Page last updated on November 29, 2024
StoneX Group Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-29 09:20:36 EST.
Filings
10-K filed on 2024-11-29
StoneX Group Inc. filed a 10-K at 2024-11-29 09:20:36 EST
Accession Number: 0000913760-24-000187
Item 1C. Cybersecurity.
Risk Management and Strategy
We recognize that cyber incidents, including but not limited to data breaches, ransomware attacks, and system outages, pose a material risk to our operations. We have processes in place for assessing, identifying and managing material risks from cybersecurity threats. These processes are embodied in our Information Risk Management Policy, which is supported by a set of standards and procedures, to provide a structured methodology for identifying, assessing, and managing risks to critical assets, including applications and systems. The Information Risk Management Policy is designed to provide a consistent risk management approach across the organization to safeguard against existing and emerging threats and to align with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The processes for cybersecurity risk management that we follow are integrated into our enterprise risk management (“ERM”) program. Our risk management processes include identifying and documenting key risks, assessing the potential business impact and likelihood of the identified risks, and developing mitigation plans for any risks that are deemed to be critical and/or material. The Company uses various techniques to identify risks, including input from our threat intelligence teams, which monitor adversarial tactics and techniques, as well as annual penetration testing performed by third-party vendors. Once identified, these risks are assessed to evaluate potential impacts to us from compromised confidentiality, integrity, or availability of information systems, considering financial, operational, legal, and reputational risks. Risk ratings are determined by evaluating the threats, any vulnerabilities, and potential business impacts, and this information is documented in our risk register.
The management of material risks from cybersecurity threats is assigned to appropriate personnel, with mitigation or remediation plans approved by executive management and reviewed regularly. The ongoing management of material risks from cybersecurity threats includes promoting security awareness throughout the Company, such as quarterly employee training, ongoing monitoring for cybersecurity threats and vulnerabilities, incident response planning, and data backup, retention and recovery readiness in accordance with our global business resilience planning policy and program. We have in place a comprehensive Security Incident Response Plan that outlines the policies and procedures to be followed in the event of an incident, including escalation and communication procedures. We also have processes in place to oversee and identify material risks from cybersecurity threats associated with our use of third-party service providers. These processes include a review of vendors against cybersecurity-focused criteria through our vendor due diligence process, as well as a policy which mandates the inclusion of certain security-related clauses and provisions in our contracts with vendors and suppliers. We also conduct ongoing monitoring and assurance processes, including assessments, to ensure compliance with applicable security-related contractual provisions and other requirements. Periodically, we engage third-party consultants to assess the maturity of our cybersecurity controls using the NIST Cybersecurity Framework. The assessment covers our risk management processes, people, and technologies. The findings are shared with our Chief Information Security Officer (“CISO”), senior management, and the Board of Directors, and the results are used to refine or enhance our risk management practices relating to cybersecurity.
The consequences of prior cybersecurity incidents we have encountered have not materially affected our business strategy, results of operations or financial condition. We are regularly the target of attempted cyber intrusions, and we anticipate continuing to be subject to such attempts. Our security programs and measures do not prevent all intrusions, and the occurrence of a significant cybersecurity incident could have a substantial negative impact on us. See Item 1A. Risk Factors - Technology and Cybersecurity Risks for additional discussion.
Governance
Our management is responsible for identifying, assessing, and managing our exposure to risk. The Board of Directors plays an active role in overseeing management’s activities regarding risk management in part through its various committees based on each committee’s responsibilities and expertise. The Board has delegated to the Technology and Operations Committee (the “Committee”) oversight of the Company’s Information Technology Department and risks arising from technology and operations, including information security, fraud, vendor, data protection and privacy, business continuity and resilience and cybersecurity risks. Our CISO and Chief Information Officer (“CIO”) are primarily responsible for the management of cybersecurity-related risks. Our CISO reports to our CIO, who is a member of our executive committee. The CIO collaborates closely with the CISO to align cybersecurity risk management with business goals. Our Governance, Risk and Compliance team is responsible for implementing the Company’s security risk management program, and our security engineering and Threat Management teams manage the technical aspects of cybersecurity and incident detection, response, and remediation. These teams report to the CISO and CIO to keep them informed of the matters for which they are responsible.
The CISO and CIO report quarterly to the Committee on current and emerging strategies and trends, the Company’s approach to technology and operations, developments with respect to cybersecurity events and risks, and the Company’s cybersecurity roadmap. More frequent reporting occurs when circumstances dictate, such as pursuant to the escalation procedures included in the Company’s Security Incident Response Plan. Our CISO has over 20 years of experience in cybersecurity. Before joining the Company in 2023, he held senior leadership positions in cybersecurity and security operations at publicly traded companies, a federally funded research and development center and the U.S. military. He holds a B.A. in Political Science from the University of Arizona and an M.A. in Strategic Intelligence from American Military University. He is also a Certified Information Systems Security Professional. Our CIO has been with the Company since 2017. She has over 20 years of experience in senior technology and financial roles in the asset management and financial services sector. She holds a B.S. in Accounting from Babson College and an MBA from Indiana University.
Company Information
| Name | StoneX Group Inc. |
| CIK | 0000913760 |
| SIC Description | Security & Commodity Brokers, Dealers, Exchanges & Services |
| Ticker | SNEX - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | September 29 |