AFFILIATED MANAGERS GROUP, INC. 10-K Cybersecurity GRC - 2024-02-16

Page last updated on July 16, 2024

AFFILIATED MANAGERS GROUP, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 16:10:20 EST.

Filings

10-K filed on 2024-02-16

AFFILIATED MANAGERS GROUP, INC. filed a 10-K at 2024-02-16 16:10:20 EST
Accession Number: 0001004434-24-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Further, government and regulatory oversight of data privacy in particular has become a priority for regulators around the world, including as examples, through the EU’s General Data Protection Regulation and the California Privacy Rights Act, resulting in heightened data security and handling requirements, increased enforcement risk and fines, increased compliance costs, and expanded incident response and reporting obligations. More recently, the SEC has implemented new rules related to cybersecurity risk management for public companies and is expected to implement similar new rules for registered investment advisers, broker-dealers, and funds, which have resulted or may result, as applicable, in increased disclosure requirements, obligations to report certain cybersecurity incidents to the SEC, and liabilities related to our and our Affiliates’ technology systems and networks. Recent well-publicized security breaches at other companies have exemplified security-related vulnerabilities, and may lead to further government and regulatory scrutiny and heightened security requirements both in the U.S. and in other jurisdictions in which we and our Affiliates operate. Item 1B. Unresolved Staff Comments None. Item 1C. Cybersecurity Risk Management and Strategy We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities, and test those systems pursuant to our cybersecurity policies, processes, and practices. To protect our information systems from cybersecurity threats, we use various security tools that help us identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. We recognize the importance of protecting information assets such as the personally identifiable information of our employees, and proprietary business information regarding our Affiliates and their clients, and have adopted policies, management oversight, accountability structures, and technology processes designed to safeguard this information. All of our employees are required to attest annually to our information security policies and participate in regular security awareness training to protect their information and the AMG data and systems to which they have access. These trainings also instruct employees on how to report any potential privacy or data security issues. Our information security organization comprises internal and external resources designed to identify, protect, detect, mitigate, resolve, and recover from various threats and attacks by malicious actors. We leverage 24x7x365 monitoring tools and services to address the confidentiality, integrity, and availability of AMG assets and data. Regular internal and third-party reviews are performed on our processes and technologies to validate the effectiveness of our privacy and data security controls and safeguards. We monitor industry best practices and developments in data privacy and security, including increased scrutiny of third-party service providers with access to sensitive AMG data. We also have our own fully documented proprietary security incident response plan, with defined roles and responsibilities that address notification obligations and incident response procedures in the event of a data security breach. We are dedicated to business continuity and resiliency, and have documented strategies, policies, and procedures in place to protect employee, business, Affiliate, and Affiliate client data in the event of an emergency or natural disaster. Although we provide our Affiliates with operational autonomy in managing their businesses and may have limited involvement in the design, oversight, and maintenance of their respective technology systems and networks, we offer ongoing cybersecurity support to Affiliates through our information security program, including with respect to conducting Affiliate program assessments and assisting, as appropriate and practicable, in their identification of, and response to, an actual or suspected cybersecurity incident. Additionally, prior to any investment in a new Affiliate, we conduct a diligence review of its information security program. We work with third-party service providers to proactively assess our information security program and provide us with an industry view of the cyberthreat landscape, in addition to monitoring and supporting our control environment and breach notification and response processes. As of the date of this Annual Report on Form 10-K, cybersecurity threats have not materially affected and we believe are not reasonably likely to materially affect AMG, including our business strategy, results of operations, or financial condition. Refer to the risk factor captioned “Failure to maintain and properly safeguard an adequate technology infrastructure may limit our or our Affiliates’ growth, result in losses or disrupt our or our Affiliates’ businesses” in Part I, Item 1A. “Risk Factors” for more information regarding cybersecurity risks and potential related impacts on AMG. Governance We have a formal information security program, designed to develop and maintain privacy and data security practices to protect AMG assets and sensitive third-party information, including personal and Affiliate information. This program is governed by a committee comprising members of senior management, including our Chief Information Officer (“CIO”), which meets regularly and reports to the Board of Directors at least annually (the “Information Security Governance Committee”). Members of the Information Security Governance Committee oversee communications with the Board of Directors regarding material cybersecurity incidents and provide the Board with a summary of risks from current cybersecurity threats on a regular basis, as well as updates on management’s information security program oversight and maintenance activities, and any material changes to AMG’s information security practices and procedures. The Board of Directors is also regularly provided with cybersecurity educational sessions, including perspectives from external advisors that are invited to present on current cybersecurity topics. We take a risk-based approach to cybersecurity and have implemented policies throughout our operations that are designed to address cybersecurity threats and our response to actual or suspected incidents. In particular, the Information Security Governance Committee is responsible for the ongoing identification and assessment of reasonably foreseeable cybersecurity threats and based on these assessments, evaluating and overseeing the implementation of safeguards for limiting such risks, including employee training and compliance, and detection and prevention mechanisms. If a cybersecurity incident occurs, the Information Security Governance Committee will assemble an incident response team responsible for the identification, remediation, and post-incident review of such incident, engage outside advisors and notify third parties as appropriate, and assess the materiality of the nature, scope, and timing of a given incident and whether public disclosure is required. The CIO, in coordination with the Information Security Governance Committee, is responsible for leading the assessment and management of cybersecurity risks. The current CIO has over 25 years of experience in information security. The CIO reports to the Board of Directors as part of the Information Security Governance Committee’s updates discussed above and regularly communicates with the other members of the Information Security Governance Committee and senior management regarding cybersecurity risks.
