Freedom Holding Corp. 10-K Cybersecurity GRC - 2024-06-13

Page last updated on July 16, 2024

Freedom Holding Corp. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-13 21:41:19 EDT.

Filings

10-K filed on 2024-06-13

Freedom Holding Corp. filed a 10-K at 2024-06-13 21:41:19 EDT
Accession Number: 0000924805-24-000041


Item 1C. Cybersecurity.

Risk Management and Strategy

Cybersecurity is a critical component of our risk management program, given the increasing reliance on technology and potential cyber threats. Our Chief Technology Officer is leading cybersecurity risk management improvement initiatives as part of our Technology Strategy to 2025.

Our overall cybersecurity risk management objective is to avoid or minimize the impacts of threat events that could lead to penetration, disruption or misuse of our information systems and to ensure compliance with applicable legal and contractual obligations. Our cybersecurity risk management improvement initiatives are informed by regulatory guidance, industry standards, threat intelligence feeds, internal and external audits, external consultants, and insights from cybersecurity community. Experts from our Technology Leadership Centre, under the supervision of the Chief Technology Officer, periodically review our cybersecurity risk management processes to address changing threats and conditions.

We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity. We employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected threats. We have established processes and systems designed to mitigate technology risk, including our corporate IT control system, to work towards a consistent minimal level of cybersecurity across all our subsidiaries. We engage in periodic or regular monitoring and assessments of our technology key infrastructure and processes using internal staff and third-party specialists. We assess and manage risks, including IT and cybersecurity risks, associated with external service providers and our supply chain. Our audit procedures include testing of IT and cybersecurity controls to ensure reliability. The type, maturity, and formalization of controls in our subsidiaries is informed by the level of anticipated threats and their impacts associated with each organization.

We maintain an IT and cybersecurity incident management process that provides a framework for responding to actual or potential cybersecurity incidents, engagement of third parties, including external incident response professionals, and timely reporting of incidents with material impact or reasonably likely to materially impact to our Chief Technology Officer, Chief Financial Officer, who inform other senior management members and our board of directors as appropriate. The cybersecurity incident management process facilitates coordination across multiple areas of our organization.

Governance

Our cybersecurity risk governance model consists of three lines of defense. Our Chief Technology Officer, supported by the experts in our Technology Leadership Centre and IT and cybersecurity teams at our subsidiaries represent the first line. Our Chief Risk Officer, supported by corporate and subsidiary risk teams, and Risk Committee of the board of directors represent the second line. The third line consists of our Controlling Department, subsidiary internal audit functions and Audit Committee of the board of directors.

Our Chief Technology Officer has over 15 years of information technology experience, including over a decade in leadership positions. He is supported by IT, cybersecurity and data protection professionals from our Technology Leadership Centre with extensive IT, cybersecurity and data protection education and experience, including from regulatory agencies. At the subsidiary level our IT and cybersecurity management team has varying degrees of technology, operational and cybersecurity experience, including experience in mitigating and responding to cybersecurity incidents and managing cyber risks.

Our Chief Technology Officer leads cybersecurity risk management improvement initiatives as part of our Technology Strategy to 2025, coordinated and monitored by experts from our Technology Leadership Centre. In contrast, the program’s implementation at our subsidiaries is largely delegated to the subsidiary staff. Significant subsidiaries provide updates on their implementation progress, significant cybersecurity incidents, and risks to their senior executives and the experts from our Technology Leadership Centre. The experts periodically consolidate and analyze information about the cybersecurity risk management program, cybersecurity and privacy incidents and risks, key initiatives, and other matters relating to cybersecurity processes for reporting to our Chief Technology Officer and our Chief Risk Officer. Both officers periodically report to the Risk Committee of the board of directors. Our Chief Technology Officer also regularly reports directly to the board of directors including on cybersecurity initiatives, notable incidents, and risks. Our Chief Risk Officer also periodically reports directly to the board of directors including on cybersecurity incidents and risks.

Our overall cybersecurity risk management is overseen by the Risk Committee of our board of directors who assists our senior management and the board of directors with their overall risk management responsibilities. Our audit procedures include testing of IT and cybersecurity. Our financial reporting department ensures financial performance reliability under U.S. regulatory requirements and provides an independent objective assurance to evaluate the effectiveness of IT and cybersecurity controls and governance. The department is directly subordinate to the Audit Committee of our board of directors.

Notwithstanding our defensive measures and processes, the threats posed by IT failures and cyber-attacks are always present. While our subsidiaries have experienced cybersecurity incidents in the past, no cybersecurity incidents have had, either individually or in the aggregate, a material adverse effect on our business, financial condition, cash flows or results of operations as of the date of this report. We do not maintain insurance policies to mitigate cybersecurity risks because such insurance may not be available or may be more expensive than the perceived benefit. Further, any insurance that we may purchase to mitigate certain risks may not cover all losses. For further discussion of risks from cybersecurity threats, see the section captioned "Risks Related to Information Technology and Cybersecurity" in Item 1A. Risk Factors.


Company Information

Name: Freedom Holding Corp.
CIK: 0000924805
SIC Description: Security Brokers, Dealers & Flotation Companies
Ticker: FRHC - Nasdaq
Category: Large accelerated filer
Fiscal Year End: March 30