Blue Owl Capital Corp 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 19, 2025

Blue Owl Capital Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 16:32:46 EST.

Filings

10-K filed on 2025-02-19

Blue Owl Capital Corp filed a 10-K at 2025-02-19 16:32:46 EST
Accession Number: 0001655888-25-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Processes and Risk Assessment We rely on the cybersecurity program implemented by Blue Owl, the indirect affiliate of our Adviser. Blue Owl has implemented a cybersecurity program , which is focused on (i) protecting confidential business, client, investor and employee information; (ii) maintaining the security and availability of its systems and data; (iii) supporting compliance with applicable laws and regulations; (iv) documenting cybersecurity incidents and its responses; and (v) notification of cybersecurity incidents to, and communications with, appropriate internal and external parties. Blue Owl has implemented an information security governance policy (the “ISG Policy”) governing cybersecurity risk, which is designed to facilitate the protection of sensitive or confidential business, client, investor and any employee information that it stores or processes and the maintenance of critical services and systems. Blue Owl’s cybersecurity program is managed by Blue Owl’s Chief Technology Officer and Head of Technology Infrastructure (together, “Blue Owl IT Management”), who report to Blue Owl’s Chief Operating Officer. Blue Owl IT Management and its team are responsible for implementing proactive and reactive measures, including Blue Owl’s monitoring and alert response processes, vulnerability management, changes made to its critical systems, including software and network changes, and various other technological and administrative safeguards. Blue Owl’s cybersecurity processes and systems are designed to protect against unauthorized access of information, including by cyber-attacks, and Blue Owl’s policy and processes include, as appropriate, encryption, data loss prevention technology, authentication technology, entitlement management, access control, anti-virus and anti-malware software, and transmission of data over private networks. Blue Owl’s processes and systems aim to prevent or mitigate two main types of cybersecurity risk: first, cybersecurity risks associated with its physical and digital devices and infrastructure, and second, cybersecurity risks associated with third parties, such as people and organizations who have access to its devices, infrastructure or confidential or sensitive information. The cybersecurity-control principles that form the basis of Blue Owl’s cybersecurity program are informed by the National Institute of Standards and Technology Cybersecurity Framework. Blue Owl’s cybersecurity program includes review and assessment by third parties of the cybersecurity processes and systems. These third parties assess and report on Blue Owl’s compliance with applicable laws and regulations and its internal incident response preparedness, including benchmarking to best practices and industry frameworks and help identify areas for continued focus and improvement. Annual penetration testing of its network, including critical systems and systems that store confidential or sensitive information, is conducted with third party consultants and vulnerabilities are reviewed and addressed by Blue Owl IT Management. When Blue Owl engages vendors and other third party partners who will have access to sensitive data or client systems and facilities, its infrastructure technology team assesses their cybersecurity programs and processes. Blue Owl also provides its employees with cybersecurity awareness training at onboarding and annually, as well as interim security reminders and alerts. Blue Owl conducts regular phishing tests and provides additional training as appropriate. Blue Owl has a process designed to assess the cybersecurity risks associated with the engagement of third-party vendors. This assessment is conducted on the basis of, among other factors, the types of services provided and the extent and type of data accessed or processed by a third-party vendor. Governance and Oversight of Cybersecurity Risks Blue Owl has developed an incident response framework to identify, assess, manage and report cybersecurity events, which is managed and implemented by Blue Owl’s Cyber Risk Operating Committee (the “C-ROC”), a cross-functional management committee that includes its General Counsel, Chief Operating Officer, Chief Compliance Officer and Blue Owl IT Management . The incident response framework determines when the C-ROC should provide notifications regarding certain cybersecurity incidents, with different severity thresholds triggering notifications to different recipient groups, including senior members of Blue Owl’s management, Blue Owl’s Audit Committee or Blue Owl’s Board of Directors. The C-ROC is responsible for gathering information with respect to a cybersecurity incident, assessing its severity and potential responses, as well as communicating with business heads and senior management, as appropriate. This framework contemplates conducting simulated cybersecurity incident response exercises with members of senior management on an interim basis in coordination with external cyber counsel. Blue Owl’s cybersecurity program, which is overseen by the C-ROC, is managed by IT Management as part of its responsibility for enterprise-wide cybersecurity strategy, policies, implementing Blue Owl’s monitoring and alert response processes, vulnerability management, changes made to our critical systems, including software and network changes and various other technological and administrative safeguards The team is led by Blue Owl’s Chief Technology Officer, who has over 25 years of experience advising on technology strategy, including digital transformation, cybersecurity, business analytics and infrastructure, and Blue Owl’s Head of Technology Infrastructure, who has over 20 years of experience in the information technology field with a focus on IT risk governance and management, information security, incident response capabilities and assessing effectiveness of controls. The C-ROC meets regularly and forms cross-enterprise teams, as needed, to manage and implement key policies and initiatives of Blue Owl’s cybersecurity program. 77 The Audit Committee is primarily responsibility for oversight and review of guidelines and policies with respect to risk assessment and risk management. Blue Owl’s Chief Technology Officer periodically reports to the Audit Committee as well as the full Board, as appropriate, on cybersecurity matters. Such reporting includes updates on Blue Owl’s cybersecurity program, the external threat environment and Blue Owl’s programs to address and mitigate the risks associated with the evolving cybersecurity threat environment. These reports also include updates on Blue Owl’s preparedness, prevention, detection, responsiveness and recovery with respect to cyber incidents. Impact of Cybersecurity Risks In 2024, we did not experience a material cybersecurity incident, and we are not aware of any cybersecurity risks that are reasonably likely to materially affect our business. While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, we describe whether and how future incidents could have a material impact on our business strategy, results of operations or financial condition in " ITEM 1A. Risk Factors - Internal and external cybersecurity threats and risks, as well as other disasters, may adversely affect our business or the business or our portfolio companies by impairing the ability to conduct business effectively ." and " Increased data protection regulation may result in increased complexities and risk in connection with the operation of our business. "


Company Information

NameBlue Owl Capital Corp
CIK0001655888
SIC Description
TickerOBDC - NYSE
Website
CategoryLarge accelerated filer
Fiscal Year EndDecember 30