|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. CYBERSECURITY
As an externally managed company, our day-to-day operations are managed by our Adviser and our executive officers under the oversight of our board of directors. Our executive officers are senior professionals of our Adviser and our Adviser is a subsidiary of J.P. Morgan. As such, we are reliant on J.P. Morgan for assessing, identifying and managing material risks to our business from cybersecurity threats.
Overview
Cybersecurity risk is an important and continuously evolving focus for us, the Adviser, J.P. Morgan, and its affiliates. Significant resources are devoted to protecting and enhancing the security of computer systems, software, networks, storage devices, and other technology. The Adviser’s security efforts are designed to protect against, among other things, cybersecurity attacks that can result in unauthorized access to confidential information, the destruction of data, disruptions to or degradation of service, sabotaging systems or other damage.
The Adviser, J.P. Morgan, and its affiliates have experienced, and expect to continue to experience, a higher volume and complexity of cyber attacks against the backdrop of heightened geopolitical tensions. J.P. Morgan has implemented measures and controls reasonably designed to address this evolving environment, including enhanced threat monitoring. In addition, J.P. Morgan continues to review and enhance its capabilities to address associated risks, such as those relating to the management of administrative access to systems.
Third parties with which we, the Adviser, J.P. Morgan and its affiliates do business, that facilitate our, the Adviser’s, J.P. Morgan’s, and its affiliates’ business activities (e.g., vendors, supply chain, exchanges, clearing houses, central depositories, and financial intermediaries) or that J.P. Morgan has acquired are also sources of cybersecurity risk to us. Third party incidents such as system breakdowns or failures, misconduct by the employees of such parties, or cyber attacks, including ransomware and supply-chain compromises, could have a material adverse effect on J.P. Morgan, including in circumstances in which an affected third party is unable to deliver a product or service to us or the Adviser, where the incident delivers compromised software to J.P. Morgan or results in lost or compromised information of J.P. Morgan or its clients or customers.
Clients and customers are also sources of cybersecurity risk to us, the Adviser, J.P. Morgan and its affiliates and its information assets, particularly when their activities and systems are outside of J.P. Morgan’s own security and control systems. J.P. Morgan engages in periodic discussions with its clients, customers and other external parties concerning cybersecurity risks including opportunities to improve cybersecurity.
Risks from cybersecurity threats, including any previous cybersecurity events, have not materially affected us or our business strategy, results of operations or financial condition. Notwithstanding the comprehensive approach that J.P. Morgan takes to address cybersecurity risk, J.P. Morgan may not be successful in preventing or mitigating a future cybersecurity incident that could have a material adverse effect on us, the Adviser, J.P. Morgan or its affiliates or its business strategy, results of operations or financial condition.
Organization and Management
The Global Chief Information Security Officer (“CISO”) reports to the Global Chief Information Officer, and is a member of key cybersecurity governance forums. The CISO leads the Global Cybersecurity and Technology Controls organization, which is responsible for identifying technology and cybersecurity risks and for implementing and maintaining controls to manage cybersecurity threats. The CISO and the members of senior management within Global Technology and the Cybersecurity and Technology Controls organizations all have relevant expertise and experience in cybersecurity and information technology risk management, including relevant experience at J.P. Morgan, at other financial services companies or in other highly-regulated industries.
The CISO is responsible for J.P. Morgan’s Information Security Program, which is designed to prevent, detect and respond to cyber attacks in order to help safeguard the confidentiality, integrity and availability of J.P. Morgan’s infrastructure, resources and information. The program includes managing J.P. Morgan’s global cybersecurity operations centers, providing training, conducting cybersecurity event simulation exercises, implementing J.P. Morgan’s policies and standards relating to technology risk and cybersecurity management, and enhancing, as needed, J.P. Morgan’s cybersecurity capabilities.
J.P. Morgan’s Information Security Program includes the following functions:
•
Cyber Operations, which is responsible for implementing and maintaining controls designed to detect and defend us, the Adviser, J.P. Morgan, and its affiliates against cyber attacks, and includes a dedicated function for incident response and ongoing monitoring for cybersecurity threats and vulnerabilities, including those among our, the Adviser's, J.P. Morgan's and its affiliates' third-party suppliers.
•
Technology Governance, Risk & Controls, which is responsible for operationalizing technology risk and control frameworks, analyzing regulatory developments that may impact J.P. Morgan, and developing control catalogs and assessments of controls, as well as overseeing governance and reporting of technology and cybersecurity risk.
