26North BDC, Inc. 10-K Cybersecurity GRC - 2024-03-08

Page last updated on April 11, 2024

26North BDC, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-08 13:09:28 EST.

Filings

10-K filed on 2024-03-08

26North BDC, Inc. filed an 10-K at 2024-03-08 13:09:28 EST
Accession Number: 0001193125-24-063364

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Company is externally managed by the Adviser and has no employees or internal information systems. Therefore, we rely on the cybersecurity strategy, expertise and policies provided and implemented by 26North, the indirect parent company of our Adviser and affiliate of our Administrator, as well as other service providers. Each of the Company, 26North and our industry generally is highly dependent on information systems and technology and as a result, could be prone to cybersecurity threats and attacks. In response, 26North maintains a cybersecurity program that includes policies and controls designed to mitigate cybersecurity risk. However, at any given time, we face known and unknown cybersecurity risks and threats that are not fully mitigated. As part of its overall risk management efforts, 26North has developed and implemented a cybersecurity risk management program (the RMP ) that applies to our business and operations. The RMP is designed to protect the confidentiality, integrity and availability of the critical systems involved in our business and the information stored in those systems. The RMP leverages a combination of standards and best practices from the National Institute of Standards and Technology Cybersecurity Framework, the International Organization for Standardization, and the Center for Internet Security, among others. 26North utilizes technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services, including from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. In addition, 26North has implemented and continues to implement risk-based controls designed to prevent, detect and respond to information security threats. Such controls help us and 26North protect our information, our information systems, and the information of our investors, and other third parties who entrust us with their sensitive information. 26North conducts annual cybersecurity awareness training for all employees and conducts quarterly phishing exercises to assess employee cybersecurity awareness. 26North also performs tabletop exercises and disaster 85 Table of Contents recovery tests to simulate a response to a cybersecurity incident, and uses the findings therefrom to improve practices, procedures, and technologies. 26North also assesses the risks from cybersecurity threats that impact our third-party service providers and has established oversight processes to identify and manage cybersecurity risks associated with the products or services we or 26North procure from such suppliers. An independent third-party also assesses and reports on 26North s internal incident response preparedness, adherence to best practices and industry frameworks, and compliance with applicable laws and regulations. The external independent third-party helps identify areas for continued focus and improvement. Finally, 26North carries cyber security insurance that provides a level of financial protection against the potential losses arising from a cybersecurity incident. However, there is no assurance that our insurance coverage will cover or be sufficient to cover all losses or claims that may result from a cybersecurity incident. 26North has also developed an incident response plan that provides guidelines for preparing for, responding to and recovering from cybersecurity incidents, and facilitates coordination across multiple operational functions. The incident response plan includes processes to triage, assess severity, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. The incident response plan includes notification to the applicable members of 26North s technology leadership team, including 26North s Chief Financial Officer ( CFO ) and Chief Technology Officer ( CTO ), and, as appropriate, escalation to an internal ad-hoc group of senior employees, tasked with helping to manage the cybersecurity incident. Depending on their nature, incidents may also be reported to the Risk Committee (as defined below) or the board of directors of 26North, as well as to our Chief Compliance Officer, the Audit Committee of our Board of Directors and to our full Board of Directors, if appropriate. Since our commencement of operations, we have not identified any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. Past or future incidents could have a material impact on our business strategy, results of operations, or financial condition. For additional information about these risks, see Item 1A. Risk Factors in this Annual Report. Our Board of Directors has overall responsibility for risk oversight and has primary responsibility for oversight and review of guidelines and policies with respect to risk assessment and risk management, including cybersecurity. The leadership team at 26North has delegated oversight of cybersecurity and related risks to a committee (the Risk Committee ). The Risk Committee is a cross-functional committee that governs and oversees the RMP. The Risk Committee includes members of 26North s senior executive team, including its CFO, CTO, Chief Compliance Officer and senior partners from 26North s legal, operations, finance, investment and strategy teams. The Risk Committee, will, through regular consultation with 26North s internal cybersecurity team assess, discuss, and prioritize the approach to high-level risks, mitigative controls, and ongoing cybersecurity efforts. Further, our Chief Compliance Officer works closely with 26North s CTO to monitor ongoing cybersecurity threats and provide regular updates to our Board of Directors. 26North s CTO regularly updates the full Risk Committee and oversees a team of dedicated professionals responsible for enterprise-wide cybersecurity strategy, policies, standards, engineering, architecture and processes. The CTO has a Bachelor of Science in Computer Engineering from the University of Virginia and 25 years of experience leading technology teams, maintaining IT infrastructure within financial services firms, and managing risks from cybersecurity threats as well as developing and implementing cybersecurity policies and procedures to mitigate these threats.

Company Information