Franklin BSP Capital Corp 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

Franklin BSP Capital Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 17:10:39 EDT.

Filings

10-K filed on 2024-03-15

Franklin BSP Capital Corp filed an 10-K at 2024-03-15 17:10:39 EDT
Accession Number: 0001825248-24-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Management and Board Oversight Our Board of Directors oversees risk management for the Company, including through its approval of the investment policy and other policies of the Company and its oversight of the Adviser. For certain risks, our Board of Directors has delegated oversight responsibilities to committees of our Board of Directors. For example, the Nominating and Corporate Governance Committee assists our Board of Directors with assessing risks associated with conflicts of interest. Cybersecurity risk management is integrated into this broader risk management framework. Our Board of Directors has delegated to the Audit 57 Committee oversight of management s programs and policies to identify, assess, manage, mitigate and monitor significant business risks of the Company, including privacy, information technology and cybersecurity risks. Information Technology and Cybersecurity Risks We have no employees and rely on the Adviser, a wholly-owned subsidiary of Franklin Templeton, to manage our day-to-day operations pursuant to the Advisory Agreement. Therefore, we rely heavily on Franklin Templeton s information systems and its program for defending against and responding to cybersecurity threats and incidents. Franklin Templeton maintains a robust cybersecurity defense program, including a dedicated cybersecurity team led by its Chief Security Officer ( CISO ). The CISO, who reports directly to the Franklin Templeton Executive Vice President and Chief Risk and Transformation Officer, has 28 years of experience in the information technology and cybersecurity field and has been at Franklin Templeton for 12 years. In addition, the CISO provides regular briefings for our Board of Directors and senior officers of the Company on cybersecurity matters, including on threats, events, and program enhancements. The Chief Compliance Officer of the Company also provides periodic updates to our Board of Directors and senior officers of the Company on cybersecurity threats and material risks from cybersecurity threats with respect to the Company. In the event of an incident which jeopardizes the confidentiality, integrity, or availability of the information technology systems the Adviser uses to provide services to us pursuant to the Advisory Agreement, Franklin Templeton s cybersecurity team utilizes a regularly updated cybersecurity incident response plan that was developed based on, and is periodically benchmarked to, applicable third-party cybersecurity standards and frameworks. Pursuant to that plan and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting obligations associated with the incident and performing post-incident analysis and program improvements. While the particular personnel assigned to an incident response team will depend on the particular facts and circumstances, the response team is led by the CISO or their delegee. In addition, senior officers of the Company have implemented a Company policy that supplements the Franklin Templeton incident response plan with respect to cybersecurity incidents that have or may impact the Company, including by impacting the Adviser s ability to provide services to the Company pursuant to the Advisory Agreement. Pursuant to this policy, the Adviser and Franklin Templeton are required to notify and update the Company s senior officers and our Audit Committee with respect to certain matters related to cybersecurity incidents specified under the policy. The Audit Committee oversees, on behalf of our Board of Directors, the Company s privacy, information technology and security and cybersecurity risk exposures, including (i) the potential impact of those exposures on the Company s business, financial results, operations and reputation, (ii) the programs and steps implemented by management to monitor and mitigate any exposures, (iii) the Company s information governance and information security policies and programs, and (iv) major legislative and regulatory developments that could materially impact the Company s privacy, data security and cybersecurity risk exposure. On a quarterly basis, the CISO or their delegee report to our Board of Directors or Audit Committee on information technology and cybersecurity matters, including a detailed threat assessment relating to information technology risks. Processes for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats The Franklin Templeton cybersecurity program focuses on (1) preventing and preparing for cybersecurity incidents, (2) detecting and analyzing cybersecurity incidents, and (3) containing, eradicating, recovering from and reporting cybersecurity events. The Company has a policy that supplements the Franklin Templeton cybersecurity incident response plan and addresses reporting and disclosure considerations related to a cybersecurity incident. Prevention and Preparation Franklin Templeton undertakes regular internal and external security audits and vulnerability assessments to reduce the risk of a cybersecurity incident and they implement business continuity, contingency and recovery plans to mitigate the impact of an incident. As part of these efforts, Franklin Templeton periodically engages consultants to conduct external reviews of its vulnerabilities, including penetration testing and compromise assessments. Franklin Templeton employs best practice identity and access management including broad adoption of multifactor authentication, geo-location blocking, behavior analytics and controls aligned to a zero trust model. 