A-Mark Precious Metals, Inc. 10-K Cybersecurity GRC - 2024-09-13

Page last updated on September 16, 2024

A-Mark Precious Metals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-13 14:58:46 EDT.

Filings

10-K filed on 2024-09-13

A-Mark Precious Metals, Inc. filed a 10-K at 2024-09-13 14:58:46 EDT
Accession Number: 0000950170-24-106317


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of information security practices designed to protect the confidentiality, integrity, and availability of company information and the personal information that we process. Cybersecurity risk management is an integral part of our overall enterprise risk management efforts. We manage cybersecurity risks using a framework based on applicable regulations, industry standards and recognized best practices. Through this framework, we devote significant resources to identifying, monitoring, assessing and responding to cybersecurity threats and incidents, including those associated with our use of third-party software, applications, services, and cloud infrastructure.

Our Cybersecurity Program includes multiple policies, procedures, and other components designed to identify, analyze, and respond to cybersecurity risks, including reliance on a layered system of preventative and detective technologies and controls designed to detect, mitigate, and contain cybersecurity threats. As part of our Cybersecurity Program, we maintain a Written Information Security Plan that outlines internal controls and procedures designed to protect our information systems. Our Cybersecurity Program contains a comprehensive suite of cybersecurity policies that are commensurate with companies in our industry of similar size and sophistication, and these policies are also informed by the sensitivity of our data processing activities. Our Cybersecurity Program also includes policies and procedures designed to ensure adequate business continuity, disaster recovery, and incident response. We also have access through our insurer to computer forensics firms and specialized legal counsel in case of a cybersecurity incident. While we maintain cybersecurity insurance to assist in the cost of recovery from a cybersecurity incident, such coverage may not be sufficient to cover all costs resulting from such incidents.

We leverage qualified third-party consultants, advisors, counsel, and other experts to inform, audit, and update our Cybersecurity Program throughout each year. We engage security assessors to identify vulnerabilities through both internal and external penetration tests and to perform cybersecurity maturity assessments. We perform risk assessments annually, or more frequently if circumstances require, using both internal and external resources. We may also be subject to examinations by applicable regulators. We conduct annual cybersecurity training for employees to enhance awareness of how to detect and respond to cybersecurity threats, as well as periodic phishing training and testing campaigns. We also conduct table-top exercises annually to simulate a response to a cybersecurity incident.

Our designated IT team members monitor cybersecurity threats in real time for the Company at the enterprise level, with the assistance of third-party threat detection and monitoring software. Cybersecurity threats at the subsidiary level are also monitored in real time by experienced IT professionals at those subsidiaries, including our Vice President of Digital and Technology at JM Bullion. These individuals report cybersecurity incidents immediately to our Chief Information Officer (CIO), who in turn follows approved reporting protocols, as more fully described below.

Our Cybersecurity Compliance and Disclosure Committee (CCDC), which is further described below, is chaired by our CIO and includes the General Counsel of A-Mark and other representatives from the Company and our subsidiaries, including top-level management, to ensure enterprise-wide implementation and consistent application of the Company’s data security policies and procedures. The CCDC regularly enlists subject matter experts to assist where necessary.

We also maintain a formal Vendor Management Program that provides oversight of cybersecurity risks related to our vendor and supplier relationships. During vendor onboarding, we perform risk-based due diligence on these third parties, with heightened requirements for vendors that have access to confidential or personal information or that require access to our information systems. This Vendor Management Program includes specific cybersecurity requirements for our vendors, as well as ongoing monitoring, assessment, and contract review. Members of the CCDC are involved in and review the Vendor Management Program at least annually.

To date, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, the sophistication of and risks from cybersecurity threats and incidents continue to increase, and the preventative actions that we have taken and continue to take to reduce the risk of cybersecurity threats and incidents may not successfully protect against all cybersecurity threats and incidents. For more information on the risks that we face from cybersecurity threats, see “Risk Factors - Risk Factors of General Applicability-New rules have recently become effective that will require the Company to provide disclosures regarding cybersecurity management and events.” in Part 1, Item 1A of this report.

Cybersecurity Governance

The Board has overall responsibility for risk oversight and has delegated oversight of our Cybersecurity Program, including enterprise-wide risk assessment and management, to the CCDC. The CCDC’s charter requires it to monitor Company efforts to prevent, detect, mitigate, and remediate cybersecurity incidents, and to comply with cybersecurity laws and regulations. The CCDC oversees and approves all Company policies and procedures related to cybersecurity. The CCDC also ensures that significant cybersecurity issues or concerns are reported to the Board and A-Mark’s CEO, and disclosed to the public, individuals, or regulators where required by law. The CCDC directly oversees information technology and information security risks through regular meetings, reports from management on information technology, cybersecurity, and related risk assessments, and incidents disclosed by third-party service providers as applicable.

If a cybersecurity threat is identified, our Vice President of IT or other reporting individuals will immediately inform our IT service desk and notify our CIO. Once the threat has been analyzed, our CIO will inform our General Counsel of any security incidents. The General Counsel will report on the incident, as appropriate, to the CCDC, our CEO, President and CFO, and to the Board, either at the next scheduled meeting or on a current basis, depending on the severity of the incident.

The CCDC reports at least quarterly to the Board and A-Mark’s CEO on the following topics, among possible others: our current risk posture and threat landscape; new material cybersecurity threats and high-risk exposures; risk mitigations and controls; incident response readiness; and updates to cybersecurity policies and procedures. The CCDC is also authorized and directed to report to the Board and A-Mark’s CEO promptly in the event of a significant cybersecurity incident, as appropriate.

A-Mark’s Chief Information Officer (CIO) chairs the CCDC. Our CIO brings over 14 years of IT experience to A-Mark. Since joining A-Mark in 2019, he has been pivotal in enhancing our data privacy compliance program, significantly strengthening our data protection and privacy measures, particularly ensuring protection of sensitive data.

The co-vice chairs of the CCDC are A-Mark’s Vice President of IT and JM Bullion’s Vice President of Digital and Technology. Our Vice President of IT has over 25 years of experience in IT working in various industries including ecommerce, health care, and financial industries focusing on IT operations, cybersecurity and compliance. Since joining the company in 2014, he has been instrumental in the creation and growth of our cybersecurity program. Our Vice President of Digital and Technology at JM Bullion has comprehensive experience in the cybersecurity field. He successfully established a 24/7 security operation center (SOC) to continuously detect and respond to security incidents, as well as implemented various advanced services to proactively detect vulnerabilities on potential attack surfaces with high accuracy spanning across assets, applications, data, endpoints and network. He also centralized the workforce identity and access management (IAM) of the various systems for improved administration and control at the subsidiary level. He joined JM Bullion in 2015 and has served in his current role as Vice President of Digital and Technology since 2021.

Other members of the CCDC include top executives and management from the Company and its subsidiaries, including A-Mark’s General Counsel, President, Chief Financial Officer, Chief Operating Officer, Senior Director of Financial Reporting, Director of Internal Audit, and Director of Enterprise Development and Administration, as well as JM Bullion’s President and Chief Executive Officer and its Chief Financial Officer. Finally, the CCDC is assisted by an external compliance consultant with over twenty years of IT experience, and A-Mark’s outside legal counsel for privacy and data security.


Company Information

Name: A-Mark Precious Metals, Inc.
CIK: 0001591588
SIC Description: Wholesale-Jewelry, Watches, Precious Stones & Metals
Ticker: AMRK - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: June 29