Varagon Capital Corp 10-K Cybersecurity GRC - 2025-03-21

Page last updated on March 21, 2025

Varagon Capital Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-21 16:53:25 EDT.

Filings

10-K filed on 2025-03-21

Varagon Capital Corp filed a 10-K at 2025-03-21 16:53:25 EDT
Accession Number: 0000950170-25-043295

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy The Company’s cybersecurity program is designed to identify, assess, and manage material risks from cybersecurity threats. The Company’s business depends on the communications and information technology systems that it shares with Man Group, which has a majority interest in Varagon, the parent company of the Adviser. The Company also relies on the cybersecurity policies and procedures implemented by Man Group. Man Group has processes in place for assessing, identifying, and managing material risks from potential unauthorized occurrences on or through our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the information residing on those systems. These include a wide variety of controls, processes, systems, and tools that are designed to prevent, detect, or mitigate data loss, theft, misuse, unauthorized access, or other security incidents or vulnerabilities affecting our data. Pursuant to Man Group’s Information Security Policy (the “Information Security Policy”) and Man Group Cybersecurity Policy (“the “Cybersecurity Policy”), the Man Group’s Information Security team and the Chief Information Security Officer (’the “CISO”) are responsible for the ongoing and regular monitoring of the Information Security Policy and the Cybersecurity Policy to ensure that they are operating in a manner reasonably calculated to prevent unauthorized access to, or unauthorized use of, non-public information. Man Group has engaged and may engage, from time to time, assessors, consultants, auditors, or other third parties to assist with assessing, identifying, and managing cybersecurity risks, subject to the continued oversight of Man Group. The CISO and man Group’s Information Security team are responsible for identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing non-public information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including those pertaining to the Company. Additionally, Man Group uses systems and processes designed to reduce the impact of a security incident at a third-party service provider. As part of its risk management process, Man Group also maintains a cyber incident response plan that provides guidance for assessing cybersecurity incidents and is utilized when cybersecurity incidents impacting the Company or the Adviser are detected. Man Group also requires that all employees, including employees of the Adviser, complete periodic information security training, including new hire training, regular compliance training, and periodic informal training pertaining on specific areas of concern. Material Impact of Cybersecurity Risks As of the date of this Annual Report on Form 10-K, the Company is not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. However, future incidents could have a material impact on its business. Additional information about cybersecurity risks the Company faces is described in Item 1A of Part I, “Risk Factors,” under the heading “Cybersecurity Risks,” which should be read in conjunction with the information above. Governance The Company’s cybersecurity risks and associated mitigations are evaluated by the Company’s management and the CISO periodically, but no less frequently than annually. Management and representatives of Varagon and Man Group periodically report to the Board on information security and cybersecurity matters. Reports include, among other things, the overall state of the Company’s cybersecurity program, information on the current threat landscape, oversight of third-party service providers and related cybersecurity threats, and management’s evaluation of material cybersecurity risks to the Company. 61 TABLE OF CONTENTS

Company Information