OHA Senior Private Lending Fund (U) LLC 10-K Cybersecurity GRC - 2024-03-13

Page last updated on April 11, 2024

OHA Senior Private Lending Fund (U) LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-13 16:45:58 EDT.

Filings

10-K filed on 2024-03-13

OHA Senior Private Lending Fund (U) LLC filed an 10-K at 2024-03-13 16:45:58 EDT
Accession Number: 0001955010-24-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Company has processes in place to assess, identify, and manage material risks from cybersecurity threats. The Company s business is dependent on the communications and information systems of the Adviser and other third-party service providers. The Adviser manages the Company s day-to-day operations and has implemented a cybersecurity program that applies to the Company and its operations. The Adviser has a holistic firm-wide approach to risk management including cyber risk. OHA s risk management activities are designed to identify, assess, report, and manage risks that could affect the firm and the Company in achieving their objectives and goals. This risk management framework operates across the Adviser s business lines and includes business operational resiliency and technology related risks, such as cybersecurity. The Company relies on the Adviser to identify risks inherent to cybersecurity, estimate the significance of such risks, assess the likelihood of their occurrence, and implement appropriate measures to mitigate and monitor those risks. As part of this risk identification and assessment framework, key cybersecurity risks applicable to the Company are identified and assessed for adequacy of controls. The Adviser s management identifies risk inherent to cybersecurity, estimates the significance of the risks, assesses the likelihood of their occurrence, and implements appropriate measures to mitigate and monitor those risks. The information security team at OHA has a diverse and well-rounded skillset, and various tools are deployed to monitor and manage OHA s security continuously across a variety of threat scenarios and attack vectors. The team is integrated within the technology organization and liaises with business units, compliance, legal, and technology functions to maintain a security-conscious culture across the business. OHA s Chief Information Security Officer is a standing member of OHA s technology leadership and Risk Committee and provides regular reporting on risks and mitigation programs. OHA has a documented Information Security Incident Response Plan, outlining responsibilities and requirements for remediation and escalation of incidents to internal and external parties. OHA s process is designed to investigate incidents efficiently, isolate the problem, remediate the disruption, communicate with the affected parties as appropriate, identify the root cause, and recommend improvements to mitigate risk. The Company relies on the Adviser to implement internal controls to manage cybersecurity risk. The Adviser is responsible for deploying preventive and detective security controls, maintaining information security policies, standards, and guidelines, and working with key technology and corporate stakeholders to enforce and monitor ongoing adherence to 57 Table of Contents security controls. The Chief Information Security Officer periodically reviews the Adviser s cybersecurity program, strategy, and operational results with OHA s Risk Committee which is comprised of senior members of OHA management, as well as with the Board of Managers of the Company ( Board ) annually. This is designed to properly manage cybersecurity risks and to ensure that our enterprise-wide cybersecurity program is aligned with the business needs. The Adviser s cybersecurity program includes regular assessments on the effectiveness of risk management processes and mitigation strategies applicable to the Company. Assessments include internal reviews carried out by Adviser s experienced professionals and consultants. In addition, the Company relies on the Adviser to periodically engage with third-party partners to evaluate cybersecurity measures and risk management processes applicable to the Company, including to perform external network penetration testing on networks on which the Company relies. This complements the Adviser s internal assessments such as application security testing and vulnerability scanning. OHA participates in various industry threat intelligence information sharing forums to stay current on new and evolving cyber risks. The Company depends on and engages various third parties, including suppliers, vendors, and service providers, to operate its business. The Company relies on the expertise of the business, compliance, legal, and/or technology functions of the Adviser when identifying and overseeing risks from cybersecurity threats associated with our use of such entities. For example, within the Adviser s procurement process, vendor assessments, including information security reviews, are performed at onboarding as appropriate. Ongoing monitoring is also performed as appropriate. Company Board Oversight of Cybersecurity Risks The Board provides strategic oversight on cybersecurity matters, including risks associated with cybersecurity threats. The Board receives periodic updates from the Company s Chief Compliance Officer and the Adviser s Chief Information Security Officer regarding the overall st ate of the Adviser s cybersecurity program, information on the current threat landscape, and risks from cybersecurity threats and cybersecurity incidents impacting the Company. Company Management’s Role in Cybersecurity Risk Management The Company s management, including the Company s CCO, and the Chief Information Security Officer of the Adviser, manage the Company s cybersecurity program. The CCO of the Company oversees the Company s risk management function generally and relies on the Adviser s CISO to assist with assessing and managing material risks from cybersecurity threats. The CISO has 15 years of experience in actively managing cybersecurity and information security programs for financial services companies with complex information systems. The CCO has been responsible for this oversight function as CCO to the Company since 2022 and has worked in the financial services industry for 18 years, during which the CCO has gained expertise in assessing and managing risk applicable to the Company. Assessment of Cybersecurity Risk The potential impact of risks from cybersecurity threats on the Company are assessed on an ongoing basis, and how such risks could materially affect the Company s business strategy, operational results, and financial condition are regularly evaluated. During the reporting period, the Company has not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that the Company believes have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, operational results, and financial condition.

Company Information