NexPoint Capital, Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

NexPoint Capital, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 15:08:15 EDT.

Filings

10-K filed on 2024-03-28

NexPoint Capital, Inc. filed a 10-K at 2024-03-28 15:08:15 EDT
Accession Number: 0001193125-24-080440


Item 1C. Cybersecurity.

Risk Management and Strategy

As an integral part of our commitment to safeguarding sensitive information and ensuring the integrity of our operations, the Company utilizes the expertise and diligence of the Adviser and the Company (together, the "Organization") in upholding robust cybersecurity measures. The Organization maintains a robust and evolving enterprise-wide cybersecurity risk management program (the "Program") that is designed to assess, identify, manage, mitigate and respond to cybersecurity threats and keep pace with technological innovations, while also meeting applicable legal and regulatory requirements. Through the implementation of the Program, we strive to protect critical information assets (e.g., data, systems, infrastructure) and safeguard the Company from new and emerging threats. The Program incorporates legal and regulatory requirements, aligns to industry best practices and requires the safeguarding and protection of information in relation to established information classifications.

The Organization does not currently engage a third party to wholly review its information security infrastructure. However, as part of the Program, the Adviser has network-level penetration testing conducted annually by a third-party, along with application and physical penetration testing conducted regularly by both internal and external resources.

We are aware of the risks associated with third-party service providers ("vendors"), and the Adviser implements stringent processes to oversee and manage these risks. The Adviser leverages a robust and mature vendor information risk management methodology for evaluating vendors. This review includes, among others, a review of independent assurance (e.g., SOC 2 Type 2 reports, ISO27001 audits), independent penetration tests and policy documentation, as applicable. Moreover, the Adviser consistently includes contractual terms enshrining cybersecurity and availability requirements into the Adviser's legal agreements with vendors. The Adviser also reassesses critical vendors on a regular basis.

The Adviser and the Company face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, result of operations, cash flow or reputation. Such risks to date have not had any impact on or relation to the Adviser's business or the Company including our investment strategy, results of operations or financial condition. However, affiliated business lines have experienced threats to their data and systems periodically, including malware and computer virus attacks. The Organization has a robust information security program including but not limited to, an incident management process and monitors for suspicious network activity, phishing program for educational purposes internally, endpoint protection tools, encryption and more to protect against threats. However, future incidents could have a material impact on our business strategy, results of operations or financial condition. For more information about the cybersecurity risks we face, see our disclosure entitled "We depend on information systems, and systems failures could significantly disrupt our business, which may, in turn, negatively affect our ability to pay dividends to our stockholders." under Item 1A. Risk Factors.

Governance

The Board is provided regular reports by the Adviser on its processes for identifying and mitigating cybersecurity risks for the Company. The Board actively participates in discussions with management, including the Company's Chief Compliance Officer and the Organization's personnel responsible for cybersecurity, and among themselves regarding cybersecurity risks.

The Organization's cybersecurity program includes policies designed to detect and respond to cyber attacks, monitoring third-party service providers' cyber security policies, and descriptions of the infrastructure, processes and personnel that are devoted to identifying and addressing internal and external threats. The Organization has strategically integrated its cybersecurity program into its broader risk management framework to promote a company-wide culture of cybersecurity risk management and to protect information on a global basis. The Organization draws upon its team of information security and business resilience professionals that work closely with business and information technology colleagues to continuously evaluate and address cybersecurity risks.


Company Information

Name: NexPoint Capital, Inc.
CIK: 0001588272
SIC Description:
Ticker: NXPT - OTC
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30