Page last updated on July 16, 2024

GLADSTONE INVESTMENT CORPORATION\DE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-08 16:07:54 EDT.


10-K filed on 2024-05-08

GLADSTONE INVESTMENT CORPORATION\DE filed a 10-K at 2024-05-08 16:07:54 EDT
Accession Number: 0001321741-24-000009

Item 1C. Cybersecurity.

Risk Management and Strategy

Our Adviser and our Administrator have implemented ongoing processes that are designed to continually identify, assess, manage, monitor and mitigate the dynamic and evolving material risks to us from cybersecurity threats. Our Adviser’s and Administrator’s resource management and compliance departments work in conjunction with an independent third-party information technology service provider (“ISP”) engaged by our Adviser to manage our information technology strategy. The ISP regularly performs cyber assessments and assists in maintaining our cyber and information security programs. The ISP proposes recommendations for improvements to our Adviser’s resource management and compliance departments, which then are considered by other officers and employees of our Adviser and Administrator before implementation.

In addition, regular ongoing cybersecurity threat risk assessments, which also cover third-party business applications, are performed throughout the year and reported to our officers and Board of Directors by our Chief Compliance Officer (“CCO”) no less than quarterly. Cybersecurity risks are assessed in general as part of the overall enterprise risk management for us, but also specifically between the ISP and our Adviser and Administrator in monitoring and determining not only the risks but also in assessing corresponding processes and procedures to mitigate those risks appropriately.

Our ISP constantly monitors information technology risk and cybersecurity threats globally. When risks are detected, we, through our Adviser and Administrator, consult with the ISP to assess if the risk is a cybersecurity threat to our information technology systems or data.
If a risk to our information systems or data is identified, we, through our Adviser and Administrator, work in conjunction with the ISP to implement recommended processes, improvements, or safeguards to our systems or processes to address the risks as needed. Relevant examples of such efforts include but are not limited to:

- implementation of industry leading Cloud solutions and business applications which possess integrated cybersecurity safeguards;
- anti-malware, antivirus and threat detection software;
- ransomware containment and isolation software;
- enhanced password requirements and multifactor authentication requirements;
- endpoint encryption;
- intrusion detection and response system conduct file integrity monitoring;
- email archiving, firewalls, and quarantine capabilities;
- mobile device management of business applications;
- frequent systems backups with recovery capabilities; and
- regular vulnerability scans and penetration testing.

Contractually, we require the ISP to annually provide a third-party report on its systems and on the suitability of the design and operating effectiveness of its controls relevant to information and cyber security. In addition to the ongoing dialogue and technology interaction between our Adviser and Administrator and the ISP, any significant findings in these reports are shared with us, including our Board of Directors and other officers, to enhance ongoing monitoring and assessment of our information technology and cybersecurity risk management.

Our Adviser and Administrator also regularly train employees working on our behalf on the evolving threats and educate them on cybersecurity risks to provide an additional protection barrier through end-user knowledge.

Notwithstanding our risk management and strategy described above, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us.
We are not currently aware of any known cybersecurity risks that may materially impact our operations and we may not be able to determine the likelihood of such risks. See "Risk Factors - Cybersecurity risks and cyber incidents may adversely affect our business by causing a disruption to our operations, or the operations of businesses in which we invest, a compromise or corruption of our confidential information and/or damage to our business relationships, all of which could negatively impact our business, financial condition and operating results." for a discussion of risks related to cybersecurity and cyber incidents.

Governance

Our Board of Directors is actively engaged in overseeing our cybersecurity and information security program. Our Board of Directors receives regular reports during board meetings from our CCO on our and our Adviser’s and Administrator’s efforts concerning information security and addressing information technology and cybersecurity risks, no less than quarterly, and regularly receives updates from third parties on various business risks, which include cybersecurity matters. The reports are distributed to our Board of Directors, and our CCO engages in detailed discussions with the independent board members during the independent members’ session. The reports cover potentially material cybersecurity threats facing us, as well as key risks and mitigation efforts undertaken by us and our Adviser and Administrator.

As significant threats or events are identified by management or the ISP between regular reporting periods, our CCO will inform our Board of Directors immediately and keep it informed as to the developments of assessing the risks, mitigating efforts, and potential disclosure. Appropriate members of management and third party providers will be involved as deemed necessary based on the potential impact.

Our Head of Resources Management, who is also a member of our Board of Directors, and our CCO lead our cybersecurity program.
Our Head of Resources Management has more than 30 years of overall experience and more than 20 years directly assessing and managing our cyber information technology and human resources systems, and the associated security concerns. Our CCO has more than 30 years of overall experience as a CPA, with more than 15 years managing information technology systems and databases, and more than 15 years supporting our Adviser’s and Administrator’s resource management department. This includes identifying, assessing, mitigating, and monitoring cyber information security risks. These managers, as well as other management personnel, attend various professional continuing education programs, which include cybersecurity matters. Certain members of our Board of Directors have, or previously held, positions with other companies, including other public companies, that involved managing risks associated with their cyber and information technology systems.

Company Information

SIC Description
Ticker: GAIN - Nasdaq, GAINL - Nasdaq, GAINN - Nasdaq, GAINZ - Nasdaq
Category: Non-accelerated filer
Fiscal Year End: March 30