|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The Company, the Advisor and StepStone Group are affiliates of StepStone Group Inc., a Delaware corporation listed on the Nasdaq Stock Market LLC and whose securities are registered with the SEC pursuant to Section 12(b) of the Exchange Act. In general, the Company relies upon the information systems and other enterprise services provided by StepStone Group Inc. and its subsidiaries, including StepStone Group and the Advisor (together, “STEP”).
STEP maintains a cybersecurity program that is reasonably designed to protect the Company’s information, and that of the Company’s portfolio companies and investors, against cybersecurity threats that may result in significant adverse effects on the confidentiality, integrity, and availability of the information systems of STEP and its affiliates.
Governance.
Board of Directors
The Board of Directors of StepStone Group Inc. (“STEP Board”) oversees STEP’s processes for assessing and managing risk. The STEP Board’s Audit Committee is responsible for reviewing and discussing STEP’s practices with respect to risk assessment and risk management, and risks related to matters, including information technology and cybersecurity. The STEP Board and Audit Committee regularly review the measures implemented by STEP to identify and mitigate risks from cybersecurity threats. As part of such reviews, the STEP Board and Audit Committee receive reports and presentations from those responsible for overseeing STEP’s cybersecurity risk management, including the Partner, Head of Information Technology & CISO (“Head of IT”) and STEP’s Legal team, which may address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to STEP’s peers, industry participants, service providers and other third parties. The Head of IT also periodically presents to the STEP Board and its Audit Committee, including to describe STEP’s information security infrastructure and improvements made, and to report on any significant developments in respect to STEP. From time to time, external legal advisers provide education to the STEP Board and/or Audit Committee in respect of information security related developments and to provide training in respect of directors’ responsibilities.
At the Company level, the Company’s Board oversees and monitors enterprise risk management at the Company, including with respect to cybersecurity and information security risk. The Company’s Board and disclosure review team are expected to receive periodic reports and updates from the Head of IT, as applicable in the context of risks from cybersecurity threats that may impact the Company. STEP has a framework under which certain cybersecurity incidents are escalated within the Company and STEP and, where appropriate, reported to the Company Board, STEP Board or Audit Committee in a timely manner.
Management
STEP has a cybersecurity working group composed of members of the Information Technology (including Information Security), Legal and Compliance departments, including the Head of IT, the Chief Legal Officer of STEP, the Chief Compliance Officer of STEP, and a number of their respective team members. The working group meets regularly to identify and mitigate data protection and cybersecurity risks, implement information security governance mechanisms, discuss developments in information security, and discuss and action any significant cyber incidents relevant to STEP, and its affiliates, including the Company. The working group is expected to escalate matters of significance to STEP’s Incident Response Team, ERMC (defined below) and/or the STEP Disclosure Committee, as well as to the Company’s disclosure review team, as appropriate.
STEP has adopted an Incident Response Plan (“IRP”) that applies in the event of a cybersecurity threat or incident, including those that impact the Company, to provide a standardized framework for responding to security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate, including stakeholders at the Company, as relevant. In general, STEP’s incident response process leverages the NIST framework and focuses on four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation. The IRP applies to all STEP personnel and STEP networks and systems, third-party systems and end-user devices, including those of the Advisor and those relied upon by the Company.
In addition, STEP has an Enterprise Risk Management Committee (“ERMC”) composed of a number of members of senior management from operations across STEP’s businesses, legal, compliance, information technology, finance, human resources and internal audit and risk. The ERMC was established to oversee and ensure the efficient and effective management of STEP’s enterprise risks. Cybersecurity and significant information security matters are to be brought before the ERMC or certain of its members, and matters of primary significance are to be further escalated and reported to the StepStone Global Executive Committee and the Audit Committee of the STEP Board and the Company’s Board, as appropriate.
At the management level, the STEP Head of IT, who has extensive cybersecurity knowledge and skills gained from over 20 years of work experience at STEP and elsewhere, heads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices and reports directly to the President and Co-Chief Operating Officer of STEP. The Head of IT receives reports on cybersecurity threats from his team and external service providers on an ongoing basis and, in conjunction with management, reviews risk management measures implemented by STEP to identify and mitigate data protection and cybersecurity risks, including those applicable to the Company and the Advisor. The Head of IT works closely with the STEP Legal and Compliance departments to oversee compliance with legal, regulatory and contractual security requirements and in developing reports and presentations to the STEP Board and its Audit Committee, as well as to the Company’s Board. The Head of IT is responsible for providing regular training to STEP employees, including employees of the Advisor, in respect of information security.
Risk Management and Strategy.
STEP takes a multifaceted approach to managing risk from cybersecurity threats. STEP’s cybersecurity program leverages people, processes, and technology to identify and respond to cybersecurity threats in a timely manner. STEP’s information security program, and supporting policies apply to all employees, contractors and vendors servicing the firm, including employees of the Advisor. The program outlines the development, maintenance, and distribution of information security policies and procedures that detail the implementation and maintenance of the information security program and its safeguards, and cover various areas such as information handling, user access management, encryption, data retention and backups, computer and network security and monitoring, physical security, incident reporting and response, service provider oversight, and employee and contractor use of technology. STEP also undergoes annual SOC 1 Type 2 testing of its financial processes and supporting technical controls.