•
Security Awareness, which provides awareness and training that reinforces information risk and security management practices and compliance with J.P. Morgan 's policies, standards and practices. The training is mandatory for all employees globally on a periodic basis, and it is supplemented by firmwide testing initiatives, including periodic phishing tests. J.P. Morgan also provides specialized security training to employees in specific roles, such as application developers. J.P. Morgan’s Global Privacy Program requires all employees to take periodic training on data privacy that focuses on confidentiality and security, as well as responding to unauthorized access to or use of information.
•
Technology Resiliency, which establishes control requirements for planning and testing the prioritized recovery of technology services in the event of degradation or outage, including incident response planning, data backup and retention, and recovery readiness in support of the J.P. Morgan’s Business Resiliency Program and operational risk management practices.
J.P. Morgan has a cybersecurity incident response plan designed to enable J.P. Morgan to respond to attempted cybersecurity incidents, coordinate as appropriate with law enforcement and other government agencies, notify clients and customers, as applicable, and recover from such incidents. In addition, J.P. Morgan actively partners with appropriate government and law enforcement agencies and peer industry forums, participating in discussions and simulations to assist in understanding the full spectrum of cybersecurity risks and in enhancing defenses and improving resiliency in J.P. Morgan’s operating environment.
Governance and Oversight
The governance structure for the Global Cybersecurity and Technology Controls organization is designed to appropriately identify, escalate and mitigate cybersecurity risks. Cybersecurity risk management and its governance and oversight are integrated into J.P. Morgan’s operational risk management framework, including through the escalation of key risk and control issues to management and the development of risk mitigation plans for heightened risk and control issues. Independent Risk Management (“IRM”) independently assesses and challenges the activities and risk management practices of the Global Cybersecurity and Technology Controls organization related to the identification, assessment, measurement and mitigation of cybersecurity risk. As needed, J.P. Morgan engages third-party assessors or auditing firms with industry-recognized expertise on cybersecurity matters to review specific aspects of J.P. Morgan’s cybersecurity risk management framework, processes and controls.
The governance and oversight for cybersecurity risk management includes governance forums that inform management of key areas of concern regarding the prevention, detection, mitigation and remediation of cybersecurity risks.
The Cybersecurity and Technology Controls Operating Committee (“CTOC”) is the principal management committee that oversees J.P. Morgan’s assessment and management of cybersecurity risk, including oversight of the implementation and maintenance of appropriate controls in support of J.P. Morgan’s Information Security Program. The membership of the CTOC includes senior representatives from the Global Cybersecurity and Technology Controls organization and relevant corporate functions, including IRM and Internal Audit.
The CTOC escalates key operational risk and control issues, as appropriate, to the Global Technology Operating Committee (“GTOC”) or its business control committee or to the appropriate LOB and Corporate Control Committees. The GTOC is responsible for the governance of the firmwide Global Technology organization, including oversight of firmwide technology strategies, the delivery of technology and technology operations, the effective use of information technology resources, and monitoring and resolving key operational risk and control matters arising in the Global Technology organization.
Our board of directors is ultimately responsible for the oversight of risks from cybersecurity threats and has delegated responsibility for such oversight of cybersecurity matters to the audit committee. J.P. Morgan’s Cybersecurity Team provides our audit committee with updates, at least semi-annually, concerning cybersecurity risk matters. These updates generally include information regarding cybersecurity and technology developments, J.P. Morgan’s Information Security Program and recommended changes to that program, cybersecurity policies and practices, and ongoing initiatives to improve information security, as well as any significant cybersecurity incidents and the Adviser’s and J.P. Morgan’s efforts to address those incidents.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Cybersecurity risk management and its governance and oversight are integrated into J.P. Morgan’s operational risk management framework, including through the escalation of key risk and control issues to management and the development of risk mitigation plans for heightened risk and control issues.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Cybersecurity and Technology Controls Operating Committee (“CTOC”) is the principal management committee that oversees J.P. Morgan’s assessment and management of cybersecurity risk, including oversight of the implementation and maintenance of appropriate controls in support of J.P. Morgan’s Information Security Program. The membership of the CTOC includes senior representatives from the Global Cybersecurity and Technology Controls organization and relevant corporate functions, including IRM and Internal Audit.
