RAYMOND JAMES FINANCIAL INC 10-K Cybersecurity GRC - 2024-11-26

Page last updated on November 26, 2024

RAYMOND JAMES FINANCIAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-26 16:53:21 EST.

Filings

10-K filed on 2024-11-26

RAYMOND JAMES FINANCIAL INC filed a 10-K at 2024-11-26 16:53:21 EST
Accession Number: 0000720005-24-000069

Item 1C. Cybersecurity.

Overview

Cybersecurity risk is a key operational risk facing the firm, and measures to address such risk are an important component of the firm’s overall Enterprise Risk Management (“ERM”) program. As part of our ERM program, we have implemented and maintain a program to identify, assess, and manage risks arising from cybersecurity threats (“Cybersecurity Program”). Our Cybersecurity Program seeks to mitigate cybersecurity risk and associated legal, financial, reputational, regulatory and/or operational risks by protecting our clients, associates, and services through a comprehensive, cross-functional approach. Specifically, our Cybersecurity Program is focused on preserving the confidentiality, integrity, and availability of information, enabling the secure and uninterrupted delivery of financial services, and protecting the firm and the safe operation of our technology systems. Further, we consider cybersecurity risks in our business strategy decisions, including in our business continuity planning and in connection with our acquisition activity. We seek to continually adjust our Cybersecurity Program to address the evolving cybersecurity threat landscape and comply with extensive legal and regulatory requirements.

Refer to the “Management’s Discussion and Analysis of Financial Condition and Results of Operations - Risk management” section of this Form 10-K for additional information on our approach to risk management, including our governance framework. Refer to “Item 1A - Risk Factors” of this Form 10-K for additional information on our cybersecurity risks.

Cybersecurity risk management process

Our Cybersecurity Program takes into account industry best practices and addresses risks from cybersecurity threats to our network, infrastructure, computing environment, and to third parties.
We periodically assess the design of our cybersecurity controls against the Cyber Risk Institute Cyber Profile, which is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity, as well as global cybersecurity regulations, and we seek to implement improvements to our controls in response to that assessment. Our Cybersecurity Program also includes cybersecurity and information security policies, procedures, and technologies that are designed to address regulatory requirements and protect our clients’, associates’, and firm data against unauthorized disclosure, modification, and misuse. These policies, procedures, and technologies cover a broad range of areas, including: identification of internal and external threats, access control, data security, protective controls, detection of malicious or unauthorized activity, incident response, recovery planning, and providing appropriate public disclosure of cybersecurity risks and incidents when required. In addition, we maintain a global training program for our associates about cybersecurity risks and requirements and conduct regular phishing email simulations in order to test our associates’ understanding of these risks.

Our cybersecurity strategy takes a defense-in-depth approach, with layered controls consisting of both commercially available and proprietary technologies that are intended to prevent an adversary from conducting a successful attack. Included in that approach is our Cyber Threat Center, which is a critical component of our Cybersecurity Program and operates internally with the purpose of monitoring, detecting, and responding to cyber threats that could jeopardize the integrity, confidentiality, or availability of information systems.
Our Cyber Threat Center operates 24 hours per day, 7 days per week, continuously monitoring our systems for signs of tampering or unauthorized activity, and utilizes an incident response playbook which is based on NIST industry best practices and includes containment and recovery procedures. Furthermore, we maintain cybersecurity insurance coverage which provides certain limited protection.

In conjunction with third-party vendors and consultants, we perform a variety of periodic risk assessment initiatives to gauge the performance of the Cybersecurity Program, to estimate our risk profile, and to assess compliance with relevant regulatory requirements. We perform periodic assessments of control efficacy through our internal risk and control self-assessment process, a variety of cyber event simulation exercises focused on the effectiveness of our incident response and crisis management procedures, and external technical assessments, including external penetration tests and “red team” engagements where third parties test our defenses. The results of these risk assessments, together with control performance findings, are used to establish priorities, allocate resources, and identify and improve controls.

