CAPITAL SOUTHWEST CORP 10-K Cybersecurity GRC - 2024-05-21

Page last updated on July 16, 2024

CAPITAL SOUTHWEST CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-21 16:37:40 EDT.

Filings

10-K filed on 2024-05-21

CAPITAL SOUTHWEST CORP filed a 10-K at 2024-05-21 16:37:40 EDT
Accession Number: 0000017313-24-000022

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Company maintains and, at least annually, reviews its information technology (“IT”) and cybersecurity policies and procedures (the “Cybersecurity Program”). The Cybersecurity Program is aligned to the National Institute of Standards of Technology Cybersecurity Framework. The Cybersecurity Program includes technical security controls, policy enforcement mechanisms, monitoring systems, tools and related services, which include tools and services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. Management has implemented and continues to implement risk-based controls designed to prevent, detect and respond to information security threats. As part of our overall cybersecurity risk management process, our management engages at least annually in the review and evaluation of our risks relating to our Cybersecurity Program. Additionally, as part of our Rule 38a-1 compliance program, we review at least annually the compliance policies and procedures of our key service providers, including documentation discussing each service providers’ information security controls. Any failure in our key service providers’ cybersecurity systems could have a material impact on our operating results. See “Risk Factors - Risks Related to our Business and Structure - A failure of cybersecurity systems, as well as the occurrence of events unanticipated in our disaster recovery systems and management continuity planning, could impair our ability to conduct business effectively.” Additionally, the Cybersecurity Program includes quarterly general cybersecurity awareness and data protection training for employees as well as regular phishing simulations. The Company also has annual certification requirements for employees with respect to certain policies supporting the cybersecurity program including the IT, Cybersecurity and Physical Security Policies and Procedures, the Disaster Recovery Business Continuity Plan, the Electronic Communications Policy and the Privacy Policy. Our Cybersecurity Program is administered by our Corporate Controller and our Chief Compliance Officer. These individuals, along with our external legal counsel and third party IT providers serve as the crisis response team in connection with any material cybersecurity incident under our Incident Response Plan. The Incident Response Plan provides guidelines for responding to a cybersecurity incident and facilitates coordination between the necessary parties. This includes notification to our senior management, and if material, reported to Board of Directors. We also utilize the services of IT and cybersecurity consultants and experts in the evaluation and periodic testing of our IT and cybersecurity systems to recommend improvements to our Cybersecurity Program. The Company maintains a cybersecurity insurance policy, which includes services of additional third party experts in the event of a cyber incident. The Company has not experienced any material cybersecurity incident, and the Company is not aware of any cybersecurity risks that are reasonably likely to materially affect its business. The Board has the primary responsibility for overseeing and reviewing the guidelines and policies with respect to risk management, including cybersecurity. The Board receives quarterly updates to the Cybersecurity Program from the Company’s management. These updates include the results of the cybersecurity risk assessments, the planning and results of the periodic testing by our third party IT and cybersecurity consultants, updates and enhancements to the Cybersecurity Program and the Incident Response Plan, and reporting of additional cybersecurity data metrics.

Company Information