Page last updated on March 4, 2025
North Haven Private Income Fund A LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-04 17:25:27 EST.
Filings
10-K filed on 2025-03-04
North Haven Private Income Fund A LLC filed a 10-K at 2025-03-04 17:25:27 EST
Accession Number: 0001973476-25-000018
Item 1C. Cybersecurity.
Risk management and strategy
The Company and the broader financial services industry face an increasingly complex and evolving threat environment. Morgan Stanley has made and continues to make substantial investments in cybersecurity and fraud prevention technology, and employ experienced talent to lead its Cybersecurity and Information Security organizations and program under the oversight of Morgan Stanley’s Board of Directors (the “MS Board”) and the Operations and Technology Committee of the MS Board (“BOTC”). As part of its enterprise risk management (“ERM”) framework, Morgan Stanley has implemented and maintains a program to assess, identify, and manage risks arising from the cybersecurity threats confronting the Firm (“Cybersecurity Program”). Morgan Stanley’s Cybersecurity Program helps protect the Firm’s clients, customers, employees, property, products, services, and reputation by seeking to preserve the confidentiality, integrity, and availability of information, enable the secure delivery of financial services, and protect the business and the safe operation of our technology systems, including as applicable to the Company and its unitholders. Morgan Stanley continually adjusts its Cybersecurity Program to address the evolving cybersecurity threat landscape and comply with extensive legal and regulatory expectations.
The Adviser and the Administrator manage the Company’s day-to-day operations, and the Company uses the Cybersecurity Program to assess, identify and manage material cybersecurity risks affecting the Company and its operations. The Company’s business is dependent on the communications and information systems of Morgan Stanley, including but not limited to the Cybersecurity Program, and other third-party service providers.
Processes for assessing, identifying, and managing material risks from cybersecurity threats
Morgan Stanley’s Cybersecurity Program takes into account industry best practices and addresses risks from cybersecurity threats to the Firm’s network, infrastructure, computing environment, and the third-parties Morgan Stanley relies on, including third parties relied on by the Company. Morgan Stanley periodically assesses the design of its cybersecurity controls against the Cyber Risk Institute Cyber Profile, which is based on the National Institute of Standards and Technology Cybersecurity (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity, as well as against global cybersecurity regulations, and develops improvements to those controls in response to those assessments. Morgan Stanley’s Cybersecurity Program also includes cybersecurity and information security policies, procedures, and technologies that are designed to address regulatory requirements and protect Morgan Stanley’s clients’, employees’ and own data, and the data of the Company and its officers and unitholders, against unauthorized disclosure, modification, and misuse. These policies, procedures, and technologies cover a broad range of areas, including: identification of internal and external threats, access control, data security, protective controls, detection of malicious or unauthorized activity, incident response, and recovery planning.
Morgan Stanley’s threat intelligence function within the Cybersecurity Program actively engages in private and public information sharing communities and leverages both commercial and proprietary products to collect a wide variety of industry and governmental information regarding the latest cybersecurity threats, which informs Morgan Stanley’s cybersecurity risk assessments and strategy, including as applicable to the Company.
This information is also provided to an internal Morgan Stanley cyber threat detection team, which develops and implements strategies designed to defend against these cybersecurity threats across Morgan Stanley’s environment, including systems and applications that may be relied upon by the Company. Morgan Stanley’s vulnerability management team, as well as Morgan Stanley’s Non-Financial Risk function (“NFR”) review external cybersecurity incidents that may be relevant to the Firm and the Company, to further inform the design of the Cybersecurity Program. To assess the efficacy of Morgan Stanley’s controls and defenses designed to mitigate cybersecurity risk, it utilizes internal and external testing, including penetration testing and red team engagements. The results of these assessments are used to strengthen the Cybersecurity Program. Additionally, Morgan Stanley maintains a global training program covering cybersecurity risks and requirements, including heightened security training to specialized employees, and conducts regular phishing email simulations for its employees and consultants as preventative measures. When a threat is identified in Morgan Stanley’s environment, its incident response team follows an incident response plan to evaluate the impact to the Firm and coordinate appropriate remediation. If warranted, the cybersecurity incident will be reported to applicable regulators, authorities, impacted clients or counterparties, as appropriate. The Firm’s cybersecurity incident response and remediation processes, including assessing materiality and reporting requirements, are reviewed through tabletop exercises. Morgan Stanley’s processes are designed to help oversee, identify, and mitigate cybersecurity risks associated with its use of third-party vendors, including those vendors relied upon by the Company. 
Morgan Stanley maintains a third-party risk management program that includes evaluation of, and response to, cybersecurity risks at its third-party vendors, including those vendors relied upon by the Company. Prior to engaging third-party vendors to provide services to the Firm or the Company, Morgan Stanley conducts assessments of the third-party vendors’ cybersecurity program to identify the impact of their services on the cybersecurity risks to the Firm or, as relevant, the Company. Once on-boarded, third-party vendors’ cybersecurity programs are subject to risk-based oversight, which may include security questionnaires, submission of independent security audit reports or a Firm audit of the third-party vendor’s security program, and, with limited exceptions, third-party vendors are required to meet Morgan Stanley’s minimum cybersecurity standards. Where a third-party vendor cannot meet those standards, its services, and the residual risk to the Firm, are subject to review, challenge, and escalation through Morgan Stanley’s risk management processes and ERM committees, which may ultimately result in requesting increased security measures or ceasing engagement with such third-party vendor.
