Stepstone Private Credit Fund LLC 10-K Cybersecurity GRC - 2024-03-25

Page last updated on April 11, 2024

Stepstone Private Credit Fund LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-25 16:45:57 EDT.

Filings

10-K filed on 2024-03-25

Stepstone Private Credit Fund LLC filed a 10-K at 2024-03-25 16:45:57 EDT
Accession Number: 0001193125-24-076567

Item 1C. Cybersecurity.

The Company, the Advisor and StepStone Group are affiliates of StepStone Group Inc., a Delaware corporation listed on the Nasdaq Stock Market LLC and whose securities are registered with the SEC pursuant to Section 12(b) of the Exchange Act. In general, the Company relies upon the information systems and other enterprise services provided by StepStone Group Inc. and its subsidiaries, including StepStone Group and the Advisor (together, “STEP”).

STEP maintains a cybersecurity program that is reasonably designed to protect the Company’s information, and that of the Company’s portfolio companies and investors, against cybersecurity threats that may result in significant adverse effects on the confidentiality, integrity, and availability of the information systems of STEP and its affiliates.

Governance.

Board of Directors

The Board of Directors of StepStone Group Inc. (“STEP Board”) oversees STEP’s processes for assessing and managing risk. The STEP Board’s Audit Committee is responsible for reviewing and discussing STEP’s practices with respect to risk assessment and risk management, and risks related to matters, including information technology and cybersecurity. The STEP Board and Audit Committee regularly review the measures implemented by STEP to identify and mitigate risks from cybersecurity threats. As part of such reviews, the STEP Board and Audit Committee receive reports and presentations from those responsible for overseeing STEP’s cybersecurity risk management, including the Managing Director, Head of Information Technology (“Head of IT”) and STEP’s Legal team, which may address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to STEP’s peers, industry participants, service providers and other third parties. The Head of IT also periodically presents to the STEP Board and its Audit Committee, including to describe STEP’s information security infrastructure and improvements made, and to report on any significant developments in respect to STEP. From time to time, external legal advisers provide education to the STEP Board and/or Audit Committee in respect of information security related developments and to provide training in respect of directors’ responsibilities.

At the Company level, the Company’s Board oversees and monitors enterprise risk management at the Company, including with respect to cybersecurity and information security risk. The Company’s Board and disclosure review team are expected to receive periodic reports and updates from the Head of IT, as applicable in the context of risks from cybersecurity threats that may impact the Company. STEP has a framework under which certain cybersecurity incidents are escalated within the Company and STEP and, where appropriate, reported to the Company Board, STEP Board or Audit Committee in a timely manner.

Management

STEP has a cybersecurity working group composed of members of the Information Technology (including Information Security), Legal and Compliance departments, including the Head of IT, the Chief Legal Officer of STEP, the Chief Compliance Officer of STEP, and a number of their respective team members. The working group meets regularly to identify and mitigate data protection and cybersecurity risks, implement information security governance mechanisms, discuss developments in information security, and discuss and action any significant cyber incidents relevant to STEP, and its affiliates, including the Company. The working group is expected to escalate matters of significance to STEP’s Incident Response Team, ERMC (defined below) and/or the STEP Disclosure Committee, as well as to the Company’s disclosure review team, as appropriate.

STEP has adopted an Incident Response Plan (“IRP”) that applies in the event of a cybersecurity threat or incident, including those that impact the Company, to provide a standardized framework for responding to security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate, including stakeholders at the Company, as relevant. In general, STEP’s incident response process leverages the NIST framework and focuses on four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation. The IRP applies to all STEP personnel and STEP networks and systems, third-party systems and end-user devices, including those of the Advisor and those relied upon by the Company.

In addition, STEP has an Enterprise Risk Management Committee (“ERMC”) composed of a number of members of senior management from operations across STEP’s businesses, legal, compliance, information technology, finance, human resources and internal audit and risk. The ERMC was established to oversee and ensure the efficient and effective management of STEP’s enterprise risks. Cybersecurity and significant information security matters are to be brought before the ERMC or certain of its members, and matters of primary significance are to be further escalated and reported to the StepStone Global Executive Committee and the Audit Committee of the STEP Board and the Company’s Board, as appropriate.

At the management level, the STEP Head of IT, who has extensive cybersecurity knowledge and skills gained from over 20 years of work experience at STEP and elsewhere, heads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices and reports directly to the President and Co-Chief Operating Officer of STEP. The Head of IT receives reports on cybersecurity threats from his team and external service providers on an ongoing basis and, in conjunction with management, reviews risk management measures implemented by STEP to identify and mitigate data protection and cybersecurity risks, including those applicable to the Company and the Advisor. The Head of IT works closely with the STEP Legal and Compliance departments to oversee compliance with legal, regulatory and contractual security requirements and in developing reports and presentations to the STEP Board and its Audit Committee, as well as to the Company’s Board. The Head of IT is responsible for providing regular training to STEP employees, including employees of the Advisor, in respect of information security.

Risk Management and Strategy.

STEP takes a multifaceted approach to managing risk from cybersecurity threats. STEP’s cybersecurity program leverages people, processes, and technology to identify and respond to cybersecurity threats in a timely manner. STEP’s information security program, and supporting policies apply to all employees, contractors and vendors servicing the firm, including employees of the Advisor. The program outlines the development, maintenance, and distribution of information security policies and procedures that detail the implementation and maintenance of the information security program and its safeguards, and cover various areas such as information handling, user access management, encryption, data retention and backups, computer and network security and monitoring, physical security, incident reporting and response, service provider oversight, and employee and contractor use of technology. STEP also undergoes annual SOC 1 Type 2 testing of its financial processes and supporting technical controls.

In addition to the foregoing, STEP conducts regular employee trainings on cybersecurity, which trainings apply to the Company’s officers and employees of the Advisor, and performs phishing exercises to test employees’ understanding of how to identify social engineering attacks. STEP performs diligence, including in respect of information security, of vendors and third parties with significant access to confidential information and personal data, and periodically monitors such vendors, including such vendors relied upon by the Company and the Advisor. STEP also employs systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems STEP and its affiliates use. STEP conducts annual penetration testing performed by a rotating group of third-party security firms to test STEP’s technical controls and security response. STEP’s internal audit team has also conducted a cybersecurity assessment to evaluate STEP’s preparedness against potential cyber risks and threats. In addition to its internal cybersecurity capabilities and third-party penetration testing, STEP also, at times, engages consultants or other third parties to assist with assessing, identifying, and managing cybersecurity risks.

Material Cybersecurity Risks, Threats & Incidents

Due to evolving cybersecurity threats, it has and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents. To date, the Company has not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that the Company believes have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition, but the Company faces certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to have such an effect. Additional information on cybersecurity risks the Company faces can be found in Part I, Item 1A “Risk Factors” of this Report under the heading “Cybersecurity risks and cyber incidents could adversely affect our business by causing a disruption to our operations, which could adversely affect our financial condition and results of operations.”, which should be read in conjunction with the foregoing information.


Company Information

Name: Stepstone Private Credit Fund LLC
CIK: 0001950803
SIC Description:
Ticker:
Website:
Category:
Emerging growth company:
Fiscal Year End: December 30