MSC INCOME FUND, INC. 10-K Cybersecurity GRC - 2025-03-20

Page last updated on March 20, 2025

MSC INCOME FUND, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-20 11:38:14 EDT.

Filings

10-K filed on 2025-03-20

MSC INCOME FUND, INC. filed a 10-K at 2025-03-20 11:38:14 EDT
Accession Number: 0001535778-25-000073

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Main Street and our Adviser maintain, and routinely review and evaluate their and the Company’s information technology (“IT”) and cybersecurity policies, practices and procedures (the “Cybersecurity Program”), which includes processes for assessing, identifying and managing material risks from cybersecurity threats. The Cybersecurity Program has various policies and procedures including a Cyber Incident Response Plan as part of Main Street’s Crisis Management Plan. The Cybersecurity Program is administered by Main Street’s IT Manager, who is managed on a day-to-day basis by Main Street’s General Counsel and overseen by Main Street’s IT Steering Committee consisting of Main Street’s Chief Executive Officer, Main Street’s Chief Operating Officer and Main Street’s General Counsel. Main Street’s General Counsel also serves as the crisis response team leader in connection with any material cybersecurity incident under the Cyber Incident Response Plan, with Main Street’s Chief Operating Officer and Main Street’s IT Manager also included on the crisis response team. Main Street and our Adviser also utilize the services of IT and cybersecurity advisers, consultants and experts in the evaluation and periodic testing of Main Street’s IT and cybersecurity systems, to recommend improvements to the Cybersecurity Program and in connection with any cybersecurity incident. Main Street’s IT Manager has over 10 years of experience advising on and managing risks from cybersecurity threats as well as developing and implementing cybersecurity systems, policies and procedures. Main Street’s General Counsel has served in his oversight function as General Counsel for over 16 years and previously as Main Street’s Chief Compliance Officer for over 12 years, during which time he has gained expertise in assessing and managing risk applicable to the Company. Similarly, each of Main Street’s Chief Executive Officer and our Main Street’s Chief Operating Officer have served in various executive management roles at the Company and, in the case of our Main Street’s Chief Operating Officer, other publicly traded organizations, involving extensive oversight and management of risks, including cybersecurity related risks, for over 20 years . As part of our overall risk management process, our management engages at least annually in an enterprise risk management review and evaluation, during which management reviews the principal risks relating to our business and operations. Included in this process is a review and evaluation of our risks relating to the Cybersecurity Program. Additionally, as part of our Rule 38a-1 compliance program, we review at least annually the compliance policies and procedures of our key service providers, including our Adviser and Main Street, including documentation discussing each service providers’ information security and privacy controls. Any failure in our or our key service providers’ cybersecurity systems could have a material impact on our operating results. See Item 1A. Risk Factors - General Risk Factors - The failure in cybersecurity systems, as well as the occurrence of events unanticipated in our and our Adviser’s disaster recovery systems and management continuity planning could impair our ability to conduct business effectively. Our Board as a whole has responsibility for the Company’s risk oversight, with reviews of certain areas being conducted by the relevant Board committees that report on their deliberations to the full Board. The oversight responsibility of the Board and its committees is enabled by management reporting processes that are designed to provide visibility to the Board about the identification, assessment and management of critical risks and management’s risk mitigation strategies. Oversight of risks relating to IT and cybersecurity has been delegated by our Board to its Audit Committee. The Audit Committee includes members of the Board who, in addition to each being designated as an “audit committee financial expert,” possess backgrounds and experience which we believe enable them to provide effective oversight of our IT and cybersecurity risks. Our management routinely reports to the Audit Committee on the status of the Cybersecurity Program and material risks from cybersecurity threats at the Audit Committee’s quarterly meetings. Such reports generally 42 Table of contents detail any testing, observations or developments concerning the Cybersecurity Program that occurred during the prior quarter. The results of periodic testing related to the Cybersecurity Program are also described in the Chief Compliance Officer’s annual report to the Board, provided pursuant to Rule 38a-1 under the 1940 Act. The crisis response team leader also collaborates with the Audit Committee chair to ensure that the Board is apprised of any material cybersecurity incident. During the reporting period, the Company has not identified any impacts from cybersecurity threats, including as a result of previous cybersecurity incidents, that the Company believes have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, operational results and financial condition.

Company Information