VISTA CREDIT STRATEGIC LENDING CORP. 10-K Cybersecurity GRC - 2024-03-08

Page last updated on July 16, 2024

VISTA CREDIT STRATEGIC LENDING CORP. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-08 14:35:07 EST.


10-K filed on 2024-03-08

VISTA CREDIT STRATEGIC LENDING CORP. filed a 10-K at 2024-03-08 14:35:07 EST
Accession Number: 0001628280-24-009900


Item 1C. Cybersecurity.

Cybersecurity Strategy and Risk Management

At Vista Credit Strategic Lending Corp., we recognize the importance of assessing, identifying and managing risks associated with cybersecurity threats. These risks include operational risks, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy or security laws, and other litigation and legal, financial and reputational risks.

We rely on the cybersecurity strategy and policies implemented by Vista, the parent of our Adviser. Vista maintains, and we rely on, a comprehensive cybersecurity program that is aligned to the National Institute of Standards and Technology’s Cybersecurity Framework as part of its enterprise risk management program, including physical and digital technologies and administrative, operational, and technical controls, to aid in efforts to identify, assess and manage cybersecurity risks. The program is designed to provide for the availability of critical data and systems, maintain regulatory compliance, manage material risks from cybersecurity threats and to protect against, detect and respond to cybersecurity incidents. Among other things, the program includes a risk management framework; controls designed to monitor our digital infrastructure and detect and alert to suspicious, anomalous, and/or malicious behavior and indicators of potential cybersecurity threats; regular scanning of our networks and systems to triage and manage any potentially exploitable vulnerabilities; regular tabletop exercises to test our incident response and business continuity and disaster recovery preparedness; and annual Information Security Awareness training for employees.

Vista has an Incident Response Plan which guides the actions to be taken in the event of a suspected or confirmed cybersecurity incident. The plan includes processes to triage, investigate, contain, and remediate the incident, and is designed to enable compliance with applicable legal and regulatory obligations and mitigation of financial and reputational damage. The Incident Response Plan includes notification to the applicable members of cybersecurity leadership, including Vista’s Chief Information Officer (“Vista CIO”), and, as appropriate, escalation to an internal ad-hoc group of senior employees, tasked with helping to manage the cybersecurity incident. Depending on the nature of the incident, the incident may also be reported to Vista’s Executive Committee, as well as to our Audit Committee and to our full Board, if appropriate.

Vista also maintains a Business Continuity Plan, which provides procedures for maintaining the continuity of critical business processes in the event of business interruption, including any that involve cybersecurity incidents which may materially impact operations.

Vista engages with independent assessors and other third parties to validate security controls, standards, and policies, conduct annual penetration tests of networks and systems to identify threats and vulnerabilities, and assist with forensic analysis of material cybersecurity incidents. In addition, to identify and assess material risks from cybersecurity threats, Vista’s enterprise risk professionals collaborate with subject matter specialists, the Vista CIO, and Vista’s Chief Compliance Officer (“Vista CCO”), Vista’s Chief Operating Officer and Vista’s Chief Legal Officer, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity and potential mitigations.

These processes are also designed to address cybersecurity threats associated with the use of third-party providers. When selecting third-party service providers, associated cybersecurity threats are assessed, and, in addition, ongoing cybersecurity risk assessments of third-party service providers are conducted. These third-party service providers are also required to provide notifications of material breaches that may impact Vista’s data. Vista incorporates the cybersecurity risk coordination and assessment of third-party service providers into the overall cybersecurity program and enterprise-wide risk management.

We are not aware of any material cybersecurity incidents that have impacted us. However, Vista is aware that similar institutions, as well as its employees, service providers and other third parties, have experienced a significant increase in information security and cybersecurity threats in recent years and will likely continue to be the targets of increasingly sophisticated cyber-attacks. We described whether and how risks from identified cybersecurity threats are reasonably likely to materially affect us, including our business strategy and results of operations, under the heading “We are dependent on information systems and systems failures could significantly disrupt our business, which may, in turn, negatively affect our liquidity, financial condition or results of operations”, included in Item 1A of this Form 10-K, which is incorporated by reference herein.

Cybersecurity Governance

Cybersecurity is an important part of Vista’s enterprise risk management processes and an area of focus for the Board of Directors and management for both Vista and us. These cybersecurity risk management and strategy processes are overseen by the Data Privacy and Information Risk Committee (the “DPIRC”). The DPIRC is co-chaired by the Vista CCO and Vista CIO, with members including senior representatives from Vista’s Information Security, Legal, and Human Resources departments. The Vista CIO has extensive experience in cybersecurity and technology. The Vista CIO was appointed in 2017 and has over 20 years of cybersecurity, information security, and technology services and innovation experience.

The DPIRC is responsible for implementing, reviewing and revising cybersecurity policies and directives, as well as overseeing the protection, detection and response capabilities of cybersecurity resources. In addition, the DPIRC promotes, endorses and validates Vista’s cybersecurity risk posture, reviews industry best-practices, provides strategic direction for cybersecurity matters and oversees cybersecurity training programs. The DPIRC is informed about and monitors the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, Vista’s cybersecurity risk program and the operation of the Incident Response Plan and Business Continuity Plan and works in coordination with Vista’s internal information technology departments to, among other things, implement, review and revise the policies underlying its cybersecurity program. Additionally, Vista’s Enterprise Risk Committee receives quarterly information security updates from the Vista CIO.

The Board is responsible for the oversight of risks, including from cybersecurity threats. At least annually, the Vista CIO provides the Board with an overview of Vista’s cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, and the Incident Response Plan, as well as the steps taken to respond to such risks. Material cybersecurity threat risks are also considered during Board meeting discussions of matters such as enterprise risk management, operational budgeting, business continuity planning, brand management and other relevant matters.

Company Information

SIC Description
Emerging growth company
Fiscal Year End: December 30