Lafayette Square USA, Inc. 10-K Cybersecurity GRC - 2024-03-20

Page last updated on April 11, 2024

Lafayette Square USA, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-20 16:32:10 EDT.

Filings

10-K filed on 2024-03-20

Lafayette Square USA, Inc. filed an 10-K at 2024-03-20 16:32:10 EDT
Accession Number: 0001849089-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Lafayette Square maintains a cybersecurity program which includes processes for assessing , identifying, and managing material risks from cybersecurity threats in the form of unauthorized occurrences that could result in adverse effects on the confidentiality, integrity, or availability of the Company s information systems (any such occurrence, a Cybersecurity Incident ). The Company s business is dependent on the communications and information systems of the Adviser and other third-party service providers. The Adviser manages the Company s day-to-day operations and has implemented a cybersecurity program that applies to the Company and its operations. Cybersecurity Program Overview The Adviser has instituted a cybersecurity program designed to identify, assess, and mitigate cyber risks applicable to the Company. The cyber risk management program involves risk assessments, implementation of security measures, and ongoing monitoring of systems and networks, including networks on which the Company relies. The Adviser actively monitors the current threat landscape in an effort to identify material risks arising from new and evolving cybersecurity threats, including material risks faced by the Company. The Adviser maintains a comprehensive information security policy to manage risk which details procedures such as incident response, business continuity and disaster recovery management plans, penetration testing and quarterly cybersecurity training for all employees. The Adviser (through the Staffing Agreement with the Administrator) employs a Chief Technology Officer (“CTO”), Bobby Patnaik. Mr. Patnaik has more than twenty years of experience, including fourteen years in financial services. Prior to joining Lafayette, Mr. Patnaik worked at Goldman Sachs Asset Management rising to the Global Head of Institutional/Fund Reporting and Reference Data Technology after spending several years developing and leading middle and back-office technologies. Mr. Patnaik began his career working for several technology and telecommunication companies, including AT&T and Verizon. The Company relies on the Adviser to engage external experts, including cybersecurity assessors, consultants, and auditors to evaluate cybersecurity measures and risk management processes, including those applicable to the Company. The Adviser has contracted with Salt Cybersecurity, LLC to serve as a virtual Chief Information Security Officer (“vCISO”) and perform an annual information security program risk assessment and gap analysis based on the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standard (ISO/IEC 27001:2013). In addition, our vCISO conducts due diligence on each vendor we utilize to assess their levels of security when working with Lafayette Square data. The Adviser has also engaged a third-party cybersecurity firm, AG1, Inc. (dba AgileBlue), to act as Lafayette Square s outsourced security operation center ( SOC ) and provide continuous monitoring of Lafayette Square issued devices for potential vulnerabilities with any threats escalated to the CTO. Management’s Role in Cybersecurity Risk Management The Company s management, including the Company s CCO, is responsible for assessing and managing material risks from cybersecurity threats. Lafayette Square s information security policy includes an incident response plan which specifies procedures for elevating, remediating, monitoring and communicating about Cybersecurity Incidents. A dedicated team of executive level leaders at the Adviser (the Incident Response Team ) including the Chief Risk Officer, Chief People Officer, Chief Compliance Officer and led by the Chief Technology Officer ensure Cybersecurity Incident containment, eradication, recovery and notification that is integrated in Lafayette Square s overall risk management. If a Cybersecurity Incident is detected, whether by way of penetration testing, a vulnerability scan conducted by the SOC, or otherwise, it will be reported to the Chief Technology Officer and Chief Compliance Officer who mobilize the Incident Response Team. The Incident Response Team will prepare the communications including alerting the Board of any material risks and any additional required reporting. The Chief Technology Officer is designated as the leader of the Incident Response Team and is designated to interface with key stakeholders including the Board. Board Oversight of Cybersecurity Risks The Board provides strategic oversight on cybersecurity matters, including risks associated with cybersecurity threats. The Board receives periodic updates from the Company s Chief Compliance Officer regarding the overall state of the Adviser s cybersecurity program, information on the current threat landscape, and risks from cybersecurity threats and cybersecurity incidents impacting the Company. Assessment of Cybersecurity Risk The potential impact of risks from cybersecurity threats on the Company are assessed on an ongoing basis, and how such risks could materially affect the Company s business strategy, operational results, and financial condition are regularly evaluated. See Item 1.A Risk Factors We depend on information systems, and systems failures could significantly disrupt our business, which may, in turn, negatively affect the value of our Common Stock and our ability to pay distributions. for 96 Table of Contents more details on how cybersecurity threats are reasonably likely to materially affect the Company including its business strategy, results of operations, or financial condition. During the reporting period, the Company has not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that the Company believes have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, operational results, and financial condition.

Company Information