Item 1C. Cybersecurity Risk Management and Strategy We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities, and test those systems pursuant to our cybersecurity policies, processes, and practices. To protect our information systems from cybersecurity threats, we use various security tools that help us identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. We recognize the importance of protecting information assets such as the personally identifiable information of our employees, and proprietary business information regarding our Affiliates and their clients, and have adopted policies, management oversight, accountability structures, and technology processes designed to safeguard this information. All of our employees are required to attest annually to our information security policies and participate in regular security awareness training to protect their information and the AMG data and systems to which they have access. These trainings also instruct employees on how to report any potential privacy or data security issues. Our information security organization comprises internal and external resources designed to identify, protect, detect, mitigate, resolve, and recover from various threats and attacks by malicious actors. We leverage 24x7x365 monitoring tools and services to address the confidentiality, integrity, and availability of AMG assets and data. Regular internal and third-party reviews are performed on our processes and technologies to validate the effectiveness of our privacy and data security controls and safeguards. We monitor industry best practices and developments in data privacy and security, including increased scrutiny of third-party service providers with access to sensitive AMG data. We also have our own fully documented proprietary security incident response plan, with defined roles and responsibilities that address notification obligations and incident response procedures in the event of a data security breach. We are dedicated to business continuity and resiliency, and have documented strategies, policies, and procedures in place to protect employee, business, Affiliate, and Affiliate client data in the event of an emergency or natural disaster. Although we provide our Affiliates with operational autonomy in managing their businesses and may have limited involvement in the design, oversight, and maintenance of their respective technology systems and networks, we offer ongoing cybersecurity support to Affiliates through our information security program, including with respect to conducting Affiliate program assessments and assisting, as appropriate and practicable, in their identification of, and response to, an actual or suspected cybersecurity incident. Additionally, prior to any investment in a new Affiliate, we conduct a diligence review of its information security program. We work with third-party service providers to proactively assess our information security program and provide us with an industry view of the cyberthreat landscape, in addition to monitoring and supporting our control environment and breach notification and response processes. As of the date of this Annual Report on Form 10-K, cybersecurity threats have not materially affected and we believe are not reasonably likely to materially affect AMG, including our business strategy, results of operations, or financial condition. Refer to the risk factor captioned “Failure to maintain and properly safeguard an adequate technology infrastructure may limit our or our Affiliates’ growth, result in losses or disrupt our or our Affiliates’ businesses” in Part I, Item 1A. “Risk Factors” for more information regarding cybersecurity risks and potential related impacts on AMG. Governance We have a formal information security program, designed to develop and maintain privacy and data security practices to protect AMG assets and sensitive third-party information, including personal and Affiliate information. This program is governed by a committee comprising members of senior management, including our Chief Information Officer (“CIO”), which meets regularly and reports to the Board of Directors at least annually (the “Information Security Governance Committee”). Members of the Information Security Governance Committee oversee communications with the Board of Directors regarding material cybersecurity incidents and provide the Board with a summary of risks from current cybersecurity threats on a regular basis, as well as updates on management’s information security program oversight and maintenance activities, and any material changes to AMG’s information security practices and procedures. The Board of Directors is also regularly provided with cybersecurity educational sessions, including perspectives from external advisors that are invited to present on current cybersecurity topics. We take a risk-based approach to cybersecurity and have implemented policies throughout our operations that are designed to address cybersecurity threats and our response to actual or suspected incidents. In particular, the Information Security Governance Committee is responsible for the ongoing identification and assessment of reasonably foreseeable cybersecurity threats and based on these assessments, evaluating and overseeing the implementation of safeguards for limiting such risks, including employee training and compliance, and detection and prevention mechanisms. If a cybersecurity incident occurs, the Information Security Governance Committee will assemble an incident response team responsible for the identification, remediation, and post-incident review of such incident, engage outside advisors and notify third parties as appropriate, and assess the materiality of the nature, scope, and timing of a given incident and whether public disclosure is required. The CIO, in coordination with the Information Security Governance Committee, is responsible for leading the assessment and management of cybersecurity risks. The current CIO has over 25 years of experience in information security. The CIO reports to the Board of Directors as part of the Information Security Governance Committee’s updates discussed above and regularly communicates with the other members of the Information Security Governance Committee and senior management regarding cybersecurity risks.


Company Information

NameAFFILIATED MANAGERS GROUP, INC.
CIK0001004434
SIC DescriptionInvestment Advice
TickerAMG - NYSEMGR - NYSEMGRB - NYSEMGRD - NYSE
Website
CategoryLarge accelerated filer
Fiscal Year EndDecember 30