Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity Risk Management and Strategy

 

The Trust does not have any officers, directors or employees. The Sponsor, a subsidiary of BlackRock, is responsible for the oversight and overall management of the Trust. The Sponsor relies on BlackRock’s ERM framework for the Trust’s cybersecurity risk management and strategy. Key aspects of the ERM framework are summarized below. The board of directors of the Sponsor (the “Board of Directors”) periodically receives reports from BlackRock regarding BlackRock’s cybersecurity program.

 

As of December 31, 2024, cybersecurity risks have not materially affected the Trust’s objective, results of operations or financial condition.

 

BlackRock’s Enterprise Risk Management Framework

 

BlackRock recognizes the importance of identifying, assessing, and managing material risks associated with cybersecurity threats. Cybersecurity represents an important component of BlackRock’s approach to ERM. BlackRock leverages a multi-lines-of-defense model with cybersecurity operational processes executed by global information security and other teams and dedicated internal audit technology and technology risk management (“TRM”) teams that independently review technology risks. BlackRock’s cybersecurity program is fully integrated into its ERM framework and is aligned with recognized frameworks, including NIST CSF, FFIEC CAT, FedRAMP, SOC 1/2, ISO 27001/2 and others. BlackRock aims to inform and continuously improve its cybersecurity program through engagement with regulatory, client, insurer, vendor, partner, peer, government and industry organizations and associations, as well as external audit, technology risk, information security and other assessments.

 

BlackRock seeks to address cybersecurity risks through a global, multilayered strategy of control programs that is designed to preserve the confidentiality, integrity and availability of the information that BlackRock collects and stores by identifying, preventing and mitigating cybersecurity threats and incidents. As one of the critical elements of BlackRock’s overall ERM framework, BlackRock’s cybersecurity program is focused on the following key areas:

 

 

Governance: As discussed in more detail under the heading “BlackRock’s Cybersecurity Governance” below, the oversight by BlackRock’s board of directors (“BlackRock’s Board”) of cybersecurity risk management is supported by BlackRock’s Risk Committee, which regularly interacts with BlackRock’s risk management function, BlackRock’s Chief Risk Officer (“CRO”) and Chief Information Security Officer (“CISO”), along with other members of management. In addition, technology and cybersecurity risks are formally overseen by a dedicated management risk governance committee, the Technology Risk and Cybersecurity Committee (“TRCC”), which is a sub-committee of the firmwide Enterprise Risk Committee (“ERC”).

 

 

Cross-Functional Approach: BlackRock has implemented a global, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing layered preventative, detective, reactive and recovery controls to identify and manage cybersecurity risks.

 

 

Safeguards: BlackRock deploys a range of people, process and technical controls that are designed to protect BlackRock’s information systems from cybersecurity threats, which may include, among others: physical security controls; perimeter controls, including technical assessments, firewalls, network segregation, intrusion detection and prevention; tabletop exercises, ongoing vulnerability and patch management; vendor due diligence; multi-factor authentication; device encryption; application security, code testing and penetration testing; endpoint security, including anti‑malware protection, threat intel and response, managed detection and response, security configuration management, portable storage device lockdown, restricted administrative privileges; employee awareness, training, and phishing testing; data loss prevention program and monitoring; information security incident reporting and monitoring; and layered and comprehensive access controls.

 

 

Incident Response and Recovery Planning: BlackRock has established and maintains incident response and recovery plans that address BlackRock’s response to a cybersecurity incident, including processes designed to assess, escalate, contain, investigate and remediate the incident, as well as to comply with applicable legal obligations and mitigate potential reputational damage. Such plans are evaluated on a periodic basis.

 

 

Third-Party Risk Management: BlackRock maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, counterparties and clients, as well as the systems of third parties that could significantly and adversely impact BlackRock’s business in the event of a cybersecurity incident affecting those third-party systems. Third-party risks are included within BlackRock’s ERM framework, and risk identification and mitigation are supported by BlackRock’s cybersecurity program. BlackRock also performs diligence on certain third parties and monitors cybersecurity threats and risks identified through such diligence.

 

 

Education and Awareness: BlackRock’s employees and contractors are required to complete an annual information security training to equip them with effective tools to address cybersecurity threats, and to receive communications on BlackRock’s evolving information security policies and procedures.

 

BlackRock’s global information security team, in collaboration with the technology risk and internal audit teams, engages in the periodic assessment and testing of BlackRock’s cyber risks and cybersecurity program. These efforts may include a wide range of activities, including audits, assessments, wargames and “tabletop” exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. BlackRock also participates in financial services industry and government forums in an effort to improve both internal and sector cybersecurity defense. BlackRock regularly engages third parties and advisors to assess its cybersecurity control environment. The results of certain program and control assessments are reported to BlackRock’s Risk Committee, and BlackRock adjusts its cybersecurity program as appropriate based on the information provided by these assessments.

