Star Mountain Lower Middle-Market Capital Corp 10-K Cybersecurity GRC - 2024-03-29

Page last updated on April 11, 2024

Star Mountain Lower Middle-Market Capital Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-29 21:32:48 EDT.

Filings

10-K filed on 2024-03-29

Star Mountain Lower Middle-Market Capital Corp filed an 10-K at 2024-03-29 21:32:48 EDT
Accession Number: 0001140361-24-016720

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Assessment, Identification and Management of Material Risks from Cybersecurity The Company has processes in place to assess, identify, and manage material risks from cybersecurity threats. The Company relies on the cybersecurity strategy and policies implemented by the Administrator, which manages the Company s day-to-day operations. Cybersecurity Program Overview The Administrator has instituted a cybersecurity program aligned to the National Institute of Standards and Technology Cybersecurity Framework and designed to identify, assess, and manage cyber risks applicable to the Company. The Administrator s cybersecurity program prioritizes detection and analysis of and response to known, anticipated or unexpected threats, effective management of security risks and resilience against cyber incidents. The Administrator s cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services, which include tools and services from third-party providers, and oversight to assess, identify and manage risks from cybersecurity threats, including those applicable to the Company. The Administrator has implemented and continues to implement risk-based controls designed to prevent, detect and respond to information security threats and the Company relies on such controls. The Administrator s cybersecurity program includes physical, administrative and technical safeguards, as well as plans and procedures designed to help the Company prevent and respond to cybersecurity threats and incidents, including threats or incidents that may impact the Company. The Administrator s cybersecurity risk management processes seek to monitor cybersecurity vulnerabilities and potential attack vectors, evaluate the potential operational and financial effects of any threat and mitigate such threats. The assessment of cybersecurity risks, including those which may be applicable to the Company, is integrated into the Administrator s overall risk management program. The Company relies on the Administrator to engage with third-party consultants and key vendors to assist it in assessing, enhancing, implementing and monitoring its cybersecurity measures and risk management processes and responding to incidents. The Administrator s cybersecurity risk management and awareness programs include identification and testing of vulnerabilities, phishing simulations and general cybersecurity awareness and data protection training, including for employees of our investment adviser and our administrator. The Administrator undertakes periodic internal security reviews of its information systems and related controls applicable to the Company. The Administrator also completes external reviews of the cybersecurity program and practices applicable to the Company, which may include assessments of relevant data protection practices and targeted attack simulations. The Administrator has developed an incident response plan that provides guidelines for responding to cybersecurity incidents. The incident response plan includes notification to the applicable members of the Administrator s cybersecurity leadership, including the Administrator s Chief Technology Officer. Incidents may also be reported to the audit committee or full board of directors of the Administrator, as well as to the Audit Committee (the Audit Committee ) of the Company s Board of Directors (the Board ) or the full Board, if appropriate. The Company depends on and engages various third parties, including suppliers, vendors, and service providers, to operate its business. The Company relies on the expertise of risk management, legal, information technology, and compliance personnel of the Administrator when identifying and overseeing risks from cybersecurity threats associated with our use of such entities. Board Oversight of Cybersecurity Risks The Board provides strategic oversight on cybersecurity matters, including risks associated with cybersecurity threats. The Board receives periodic updates from the Company s Chief Compliance Officer ( CCO ) regarding the overall state of the Administrator s cybersecurity program, information on the current threat landscape, and risks from cybersecurity threats and cybersecurity incidents impacting the Company. Management s Role in Cybersecurity Risk Management The Company s management, including the Company s CCO, and the Chief Technology Officer of the Administrator, manage the Company s cybersecurity program. The CCO of the Company oversees the Company s oversight function generally and relies on the Administrator s Chief Technology Officer to assist with assessing and managing material risks from cybersecurity threats. The Administrator s Chief Technology Officer has twenty years of experience in actively managing cybersecurity and information security programs for financial services companies with complex information systems. The CCO has been responsible for this oversight function as CCO to the Company for over a year and has worked in the financial services industry for more than six years, during which time the CCO has gained expertise in assessing and managing risk applicable to the Company. Management of the Company is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents impacting the Company, including through the receipt of notifications from service providers and reliance on communications with risk management, legal, information technology, and/or compliance personnel of the Administrator. For example, the Company s CCO consults with the Administrator s Chief Technology Officer on a routine basis and provides periodic updates to the Company s Board and/or senior officers regarding cybersecurity risks and cybersecurity incidents that could reasonably have a material impact on the Company. 37 Table of Contents Material Impact of Cybersecurity Risks The potential impact of risks from cybersecurity threats on the Company are assessed on an ongoing basis, and how such risks could materially affect the Company s business strategy, operational results, and financial condition are regularly evaluated. During the reporting period, the Company has not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that the Company believes have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, operational results, and financial condition.

Company Information