ERM committees, which may ultimately result in requesting increased security measures or ceasing engagement with such third-party vendor. Morgan Stanley s Cybersecurity Program is regularly assessed by the Morgan Stanley Internal Audit Department ( IAD ) through various assurance activities, with the results reported to the Audit Committee of the MS Board ( BAC ) and the BOTC and, as applicable to the Board of Directors of the Company. Annually, certain elements of the Cybersecurity Program are subject to an audit by an independent consultant, as well as an assessment by a separate, independent third-party, the results of which, including opportunities identified for improvement and related remediation plans, are reviewed with the BOTC. The Cybersecurity Program is also examined regularly by the Firm s prudential and conduct regulators within the scope of their jurisdiction. Governance Morgan Stanley and Company Management s role in assessing and managing material risks from cybersecurity threats Morgan Stanley s Cybersecurity Program is operated and maintained by its management, including the Chief Information Officer ( CIO ) of Cyber, Data, Risk and Resilience and the Chief Information Security Officer ( CISO ). These senior officers are responsible for assessing and managing the Firm s cybersecurity risks, which includes cybersecurity risks faced by the Company. Morgan Stanley s Cybersecurity Program strategy, which is set by the CISO and overseen by the Morgan Stanley s Head of Operational Risk, is informed by various risk and control assessments, control testing, external assessments, threat intelligence, and public and private information sharing. Morgan Stanley s Cybersecurity Program also includes processes for escalating and considering the materiality of incidents that impact the Firm and the Company, including escalation to senior management of Morgan Stanley, the MS Board, and management of the Company. Those processes are periodically tested through tabletop exercises. The Chief Compliance Officer ( CCO ) of the Company is responsible for overseeing the Company s risk management function and generally and relies on the CIO, CISO, and Head of Operational Risk to assist with assessing and managing material risks from cybersecurity threats that are applicable to the Company. The CIO has over 30 years of experience in various engineering, information 62 Table of Contents technology ( IT"), operations, and information security roles. The CISO has over 25 years of experience leading cybersecurity teams at financial institutions, including in the areas of IT strategy, risk management, and information security. The Head of Operational Risk has over 20 years of experience in technology, security, and compliance roles, including experience in government security agencies. The Company’s CCO has worked in the financial services industry for 19 years and has covered business developments from a compliance perspective for over 10 years, during which time the Company s CCO has gained expertise in assessing and managing risk applicable to the Company. Risk levels and mitigating measures are presented to and monitored by dedicated management-level cybersecurity risk committees at Morgan Stanley. These committees include representatives from Firm management as well as business and control stakeholders who review, challenge and, where appropriate, consider exceptions to the Firm s policies and procedures. Significant cybersecurity risks are escalated from these committees to Morgan Stanley s Non-Financial Risk Committee. The CIO and the Head of Operational Risk report on the status of Morgan Stanley s Cybersecurity Program, including significant cybersecurity risks; review metrics related to the program; and discuss the status of regulatory and remedial actions and incidents to the Firm Risk Committee, the BOTC and the MS Board. To the extent any cybersecurity incidents relate to the Company, the status of such incidents and remedial actions will be reported to our Board. Board oversight of risks from cybersecurity threats Our Board provides strategic oversight on cybersecurity matters, including risks associated with cybersecurity threats. Our Board receives periodic updates from the CCO of the Company, the CIO, the CISO, and the Head of Operational Risk, regarding the overall state of Morgan Stanley s Cybersecurity Program, information on the current threat landscape, and risks from cybersecurity threats and cybersecurity incidents impacting the Company. Assessment of Cybersecurity Risk The potential impact of risks from cybersecurity threats on the Company are assessed on an ongoing basis, and how such risks could materially affect the Company s business strategy, operational results, and financial condition are regularly evaluated. During the fiscal year ended December 31, 2023, the Company has not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that the Company believes have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, operational results, and financial condition.

Company Information