 

As of December 31, 2024, cybersecurity risks have not materially affected BlackRock’s business strategy, results of operations or financial condition.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] BlackRock seeks to address cybersecurity risks through a global, multilayered strategy of control programs that is designed to preserve the confidentiality, integrity and availability of the information that BlackRock collects and stores by identifying, preventing and mitigating cybersecurity threats and incidents.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

BlackRock’s Cybersecurity Governance

 

BlackRock’s Board is actively engaged in the oversight of BlackRock’s risk management program. BlackRock’s Risk Committee assists BlackRock’s Board with its oversight of BlackRock’s levels of risk, risk assessment, risk management and related policies and processes, including risks arising from cybersecurity threats. BlackRock’s Risk Committee receives regular reports on BlackRock’s cybersecurity program, technology resilience risk management and related developments from members of our information security team, including the CISO. BlackRock’s Board and BlackRock’s Risk Committee also receive information regarding cybersecurity incidents that meet certain reporting thresholds. On an annual basis, senior members of BlackRock’s technology, risk and information security teams provide a comprehensive overview of BlackRock’s cyber risk and related programs to a joint session of BlackRock’s Board’s Risk and Audit Committees.

 

Technology and cybersecurity risks at BlackRock are also overseen by the TRCC, a dedicated management risk governance committee and sub‑committee of the firmwide ERC. The chair of the TRCC is appointed by the head of Enterprise Risk Management at BlackRock and its members include the CISO as well as a broad range of senior business stakeholders across BlackRock. The TRCC is responsible for oversight of BlackRock’s technology and cybersecurity risk management practices and helps ensure that technology and cybersecurity risks remain within firmwide risk tolerances and technology and cybersecurity risk issues are escalated as appropriate to the ERC and other committees. The TRCC also reviews any relevant technology and cybersecurity risk related issues and helps ensure that they are appropriately escalated, reported, and remediated.

 

BlackRock’s cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by BlackRock’s CISO. As of December 31, 2024, the CISO had over 30 years of experience in information technology with a 25-year concentration in information security, including previously serving as the CISO at several global financial institutions, and held the Certified Information Systems Security Professional certification. The CISO works closely with the leadership team and other subject matter experts in the global cybersecurity group, who collectively have extensive prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and overseeing cybersecurity controls in technology risk and audit functions, as well as having relevant degrees and industry-leading certifications.

 

The CISO and members of the TRCC monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management processes described above, including the operation of BlackRock’s incident response plan.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] BlackRock’s Board is actively engaged in the oversight of BlackRock’s risk management program. BlackRock’s Risk Committee assists BlackRock’s Board with its oversight of BlackRock’s levels of risk, risk assessment, risk management and related policies and processes, including risks arising from cybersecurity threats. BlackRock’s Risk Committee receives regular reports on BlackRock’s cybersecurity program, technology resilience risk management and related developments from members of our information security team, including the CISO. BlackRock’s Board and BlackRock’s Risk Committee also receive information regarding cybersecurity incidents that meet certain reporting thresholds. On an annual basis, senior members of BlackRock’s technology, risk and information security teams provide a comprehensive overview of BlackRock’s cyber risk and related programs to a joint session of BlackRock’s Board’s Risk and Audit Committees.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Technology and cybersecurity risks at BlackRock are also overseen by the TRCC, a dedicated management risk governance committee and sub‑committee of the firmwide ERC. The chair of the TRCC is appointed by the head of Enterprise Risk Management at BlackRock and its members include the CISO as well as a broad range of senior business stakeholders across BlackRock. The TRCC is responsible for oversight of BlackRock’s technology and cybersecurity risk management practices and helps ensure that technology and cybersecurity risks remain within firmwide risk tolerances and technology and cybersecurity risk issues are escalated as appropriate to the ERC and other committees. The TRCC also reviews any relevant technology and cybersecurity risk related issues and helps ensure that they are appropriately escalated, reported, and remediated.
Cybersecurity Risk Role of Management [Text Block] The TRCC is responsible for oversight of BlackRock’s technology and cybersecurity risk management practices and helps ensure that technology and cybersecurity risks remain within firmwide risk tolerances and technology and cybersecurity risk issues are escalated as appropriate to the ERC and other committees.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The CISO and members of the TRCC monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management processes described above, including the operation of BlackRock’s incident response plan.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] BlackRock’s cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by BlackRock’s CISO. As of December 31, 2024, the CISO had over 30 years of experience in information technology with a 25-year concentration in information security, including previously serving as the CISO at several global financial institutions, and held the Certified Information Systems Security Professional certification. The CISO works closely with the leadership team and other subject matter experts in the global cybersecurity group, who collectively have extensive prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and overseeing cybersecurity controls in technology risk and audit functions, as well as having relevant degrees and industry-leading certifications.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] BlackRock’s Risk Committee receives regular reports on BlackRock’s cybersecurity program, technology resilience risk management and related developments from members of our information security team, including the CISO. BlackRock’s Board and BlackRock’s Risk Committee also receive information regarding cybersecurity incidents that meet certain reporting thresholds.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true