In addition, our processes are designed to help identify, oversee, and mitigate cybersecurity risks associated with our use of third-party vendors. We have a supplier risk management process that includes evaluation of, and response to, cybersecurity risks at our third-party vendors, and this process covers vendor selection, onboarding, performance monitoring, and risk management. Our supplier risk management program includes policies and standards requiring that we perform cybersecurity due diligence reviews on our vendors based on the inherent risk profile of a particular supplier or service provider. We also monitor certain of our principal suppliers and service providers on an ongoing basis by conducting additional periodic reviews.
Additionally, we execute agreements with our third-party vendors, independent contractor financial advisors, and firms affiliated with us through our RCS division under which these parties contractually agree to implement certain safeguards designed to protect firm data and mitigate cybersecurity risks.

We also maintain business continuity plans that include identification of critical functions, third-party suppliers, and personnel. Our information technology department executes several disaster recovery exercises per year in order to test our capabilities and ensure that business recovery needs could be met during a real-world event. Additionally, our information technology department participates in annual crisis management exercises to test our operational responses and assess our preparedness for various scenarios, including cyber incidents. We also participate annually in industry-wide and internal exercises to test our response capabilities.

While we and our third-party vendors have experienced cybersecurity incidents, as well as adverse impacts from such incidents, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the firm, including our business strategy, results of operations, or financial condition. However, due to the evolving threat environment, we expect to continue to experience cybersecurity incidents resulting in adverse impacts with increased frequency and severity, and there can be no assurance that future cybersecurity incidents, including incidents experienced by our third-party vendors, will not have a material adverse impact on the firm, including its business strategy, results of operations, financial condition, and/or reputation. See Item 1A - Risk Factors of this Form 10-K for additional information on our cybersecurity risks.
Governance

The Board of Directors has designated its Risk Committee to assist it in overseeing management’s responsibility to implement an effective risk management framework designed to identify, assess, and manage key risks, including cybersecurity risk. As part of our ERM program, executive management, with review and oversight of the Risk Committee, establishes key risk indicators to measure ongoing alignment with the firm’s risk appetite and tolerance levels related to cybersecurity risk. Risk appetite and tolerance thresholds are periodically reviewed by management and approved by the Risk Committee.

The Risk Committee receives regular presentations and reports from our Chief Information Security Officer (“CISO”), which address a wide range of cybersecurity risk topics, including emerging threats and recent developments, cybersecurity policy and standards updates, vulnerability assessments, risk assessment outcomes (including third-party and independent reviews), technology trends, and information security considerations arising with respect to the firm, our peers, and third-party vendors. Additionally, the Board of Directors receives reports at least annually on the performance of the firm’s cybersecurity risk metrics. Under the Risk Committee’s oversight, management works closely with key stakeholders, including regulators, government agencies, peer institutions, and industry groups, and develops and invests in human talent and innovative technology in order to better manage cybersecurity risk.

The firm’s cybersecurity program is led by our CISO, who, effective October 1, 2024, reports to our Chief Information Officer (“CIO”).
The CISO, in coordination with our information technology, compliance (including privacy), and risk management functions, works collaboratively across the firm to implement a program designed to protect the firm’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the firm’s incident response and recovery plans.

We maintain policies and procedures for the escalation of cybersecurity incidents assessed as potentially being or becoming material. Such incidents are escalated to a multidisciplinary group of senior leaders from our risk management, regulatory, compliance, finance, and legal teams, to assess such incidents for reporting under regulatory guidelines. In evaluating cybersecurity incidents, management considers the potential impact to our results of operations, control framework and financial condition, as well as the potential impact, if any, to our business strategy or reputation. Through ongoing communications with these teams, the CISO monitors the mitigation and remediation of cybersecurity threats and incidents in real time, and reports such threats and incidents to the Risk Committee when appropriate.

The members of management who lead our Cybersecurity Program have extensive experience in technology, cybersecurity, and information security. Our CIO has over 35 years of relevant experience, including 25 years leading technology teams at multiple global financial services institutions, and is a Certified Information Security Manager and Registered Series 99 Operations Professional. Our CISO has over 25 years of financial services industry experience, with varying positions in information technology, security, and risk management, and is a Certified Information Systems Security Professional and Registered Series 99 Operations Professional. Both our CIO and CISO also participate in various financial services industry committees and cybersecurity advisory boards.

Company Information

Name: RAYMOND JAMES FINANCIAL INC
CIK: 0000720005
SIC Description: Security Brokers, Dealers & Flotation Companies
Ticker: RJF - NYSE; RJF-PB - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29