Morgan Stanley’s Cybersecurity Program is regularly assessed by the Morgan Stanley Internal Audit Department (“IAD”) through various assurance activities, with the results reported to the Audit Committee of the MS Board (“BAC”) and the BOTC and, as applicable to the Board of Directors of the Company. Annually, key elements of the Cybersecurity Program are subject to review by an independent third-party, the results of which, including opportunities identified for improvement and related remediation plans, are reviewed with the BOTC. The Cybersecurity Program is also examined regularly by the Firm’s prudential and conduct regulators within the scope of their jurisdiction.
Governance
Morgan Stanley and Company’s Management’s role in assessing and managing material risks from cybersecurity threats
Morgan Stanley’s Cybersecurity Program is operated and maintained by its management, including the Chief Information Officer (“CIO”) of Cyber, Data, Risk and Resilience and the Chief Information Security Officer (“CISO”). These senior officers are responsible for assessing and managing the Firm’s cybersecurity risks, which includes cybersecurity risks faced by the Company. Morgan Stanley’s Cybersecurity Program strategy, which is set by the CISO and overseen by the Morgan Stanley’s Head of Operational Cyber, Technology, and Information Security Non-Financial Risk, (“Head of NFR CTIS”), is informed by various risk and control assessments, control testing, external assessments, threat intelligence, and public and private information sharing. Morgan Stanley’s Cybersecurity Program also includes processes for escalating and considering the materiality of incidents that impact the Firm and the Company, including escalation to senior management of Morgan Stanley, the MS Board, and management of the Company. The Chief Compliance Officer (“CCO”) of the Company is responsible for overseeing the Company’s risk management function and generally relies on the CIO, CISO, and Head of NFR CTIS to assist with assessing and managing material risks from cybersecurity threats that are applicable to the Company.
The CIO has over 30 years of experience in various engineering, information technology (“IT”), operations, and information security roles. The CISO has over 25 years of experience leading cybersecurity teams at financial institutions, including in the areas of IT strategy, risk management, and information security. The Head of NFR CTIS has over 20 years of experience in technology, security, and compliance roles, including experience in government security agencies.
The Company’s CCO has worked in the financial services industry for 19 years and has covered business developments from a compliance perspective for over 10 years, during which time the Company’s CCO has gained expertise in assessing and managing risk applicable to the Company.
Risk levels and mitigating measures are presented to and monitored by dedicated management-level cybersecurity risk committees at Morgan Stanley. These committees include representatives from Firm management as well as business and control stakeholders who review, challenge and, where appropriate, consider exceptions to the Firm’s policies and procedures. Significant cybersecurity risks are escalated from these committees to Morgan Stanley’s Non-Financial Risk Committee. The CIO and the Head of NFR CTIS report on the status of Morgan Stanley’s Cybersecurity Program, including significant cybersecurity risks; review metrics related to the program; and discuss the status of regulatory and remedial actions and incidents to the Firm Risk Committee, the BOTC and the MS Board. To the extent any cybersecurity incidents relate to the Company, the status of such incidents and remedial actions will be reported to our Board.
Board oversight of risks from cybersecurity threats
Our Board provides strategic oversight on cybersecurity matters, including risks associated with cybersecurity threats. Our Board receives periodic updates from the CCO of the Company, the CIO/CISO and/or Operational Risk functions, regarding the overall state of Morgan Stanley’s Cybersecurity Program, information on the current threat landscape, and risks from cybersecurity threats and cybersecurity incidents impacting the Company. Material cybersecurity risks are addressed by Morgan Stanley management-level ERM committees with escalation to the BOTC and Board, as appropriate.
The BOTC has primary responsibility for assisting the Morgan Stanley board in its oversight of significant operational risk exposures of the Firm and its business units, including IT, information security, fraud, third-party oversight, business disruption and resilience, and cybersecurity risks (including review of cybersecurity risks against established risk management methodologies) and the steps management has taken to monitor and control such exposures. In accordance with its charter, the BOTC receives quarterly reports from (i) Technology, including the CIO or the CISO; (ii) Operations; and (iii) NFR. Such reporting includes updates on Morgan Stanley’s Cybersecurity Program, risks from cybersecurity threats, our programs to address and mitigate the risks associated with the evolving cybersecurity threat environment, and NFR’s assessment of cybersecurity risks. Senior officers in Technology and NFR also provide an annual report to the BOTC on the status of Morgan Stanley’s broader information security program in compliance with the Gramm-Leach-Bliley Act, which includes a discussion of risks arising from cybersecurity threats. At least annually, senior management representatives in Technology and NFR discuss the status of the Cybersecurity Program and key cybersecurity risks with the Morgan Stanley board and, in accordance with such board’s Corporate Governance Policies, all board members are invited to attend BOTC meetings and have access to meeting materials. The BOTC, which meets at least quarterly, also reviews and approves significant policies related to cybersecurity, receives an annual independent assessment of key aspects of Morgan Stanley’s Cybersecurity Program from an independent third party and holds joint meetings with the BAC and BRC, as necessary and appropriate. 
The chair of the BOTC regularly discusses cybersecurity developments with senior Morgan Stanley management and reports to the Morgan Stanley board on cybersecurity risks and threats and other related matters.
Assessment of Cybersecurity Risk
The potential impact of risks from cybersecurity threats on the Company are assessed on an ongoing basis, and how such risks could materially affect the Company’s business strategy, operational results, and financial condition are regularly evaluated. During the fiscal year ended December 31, 2024, the Company has not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that the Company believes have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, operational results, and financial condition.
Company Information
Name | North Haven Private Income Fund A LLC |
CIK | 0001973476 |
SIC Description | |
Ticker | |
Website | |
Category | Emerging growth company |
Fiscal Year End | December 30 |