In addition to the foregoing, STEP conducts regular employee trainings on cybersecurity, which trainings apply to the Company’s officers and employees of the Advisor, and performs phishing exercises to test employees’ understanding of how to identify social engineering attacks. STEP performs diligence, including in respect of information security, of vendors and third parties with significant access to confidential information and personal data, and periodically monitors such vendors, including such vendors relied upon by the Company and the Advisor. STEP also employs systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems STEP and its affiliates use. STEP conducts annual penetration testing performed by a rotating group of third-party security firms to test STEP’s technical controls and security response. STEP’s internal audit team has also conducted a cybersecurity assessment to evaluate STEP’s preparedness against potential cyber risks and threats. In addition to its internal cybersecurity capabilities and third-party penetration testing, STEP also, at times, engages consultants or other third parties to assist with assessing, identifying, and managing cybersecurity risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors
The Board of Directors of StepStone Group Inc. (“STEP Board”) oversees STEP’s processes for assessing and managing risk. The STEP Board’s Audit Committee is responsible for reviewing and discussing STEP’s practices with respect to risk assessment and risk management, and risks related to matters, including information technology and cybersecurity. The STEP Board and Audit Committee regularly review the measures implemented by STEP to identify and mitigate risks from cybersecurity threats. As part of such reviews, the STEP Board and Audit Committee receive reports and presentations from those responsible for overseeing STEP’s cybersecurity risk management, including the Partner, Head of Information Technology & CISO (“Head of IT”) and STEP’s Legal team, which may address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to STEP’s peers, industry participants, service providers and other third parties. The Head of IT also periodically presents to the STEP Board and its Audit Committee, including to describe STEP’s information security infrastructure and improvements made, and to report on any significant developments in respect to STEP. From time to time, external legal advisers provide education to the STEP Board and/or Audit Committee in respect of information security related developments and to provide training in respect of directors’ responsibilities.
At the Company level, the Company’s Board oversees and monitors enterprise risk management at the Company, including with respect to cybersecurity and information security risk. The Company’s Board and disclosure review team are expected to receive periodic reports and updates from the Head of IT, as applicable in the context of risks from cybersecurity threats that may impact the Company. STEP has a framework under which certain cybersecurity incidents are escalated within the Company and STEP and, where appropriate, reported to the Company Board, STEP Board or Audit Committee in a timely manner.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Board of Directors of StepStone Group Inc. (“STEP Board”) oversees STEP’s processes for assessing and managing risk. The STEP Board’s Audit Committee is responsible for reviewing and discussing STEP’s practices with respect to risk assessment and risk management, and risks related to matters, including information technology and cybersecurity. The STEP Board and Audit Committee regularly review the measures implemented by STEP to identify and mitigate risks from cybersecurity threats. As part of such reviews, the STEP Board and Audit Committee receive reports and presentations from those responsible for overseeing STEP’s cybersecurity risk management, including the Partner, Head of Information Technology & CISO (“Head of IT”) and STEP’s Legal team, which may address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to STEP’s peers, industry participants, service providers and other third parties. The Head of IT also periodically presents to the STEP Board and its Audit Committee, including to describe STEP’s information security infrastructure and improvements made, and to report on any significant developments in respect to STEP. From time to time, external legal advisers provide education to the STEP Board and/or Audit Committee in respect of information security related developments and to provide training in respect of directors’ responsibilities.
At the Company level, the Company’s Board oversees and monitors enterprise risk management at the Company, including with respect to cybersecurity and information security risk. The Company’s Board and disclosure review team are expected to receive periodic reports and updates from the Head of IT, as applicable in the context of risks from cybersecurity threats that may impact the Company. STEP has a framework under which certain cybersecurity incidents are escalated within the Company and STEP and, where appropriate, reported to the Company Board, STEP Board or Audit Committee in a timely manner.
|Cybersecurity Risk Role of Management [Text Block]
|STEP has a cybersecurity working group composed of members of the Information Technology (including Information Security), Legal and Compliance departments, including the Head of IT, the Chief Legal Officer of STEP, the Chief Compliance Officer of STEP, and a number of their respective team members. The working group meets regularly to identify and mitigate data protection and cybersecurity risks, implement information security governance mechanisms, discuss developments in information security, and discuss and action any significant cyber incidents relevant to STEP, and its affiliates, including the Company. The working group is expected to escalate matters of significance to STEP’s Incident Response Team, ERMC (defined below) and/or the STEP Disclosure Committee, as well as to the Company’s disclosure review team, as appropriate.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The STEP Board’s Audit Committee is responsible for reviewing and discussing STEP’s practices with respect to risk assessment and risk management, and risks related to matters, including information technology and cybersecurity.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
At the management level, the STEP Head of IT, who has extensive cybersecurity knowledge and skills gained from over 20 years of work experience at STEP and elsewhere, heads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices and reports directly to the President and Co-Chief Operating Officer of STEP. The Head of IT receives reports on cybersecurity threats from his team and external service providers on an ongoing basis and, in conjunction with management, reviews risk management measures implemented by STEP to identify and mitigate data protection and cybersecurity risks, including those applicable to the Company and the Advisor. The Head of IT works closely with the STEP Legal and Compliance departments to oversee compliance with legal, regulatory and contractual security requirements and in developing reports and presentations to the STEP Board and its Audit Committee, as well as to the Company’s Board. The Head of IT is responsible for providing regular training to STEP employees, including employees of the Advisor, in respect of information security.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|As part of such reviews, the STEP Board and Audit Committee receive reports and presentations from those responsible for overseeing STEP’s cybersecurity risk management, including the Partner, Head of Information Technology & CISO (“Head of IT”) and STEP’s Legal team, which may address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to STEP’s peers, industry participants, service providers and other third parties. The Head of IT also periodically presents to the STEP Board and its Audit Committee, including to describe STEP’s information security infrastructure and improvements made, and to report on any significant developments in respect to STEP. From time to time, external legal advisers provide education to the STEP Board and/or Audit Committee in respect of information security related developments and to provide training in respect of directors’ responsibilities.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true