Page last updated on October 29, 2024
FACTSET RESEARCH SYSTEMS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-29 16:54:42 EDT.
Filings
10-K filed on 2024-10-29
FACTSET RESEARCH SYSTEMS INC filed a 10-K at 2024-10-29 16:54:42 EDT
Accession Number: 0001013237-24-000141
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
FactSet recognizes the importance of identifying, assessing, and managing material risks associated with cybersecurity threats. These risks include, among other things, operational risks, intellectual property theft, fraud, extortion, violation of data privacy or cybersecurity laws, legal and regulatory risks, and reputational risks.
We maintain an information security program with a dedicated internal team that is tasked with leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. Our information security team is responsible for identifying, assessing, managing, and responding to cybersecurity risks, threats and incidents relating to the protection of our information assets, systems, and operations. The information security team also oversees the detection, prevention, mitigation, and remediation of all cybersecurity incidents.
Our information security program is managed by a dedicated Chief Information Security Officer (“CISO”) who reports to our Chief Technology Officer, a member of our Executive Leadership Team (“ELT”). Our current acting CISO has a graduate degree in computer engineering and has worked in cybersecurity for over a decade. The information security team is comprised of approximately 60 employees, with dedicated teams assigned to governance, risk and compliance, identity and access management, strategy and architecture, and analytics and automation. The team operates from FactSet locations around the world, including offices in the U.S., India, the Philippines, and Europe.
FactSet’s information security and governance framework is guided by International Organization for Standardization (“ISO”) 27002 and System and Organization Control (“SOC”) 2 Trust Service Criteria. We also have implemented the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework.
Cybersecurity risk management is integrated into our broader Enterprise Risk Management (“ERM”) framework. FactSet’s ERM program is designed to identify, prioritize, and assess the most significant risks that could impact our ability to achieve our strategic business objectives. ERM activities include conducting enterprise risk assessments to better understand risk exposures, emerging risks, and steps that management has taken to monitor and control such exposures. Our information security leadership team, in concert with our ERM team, reviews our oversight of cybersecurity risks at least annually through our enterprise risk assessment process.
FactSet’s information security program is grounded in a risk-based approach. Our information security team undertakes various activities to assess, identify, and manage risks from cybersecurity threats, including managing security controls, conducting penetration testing, leading training and tabletop exercises, and conducting internal and external vulnerability assessments. Findings from our internal and external vulnerability assessments are classified using a combination of scores and internal business metrics. Findings are remediated commensurate with the respective risk rating. FactSet’s IT Risk Management Policy includes severity-based escalation requirements designed to ensure proper management-level visibility and evaluation of risk issues, regardless of the source of that risk.
We have processes to identify and mitigate cybersecurity risks stemming from our relationships with third parties, including protocols to assess vendors’ cybersecurity programs before we engage them and to monitor vendors, once engaged, for ongoing compliance with our cybersecurity standards.
We also have an incident response plan that provides procedures for how we can detect, respond to, and recover from potential cybersecurity incidents, which include processes designed to triage, assess severity, escalate, contain, investigate, and remediate any incident, as well as to comply with any applicable legal obligations and mitigate potential brand and reputational damage.
Our information security program is regularly evaluated by internal and external experts with the results of those reviews reported to senior management, including the ELT and the FactSet Board of Directors (the “Board”). We also actively engage with key vendors, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures.
The cybersecurity threat landscape is dynamic and volatile and requires significant investment. To date, risks from cybersecurity threats have not materially affected our business strategy, results of operations, or financial condition. As discussed more fully under Item 1A, Risk Factors in this Annual Report on Form 10-K, although our processes are designed to help identify, detect, prevent, respond to, and mitigate cybersecurity risks, cybersecurity threats are rapidly evolving and we may not be able to anticipate, prevent, or detect all such attacks and there is no guarantee that a future cybersecurity incident could not materially affect our business strategy, results of operations, or financial condition.
Cybersecurity Governance
Cybersecurity is an important part of our Board’s risk management focus. Regular reporting on the results and status of our ERM function, as well as our information security program, is provided to our senior management, including the ELT and the Board.
The Board is responsible for overseeing our risk management governance, and our Board, together with its committees, engages with our management team in monitoring Company risks, including cybersecurity and data protection risks. The Audit Committee is responsible for risk oversight, including risks related to cybersecurity threats, and periodically reviews our information security programs, including our cybersecurity efforts. Our CISO regularly updates the Audit Committee on our information security program, providing an overview of risks and trends and addressing topics including our incident response plan, cybersecurity threat developments, and the steps we are taking to respond to these matters.
Company Information
Name | FACTSET RESEARCH SYSTEMS INC |
CIK | 0001013237 |
SIC Description | Services-Computer Programming, Data Processing, Etc. |
Ticker | FDS - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | August 30 |