The CTOC escalates key operational risk and control issues, as appropriate, to the Global Technology Operating Committee (“GTOC”) or its business control committee or to the appropriate LOB and Corporate Control Committees. The GTOC is responsible for the governance of the firmwide Global Technology organization, including oversight of firmwide technology strategies, the delivery of technology and technology operations, the effective use of information technology resources, and monitoring and resolving key operational risk and control matters arising in the Global Technology organization.
Our board of directors is ultimately responsible for the oversight of risks from cybersecurity threats and has delegated responsibility for such oversight of cybersecurity matters to the audit committee. J.P. Morgan’s Cybersecurity Team provides our audit committee with updates, at least semi-annually, concerning cybersecurity risk matters. These updates generally include information regarding cybersecurity and technology developments, J.P. Morgan’s Information Security Program and recommended changes to that program, cybersecurity policies and practices, and ongoing initiatives to improve information security, as well as any significant cybersecurity incidents and the Adviser’s and J.P. Morgan’s efforts to address those incidents.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Cybersecurity and Technology Controls Operating Committee (“CTOC”) is the principal management committee that oversees J.P. Morgan’s assessment and management of cybersecurity risk, including oversight of the implementation and maintenance of appropriate controls in support of J.P. Morgan’s Information Security Program.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our board of directors is ultimately responsible for the oversight of risks from cybersecurity threats and has delegated responsibility for such oversight of cybersecurity matters to the audit committee. J.P. Morgan’s Cybersecurity Team provides our audit committee with updates, at least semi-annually, concerning cybersecurity risk matters. These updates generally include information regarding cybersecurity and technology developments, J.P. Morgan’s Information Security Program and recommended changes to that program, cybersecurity policies and practices, and ongoing initiatives to improve information security, as well as any significant cybersecurity incidents and the Adviser’s and J.P. Morgan’s efforts to address those incidents.
|Cybersecurity Risk Role of Management [Text Block]
|
The Global Chief Information Security Officer (“CISO”) reports to the Global Chief Information Officer, and is a member of key cybersecurity governance forums. The CISO leads the Global Cybersecurity and Technology Controls organization, which is responsible for identifying technology and cybersecurity risks and for implementing and maintaining controls to manage cybersecurity threats. The CISO and the members of senior management within Global Technology and the Cybersecurity and Technology Controls organizations all have relevant expertise and experience in cybersecurity and information technology risk management, including relevant experience at J.P. Morgan, at other financial services companies or in other highly-regulated industries.
The CISO is responsible for J.P. Morgan’s Information Security Program, which is designed to prevent, detect and respond to cyber attacks in order to help safeguard the confidentiality, integrity and availability of J.P. Morgan’s infrastructure, resources and information. The program includes managing J.P. Morgan’s global cybersecurity operations centers, providing training, conducting cybersecurity event simulation exercises, implementing J.P. Morgan’s policies and standards relating to technology risk and cybersecurity management, and enhancing, as needed, J.P. Morgan’s cybersecurity capabilities.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
The Cybersecurity and Technology Controls Operating Committee (“CTOC”) is the principal management committee that oversees J.P. Morgan’s assessment and management of cybersecurity risk, including oversight of the implementation and maintenance of appropriate controls in support of J.P. Morgan’s Information Security Program. The membership of the CTOC includes senior representatives from the Global Cybersecurity and Technology Controls organization and relevant corporate functions, including IRM and Internal Audit.The CTOC escalates key operational risk and control issues, as appropriate, to the Global Technology Operating Committee (“GTOC”) or its business control committee or to the appropriate LOB and Corporate Control Committees.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The membership of the CTOC includes senior representatives from the Global Cybersecurity and Technology Controls organization and relevant corporate functions, including IRM and Internal Audit. The CTOC escalates key operational risk and control issues, as appropriate, to the Global Technology Operating Committee (“GTOC”) or its business control committee or to the appropriate LOB and Corporate Control Committees.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Cybersecurity and Technology Controls Operating Committee (“CTOC”) is the principal management committee that oversees J.P. Morgan’s assessment and management of cybersecurity risk, including oversight of the implementation and maintenance of appropriate controls in support of J.P. Morgan’s Information Security Program. The membership of the CTOC includes senior representatives from the Global Cybersecurity and Technology Controls organization and relevant corporate functions, including IRM and Internal Audit.The CTOC escalates key operational risk and control issues, as appropriate, to the Global Technology Operating Committee (“GTOC”) or its business control committee or to the appropriate LOB and Corporate Control Committees.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef