Jefferies Credit Partners BDC Inc. 10-K Cybersecurity GRC - 2024-03-29

Page last updated on April 11, 2024

Jefferies Credit Partners BDC Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-29 12:57:40 EDT.

Filings

10-K filed on 2024-03-29

Jefferies Credit Partners BDC Inc. filed an 10-K at 2024-03-29 12:57:40 EDT
Accession Number: 0000950170-24-038501

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy As an externally managed closed-end management investment company that has elected to be regulated as a BDC under the Investment Company Act, our day-to-day operations are managed by the Investment Adviser, Administrator and our executive officers under the oversight of our Board of Directors. Our executive officers are senior professionals of the Investment Adviser. We obtain our cybersecurity program-related services as part of a larger set of services provided to the parent company of our Investment Adviser by JFG under written agreement. As such, we rely on JFG s information systems infrastructure and JFG s processes for assessing, identifying and managing material risks to our business from cybersecurity threats. Below are details JFG has provided to us regarding its cybersecurity program. 36 JFG s Chief Information Security Officer ( CISO ) and his Global Information Security team ( GIS ) oversee JFG s cybersecurity program and exercise overall responsibility for the strategic vision and the design, development, and implementation of, and adherence to, the program s protocols. The comprehensive program includes policies and procedures designed to protect JFG systems, operations, and the data entrusted to it, including by us, from anticipated threats or hazards. The program applies seven layers of controls: governance, identification, protection, detection, response, recovery, and third-party vendor management. Protective measures include, where appropriate, physical and digital access controls, software security and patch management, identity verification, mobile device management, data loss prevention solutions, employee cybersecurity awareness communications and best practices training programs, security baselines and tools to detect and report anomalous activity, service provider risk assessments, network monitoring of data usage, hardware and software, and data erasure and media disposal, among others. Measures, policies and standards are aligned with industry-leading frameworks, such as those promulgated by the International Organization for Standardization and the National Institute of Standards and Technology ( NIST ). JFG tests its cybersecurity defenses regularly through automated vulnerability scanning by GIS s 24/7 Security Operations Group to identify and remediate critical vulnerabilities. In addition, an independent vendor conducts annual white hat penetration tests to validate its external security posture. For certain JFG businesses, JFG also conducts cyber incident tabletop exercises involving hypothetical cybersecurity incidents to test its cyber incident response processes. Tabletop exercises are conducted by JFG s IT Risk team in collaboration with outside service providers as appropriate and members of JFG s senior management and Legal and Compliance teams. Learnings from these tabletop exercises and any events that JFG experiences are reviewed, discussed, and incorporated into its cybersecurity risk management processes as appropriate. In addition to JFG s internal exercises to test aspects of its cybersecurity program, JFG annually engages an independent third party to assess the risks associated with its information systems and information assets and the JFG risk management program. The independent third party assesses the cybersecurity program against the Cyber Risk Institute Cyber Profile, a financial sector-focused framework based on the NIST Cybersecurity Framework, the results of which are reported to the JFG Board of Directors (the JFG Board ) and inform JFG s program. JFG has a comprehensive cybersecurity incident response and communication plan (the IRP ), managed by the Security Operations Group, which is designed to inform appropriate risk management and business managers (including, as appropriate, our executive officers and other representatives of the Investment Adviser or its affiliates) of non-routine suspected or confirmed information security or cybersecurity events based on the expected risk an event presents. As appropriate, a team composed of individuals from several internal technical and managerial functions may be formed to investigate and remediate such an event and determine the extent of external advisor support required, including from external counsel, forensic investigators, and law enforcement agencies. The IRP is reviewed at least annually. JFG maintains a cybersecurity risk management process to identify and mitigate risks that impact the firm. This process includes reviewing risks discerned from time to time from both internal events and from external events, alerts and reports received from a broad variety of sources. Reports from external sources are also reviewed to formulate risk mitigation and remediation