Page last updated on August 6, 2024
BROADRIDGE FINANCIAL SOLUTIONS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-06 10:22:53 EDT.
Filings
10-K filed on 2024-08-06
BROADRIDGE FINANCIAL SOLUTIONS, INC. filed a 10-K at 2024-08-06 10:22:53 EDT
Accession Number: 0001383312-24-000039
Item 1C. Cybersecurity.
Our information security program is designed to meet the needs of our clients who entrust us with their sensitive information. We maintain International Organization for Standardization (“ISO”) 27001 certification for most of our business units and core applications and facilities, and, where applicable, align to other industry standards or frameworks, including Cloud Security Alliance’s Cloud Controls Matrix (“CSA CCM”), Payment Card Industry Data Security Standard (“PCI DSS”), Health Insurance Portability and Accountability Act (“HIPAA”), and HITRUST Common Security Framework (“HITRUST CSF”).

Cybersecurity Risk Management and Strategy

We recognize the importance of identifying, assessing, and managing material risks associated with cybersecurity threats. Our cybersecurity risk management program is integrated into our overall enterprise risk management (“ERM”) process, which provides an ongoing procedure, effected at all levels of the Company across business units and corporate functions, to identify and assess risk, monitor risk, and take appropriate mitigating action. Central to our risk management process is the Risk Committee, which is a management committee that oversees the identification and assessment of the key risks affecting our operations and reviews the controls established with respect to these risks. The Risk Committee is comprised of key members of management, including the President, Chief Financial Officer, Chief Legal Officer, Chief Information Security Officer, Chief Privacy Officer, and other senior executives of the Company. Our Risk Committee collaborates with subject matter experts, as needed, to gather insights for identifying and assessing material cybersecurity risks, their severity, and potential mitigations.

We take the following actions, among others, to demonstrate our commitment to maintaining the highest levels of information security, provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and to identify, protect against, detect, respond to, and recover from cybersecurity incidents:

- leverage encryption, data masking technology, data loss prevention technology, authentication technology, entitlement management, access control, network and application segmentation, anti-malware software, and transmission of data over private networks, among other systems and procedures designed to protect against unauthorized access to information;
- conduct annual reviews with many of our clients on our cybersecurity and data security policies, practices and controls, and engage with regulators across the world, to remain apprised of cybersecurity and data security standards and best practices;
- utilize the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Framework”) issued by the U.S. government as a guideline to manage our cybersecurity-related risk. We are currently evaluating our program against the newly issued NIST Framework 2.0. The NIST Framework outlines security controls and outcomes over five functions: identify, protect, detect, respond, and recover;
- conduct network and endpoint monitoring, vulnerability assessments, and network penetration testing;
- conduct quarterly information security management and incident training, and regular phishing email simulations for all associates to enhance awareness and responsiveness to possible threats;
- run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our policies and procedures;
- conduct information security reviews and due diligence on key service providers to identify, assess, mitigate, and monitor risks associated with our use of third-party software and services; and
- maintain global information security policies and procedures, including an incident response and crisis management plan, which include processes to triage, assess, investigate, escalate, contain, and remediate cybersecurity incidents.

We further describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Security breaches or cybersecurity incidents could adversely affect our ability to operate, could result in personal, confidential or proprietary information being misappropriated, and may cause us to be held liable or suffer harm to our reputation,” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.

Cybersecurity Governance

Our information security program and team are currently managed by our Chief Information Security Officer (“CISO”), who reports to our Chief Technology Officer. Our CISO has more than 25 years of experience in managing and leading cybersecurity functions, which includes cybersecurity operations, strategy and governance, and information technology and security risk, compliance, and audit responsibilities across the U.S., Latin America, United Kingdom, Eastern Europe, Singapore, and China. Our CISO is responsible for developing, implementing, and overseeing our overall information security program, including cybersecurity risk management, governance and compliance, security policies and training, and the overall protection and defense of our networks, systems, and confidential data. With respect to risk management, our CISO works closely with our Managing Director, Risk Management, and other members of our Risk Committee, including the President, Chief Financial Officer, Chief Legal Officer, and Chief Technology Officer, who are responsible for reviewing and challenging, as necessary, the activities of our information security team.

The responsibilities of the Company’s Board of Directors (“Board”) include oversight of our risk management processes. The Board has two primary methods of oversight. The first method is through the ERM process, through which the Board receives regular reports from management regarding the most significant risks facing the Company. The second is through the functioning of the Board’s committees. The Audit Committee assists the Board in its oversight of the Company’s information security program, including cybersecurity and data privacy risks and controls. Our CISO provides reports on the Company’s cybersecurity program to the Audit Committee, which includes all members of the Board, on a quarterly basis. In addition, our Internal Audit function regularly audits our technology and cybersecurity programs and reports to the Audit Committee on its findings.
Company Information
Field | Value
--- | ---
Name | BROADRIDGE FINANCIAL SOLUTIONS, INC.
CIK | 0001383312
SIC Description | Services-Business Services, NEC
Ticker | BR - NYSE
Website |
Category | Large accelerated filer
Fiscal Year End | June 29