StepStone Group Inc. 10-K Cybersecurity GRC - 2024-05-24

Page last updated on July 16, 2024

StepStone Group Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-24 16:37:21 EDT.

Filings

10-K filed on 2024-05-24

StepStone Group Inc. filed a 10-K at 2024-05-24 16:37:21 EDT
Accession Number: 0001796022-24-000041

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We maintain a cybersecurity program that is reasonably designed to protect our information, and that of our clients, portfolio companies and investment managers with which we conduct business, against cybersecurity threats that may result in significant adverse effects on the confidentiality, integrity, and availability of our information systems. Governance Board of Directors The board of directors oversees our processes for assessing and managing risk. Our audit committee is responsible for reviewing and discussing our practices with respect to risk assessment and risk management, including risks related to information technology and cybersecurity. The board of directors and audit committee periodically review the measures implemented by us to identify and mitigate risks from cybersecurity threats. As part of such reviews, the board of directors and audit committee receive reports and presentations from those responsible for overseeing our cybersecurity risk management, including the Managing Director, Head of Information Technology (“Head of IT”) and our Legal team, which may address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers, industry participants, service providers and other third parties. The Head of IT also periodically presents to the board of directors and audit committee, including to describe our information security infrastructure and improvements made, and to report on any significant developments. From time to time, external legal advisers provide education to the board of directors and/or audit committee in respect of information security related developments and to provide training in respect of directors’ responsibilities. We have a framework under which certain cybersecurity incidents are escalated and, where appropriate, reported to the board of directors or audit committee in a timely manner. Management We have a cybersecurity working group composed of members of the Information Technology (including Information Security), Legal and Compliance departments, including the Head of IT, Chief Legal Officer, Chief Compliance Officer, and a number of their respective team members. The working group meets regularly to identify and mitigate data protection and cybersecurity risks, implement information security governance mechanisms, discuss developments in information security, and discuss and respond to any significant cyber incidents. The working group is expected to escalate matters of significance to our Incident Response Team, ERMC (defined below) and/or the disclosure committee, as appropriate. We have adopted an Incident Response Plan (“IRP”) that applies in the event of a cybersecurity threat or incident to provide a standardized framework for responding to security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. In general, our incident response process leverages the NIST framework and focuses on four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation. The IRP applies to all personnel, networks and systems, third-party systems and end-user devices. In addition, we have an Enterprise Risk Management Committee (“ERMC”) composed of a number of members of senior management from operations across our businesses, legal, compliance, information technology, finance, human resources and internal audit and risk. The ERMC was established to oversee and promote the efficient and effective management of our enterprise risks. Cybersecurity and significant information security matters are to be brought before the ERMC or certain of its members, and matters of primary significance are to be further escalated and reported to our Global Executive Committee and the audit committee of our board of directors, as appropriate. At the management level, the Head of IT, who has extensive cybersecurity knowledge and skills gained from over 20 years of work experience at the Company and elsewhere, heads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices and reports directly to the President and Co-Chief Operating Officer. The Head of IT receives reports on cybersecurity threats from his team and external service providers on an ongoing basis and, in conjunction with management, reviews risk management measures implemented by us to identify and mitigate data protection and cybersecurity risks. The Head of IT works closely with our Legal and Compliance departments to oversee compliance with legal, regulatory and contractual security requirements and to develop reports and presentations to the board of directors and its audit committee. The Head of IT is responsible for providing training to employees in respect of information security. Risk Management and Strategy We take a multifaceted approach to managing risk from cybersecurity threats. Our cybersecurity program leverages people, processes, and technology to identify and respond to cybersecurity threats in a timely manner. Our information security program and supporting policies apply to all employees, contractors and certain vendors servicing the firm. The program outlines the development, maintenance, and distribution of information security policies and procedures that detail the implementation and maintenance of the information security program and its safeguards, and cover various areas such as information handling, user access management, encryption, data retention and backups, computer and network security and monitoring, physical security, incident reporting and response, service provider oversight, and employee and contractor use of technology. We also undergo annual SOC 1 Type 2 testing of our financial processes and supporting technical controls. In addition to the foregoing, we conduct regular employee trainings on cybersecurity and perform phishing exercises to test employees’ understanding of how to identify social engineering attacks. We perform diligence, including in respect of information security, of vendors and third parties with significant access to confidential information and personal data, and periodically monitor such vendors. We also employ systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems. We conduct annual penetration testing performed by a rotating group of third-party security firms to test our technical controls and security response. Our internal audit team has also conducted a cybersecurity assessment to test our preparedness. In addition to our internal cybersecurity capabilities and third-party penetration testing, we also, at times, engage consultants or other third parties to assist with assessing, identifying, and managing cybersecurity risks. Material Cybersecurity Risks, Threats & Incidents Due to evolving cybersecurity threats, it has and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents. To date, we have not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that we believe have materially affected, or are reasonably likely to materially affect, us, including our business strategy, results of operations, or financial condition, but we face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to have such an effect. Additional information on cybersecurity risks we face can be found in Part I, Item 1A “Risk Factors” of this Report under the heading “Cybersecurity risks and cybersecurity incidents could adversely affect our business by causing a disruption to our operations, which could adversely affect our financial condition and results of operations.”, which should be read in conjunction with the foregoing information.

Company Information