WhiteHorse Finance, Inc. 10-K Cybersecurity GRC - 2025-03-07

Page last updated on March 7, 2025

WhiteHorse Finance, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-07 07:32:29 EST.

Filings

10-K filed on 2025-03-07

WhiteHorse Finance, Inc. filed a 10-K at 2025-03-07 07:32:29 EST
Accession Number: 0001558370-25-002455


Item 1C. Cybersecurity.

WhiteHorse Finance, Inc. (the “Company,” “we,” “us,” or “our”) maintains structured processes to proactively assess, identify, manage, and mitigate material risks from cybersecurity threats. The Company’s business remains dependent on the communications and information systems of WhiteHorse Advisers, LLC (the “Investment Adviser”) and other third-party service providers. The Investment Adviser manages the Company’s day-to-day operations and has implemented a cybersecurity program that applies to the Company and its operations and is subject to periodic updates, reviews, and independent assessments.

Cybersecurity Program Overview

The Investment Adviser has instituted a cybersecurity program designed to identify, assess, and manage cyber risks applicable to the Company. The program is aligned with the NIST CSF 2.0 framework, providing a structured approach to identify, protect against, detect, respond to, and recover from cybersecurity threats. The cyber risk management program involves risk assessments, implementation of security measures, and ongoing monitoring of systems and networks, including networks on which the Company relies. In addition, the Investment Adviser actively monitors the current threat landscape to identify material risks arising from new and evolving cybersecurity threats, including material risks faced by the Company.

The Company relies on the Investment Adviser to engage external experts, including cybersecurity assessors, consultants, and auditors, to evaluate cybersecurity measures and risk management processes, including those applicable to the Company. The Company relies on the Investment Adviser’s risk management program and processes, which include cyber risk assessments.

The Company depends on and engages various third parties, including suppliers, vendors, and service providers, to operate its business. The Company, in coordination with the Investment Adviser’s risk management, legal, information technology, and compliance teams, conducts ongoing due diligence on third-party service providers (including contractual provisions and regular compliance attestations) to ensure they meet requisite cybersecurity standards. For critical vendors, the Company requires SOC 2 Type II reports or similar independent cybersecurity assessments. In lieu of these reports, vendors may provide compensating materials demonstrating the structure and management of their cybersecurity programs.

Board Oversight of Cybersecurity Risks

The board of directors of the Company (the “Board”) provides strategic oversight on cybersecurity matters, including risks associated with cybersecurity threats. The Board receives periodic updates from the Chief Information Security Officer (“CISO”) of the Investment Adviser and Chief Compliance Officer (“CCO”) of the Company regarding the overall state of the Investment Adviser’s cybersecurity program, information on the current threat landscape, and briefing on material risks from cybersecurity threats and material cybersecurity incidents impacting the Company. The full Board is collectively responsible for oversight of cybersecurity matters and is updated at every Board meeting. In these updates, the Company’s management and the Investment Adviser’s CISO provide reports on key metrics such as vulnerability scan results, third-party risk assessments, and incident response readiness. The Board also ensures its members receive periodic training or engage external advisors with cybersecurity expertise to strengthen oversight capabilities.

Management’s Role in Cybersecurity Risk Management

The Company’s management, including the Company’s CCO and the CISO of the Investment Adviser, manages the Company’s cybersecurity program, under the supervision of the Company’s Chief Executive Officer. The CCO of the Company oversees the Company’s risk management function generally and relies on the Investment Adviser’s CISO to assist with assessing and managing material risks from cybersecurity threats. The Investment Adviser’s CISO has 23 years of experience actively managing cybersecurity and information security programs for financial services companies with complex and evolving information systems. The Company’s CCO has been responsible for this oversight function as CCO of the Company for 10 years and has worked in the financial services industry for over 20 years, during which time the CCO of the Company has gained expertise in assessing and managing risks applicable to the Company.

Management of the Company, in coordination with the Investment Adviser, actively monitors cybersecurity incident prevention, detection, mitigation, and remediation efforts. The CCO of the Company and the CISO of the Investment Adviser jointly lead the incident response process and escalate incidents to the Board in accordance with established escalation protocols, typically within 48 hours after determining that a cybersecurity incident reaches materiality thresholds requiring Board notification.

Assessment of Cybersecurity Risk

The potential impact of risks from cybersecurity threats on the Company is assessed on an ongoing basis, including how such risks may materially affect the Company’s business strategy, operational results, and financial condition are regularly evaluated. Management of the Company uses both internal and external inputs, such as threat intelligence feeds, penetration test reports, and third-party cybersecurity assessments, to update these risk evaluations.

During the reporting period, the Company had not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that the Company believes have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, operational results, and financial condition. Although there have been no identified material incidents to date, Management of the Company periodically reviews even non-material incidents and near misses to evaluate risk trends and improve response processes. In the event a cybersecurity incident is deemed potentially material, the Company’s incident response plan requires immediate notification to the CCO of the Company, CISO of the Investment Adviser, and the Board, followed by regular status updates until resolution.


Company Information

Name: WhiteHorse Finance, Inc.
CIK: 0001552198
SIC Description
Ticker: WHF - Nasdaq, WHFCL - Nasdaq
Website
Category: Non-accelerated filer
Fiscal Year End: December 30