58 Franklin Templeton and the Adviser recognize that threat actors frequently target employees to gain unauthorized access to information systems. Therefore, a key element of their prevention efforts is employee training on their data privacy and cybersecurity procedures. For example, all new hires of Franklin Templeton and the Adviser receive mandatory privacy and information security training. In addition, current employees of the Adviser must complete mandatory annual cybersecurity and data trainings, which are supplemented by regular phishing and other cyber-related testing and trainings that the Adviser conducts throughout the year. We recognize that third parties that provide information systems used by the Adviser to provide services to the Company can be subject to cybersecurity incidents that could impact the Company. To mitigate third party risk, Franklin Templeton maintains a vendor code of conduct, which is designed to require third party vendors to comply with our requirements for maintenance of passwords, as well as other confidentiality, security, and privacy procedures. All third party vendors must complete a cyber incident reporting questionnaire to ensure timely notification of any potential cybersecurity breaches. Third-party IT vendors are also subject to additional diligence requirements. As discussed above, to support its preparedness, Franklin Templeton has an incident response plan that it regularly updates. In addition, Franklin Templeton performs regularly scheduled tabletop exercises and periodic drills at least once a year to test its incident response procedures, identify improvement opportunities and exercise team preparedness. Franklin Templeton also maintains cybersecurity insurance providing coverage for certain costs related to security failures and specified cybersecurity-related incidents that interrupt its network or networks of its vendors, in all cases up to specified limits and subject to certain exclusions. Detection and Analysis Cybersecurity incidents may be detected through a variety of means, which may include, but are not limited to, automated event-detection notifications or similar technologies which are monitored by the Franklin Templeton cyber defense team, notifications from employees, borrowers or service providers, and notifications from third party information technology system providers. Franklin Templeton also has a comprehensive threat intelligence program that performs proactive analyses leveraging internal, government and third party provided intelligence to identify and mitigate risks to the firm. Once a potential cybersecurity incident is identified, including a third party cybersecurity event, the incident response team designated pursuant to the Franklin Templeton incident response plan follows the procedures set forth in the plan to investigate the potential incident, including determining the nature of the event (e.g., ransomware or personal data breach) and assessing the severity of the event and sensitivity of any compromised data. Containment, Eradication, Recovery, and Reporting In the event of a cybersecurity incident, the Franklin Templeton incident response team is initially focused on containing the cybersecurity incident as quickly as possible consistent with the procedures in the incident response plan. Containment procedures may include off-lining systems, including by disconnecting network cable, utilizing network-management tools to isolate the host, altering the DNS entry of impact hosts, and coordinating with service providers. Once a cybersecurity incident is contained the focus shifts to remediation. Eradication and recovery activities depend on the nature of the cybersecurity incident and may include rebuilding systems and/or hosts, replacing compromised files with clean versions, validation of files or data that may have been affected, and increased network monitoring or logging to identify recurring attacks. Franklin Templeton has relationships with a number of third party service providers to assist with cybersecurity containment and remediation efforts, including a forensic investigation firm, a ransomware recovery vendor, a communications firm, and various law firms. Following the conclusion of an incident, the Franklin Templeton incident response team will generally reassess the effectiveness of the cybersecurity program and incident response plan, make adjustments as appropriate and report to our senior management and Audit Committee on these matters. 59 Cybersecurity Risks As of December 31, 2023, we are not aware of any material cybersecurity incidents that impacted the Company in the last three years. We and our Adviser routinely face risks of potential incidents, whether through cyber-attacks or cyber intrusions over the Internet, ransomware and other forms of malware, computer viruses, attachments to emails, phishing attempts, extortion or other scams however, we have been able to prevent or sufficiently mitigate harm from such risks. Although the Adviser and Franklin Templeton, on our behalf, make efforts to maintain the security and integrity of the information technology systems the Adviser uses on our behalf, these systems and the proprietary, confidential and personal information that resides on or is transmitted through them are subject to the risk of a security incident or disruption, and there can be no assurances regarding our security efforts and measures or those of our third party providers. See Item 1A Risk Factors Our business could suffer in the event our Adviser or any other party that provides us with services essential to our operations experiences system failures or cyber-incidents or a deficiency in cybersecurity.

Company Information