strategies. JFG s CISO periodically discusses and reviews cybersecurity risks and related mitigants with JFG s Chief Information Officer ( CIO ), the Head of IT Risk, and General Counsel and incorporates relevant cybersecurity risk updates and metrics. JFG adjusts and enhances its cybersecurity program in response to the evolving cybersecurity landscape and to align with regulatory and industry standards. JFG employs a process designed to assess the cybersecurity risks associated with the engagement of third-party vendors and service providers. This assessment is conducted on the basis of, among other factors, the types of products or services provided and the extent and type of data accessed or processed by the third party. Cybersecurity is assessed by IT Risk and approved by the CIO as a component of JFG s annual, enterprise-wide Risk Control Self Assessment ( RCSA ) managed by JFG s Operational Risk Group. The RCSA process is independently verified by JFG s Internal Audit Department. Although since inception, we have not experienced a material information security breach incident, future incidents could have a material impact on our business strategy, results of operations or financial condition. For a discussion of how risks from cybersecurity threats affect our business, and our reliance on the JFG and its affiliates in managing these risks, see Part 1. Item 1A. Risk Factors - Risk Related to our Business - Cybersecurity risks and cyber incidents may adversely affect our business or the business of our Portfolio Companies by causing a disruption to our operations or the operations of our Portfolio Companies, a compromise or corruption of our confidential information or the confidential information of our Portfolio Companies and/or damage to our business relationships or the business relationships of our Portfolio Companies, all of which could negatively impact the business, financial condition and operating results of us or our Portfolio Companies in this annual report. Cybersecurity Governance JFG has a dedicated GIS team, led by its CISO, who reports to JFG s CIO. The CISO works closely with JFG s CIO, Chief Financial Officer, and the Chief Risk Officer s ( CRO ) team and Legal and Compliance Departments, to develop and advance the firm s cybersecurity strategy, which applies to us. JFG s CISO has extensive experience in cybersecurity and technology and is responsible for all aspects of cybersecurity across JFG s global businesses. He has over twenty years experience managing cybersecurity in the financial and consulting services industries. JFG conducts periodic cybersecurity risk assessments, including assessments of third-party vendors, and assists with the management and mitigation of identified cybersecurity risks. The CISO reviews the cybersecurity framework annually as well as on an event-driven basis as necessary, and reviews the scope of cybersecurity measures periodically, including to accommodate changes in business practices that may implicate security-related issues. JFG s cybersecurity program is periodically assessed by JFG s Internal Audit Department. The results of these audits are reported to the Audit Committee of the JFG Board. Any resulting findings and associated actions to address issues are tracked and managed to completion. In addition, JFG s IT Risk team provides Key Risk Indicators ( KRIs ) monthly to JFG s Operational Risk Committee whose members include the CIO, CRO, Head of Internal Audit and the CISO and their representatives. The monthly presentation includes updates on key security incidents and trending of cybersecurity KRIs. 37 The JFG Board is responsible for the general oversight of all matters that affect JFG, including the myriad risks impacting it. The JFG Board fulfills its oversight role through the operations of its various committees and receives periodic reports on its committees activities. The JFG Board s Risk and Liquidity Oversight Committee oversees JFG s enterprise risk management. Oversight includes reviewing and approving annually JFG s risk management framework and overarching risk appetite statements reviewing JFG s technology, cybersecurity and privacy risk, legal and regulatory risk, and reputational risk,among other JFG major risk exposures reviewing the steps management has taken to monitor and control such exposures and reviewing JFG s capital, liquidity and funding against established risk methodologies. The CISO keeps the JFG Board informed about JFG s security posture and cybersecurity maturity program on a regular basis, providing updates about cybersecurity events, significant incidents, and new initiatives. Our Board of Directors is responsible for understanding the primary risks to our business, including any cybersecurity risks. Our Board of Directors may receive periodic updates from our Chief Compliance Officer, our General Counsel, our Chief Operating Officer or from our Investment Adviser regarding the overall state of the Investment Adviser s cybersecurity program, information on the current threat landscape, and risks from cybersecurity threats and cybersecurity incidents impacting our business.

Company Information