Page last updated on February 7, 2025
MSCI Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-07 16:02:25 EST.
Filings
10-K filed on 2025-02-07
MSCI Inc. filed a 10-K at 2025-02-07 16:02:25 EST
Accession Number: 0001408198-25-000053
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

We recognize the importance of identifying, assessing and managing material cybersecurity risks, including, among other things, our operations; intellectual property theft; fraud; extortion; violation of data privacy or cybersecurity laws; legal and regulatory risk; and reputational risks. We have an enterprise-wide information security program designed to secure our technology infrastructure, networks, data, products and services, and we have implemented several processes, technologies and controls to aid in our efforts to identify, assess and manage related risks. Our Chief Information Security Officer (“CISO”) manages this program, in collaboration with our business and corporate teams. Cybersecurity risks are integrated into our enterprise risk management (“ERM”) program, which evaluates cybersecurity risks alongside other company risks as part of a quarterly and ongoing process designed to identify, assess and manage risk exposures over the short-, intermediate- and long-term. In addition, our management-level Information and Technology Risk Oversight Committee (“ITROC”), led by our CISO, and including senior leaders such as our President and COO, CFO and General Counsel, among others, provides oversight relating to cybersecurity and technology-related risks that may present significant impacts to our operations, clients, reputation and financial position, and the considerations of the ITROC are fully incorporated into our overall ERM framework. Our CISO also provides updates to our Disclosure Committee on material cybersecurity incidents. We also have cybersecurity-specific policies, standards and procedures, and our cybersecurity program aligns with industry standards, including the U.S. National Institute of Standards and Technology (“NIST”) cybersecurity framework and International Organization for Standardization (“ISO”) information security standards. Our information security management system has achieved ISO 27001:2022 certification.

To help ensure the resilience of critical data and systems, maintain regulatory compliance, manage material cybersecurity risks, and protect against, detect and respond to cybersecurity incidents, we regularly undertake the following activities:
- 24x7x365 security operations monitoring of our systems, networks and services to detect and act on weaknesses and potential intrusions;
- Regular internal and external security audits and penetration tests by third-party security vendors;
- Testing of new products and services to identify potential security vulnerabilities before release;
- Regular network and endpoint monitoring;
- Periodic red- and purple-team assessments from third-party service providers;
- Business resiliency planning with disaster recovery and business continuity testing;
- Role-based access controls to identify, authenticate and authorize individuals to access systems based on their job responsibilities;
- Protection, including encryption, for the secure communication of sensitive data;
- Monitoring of emerging data protection laws and implementation of changes to our processes designed to comply therewith;
- Regular review of policies and standards related to cybersecurity;
- At least annual security awareness training and testing of our employees;
- Regular review of critical third-party security practices;
- Tabletop exercises to simulate a response to a cybersecurity incident and to use the findings to improve our processes and technologies;
- A cross-functional approach to addressing cybersecurity risk, with participation from Technology, Risk, Legal, Compliance, Privacy and Internal Audit functions; and
- Cybersecurity risk insurance to provide protection against potential losses arising from a cybersecurity incident.
Our IT risk program also includes an incident response plan that provides for how we detect, respond to and recover from cybersecurity incidents, which includes processes designed to triage, assess severity, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our brand and reputation. As part of the above processes, we regularly engage with assessors, consultants, auditors and other third parties, including by annually having a third party review our cybersecurity program to help identify areas for continued focus, improvement and compliance. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our client or employee data or our systems. Cybersecurity considerations affect the selection and oversight of our third-party service providers. Although we perform diligence on third parties and monitor cybersecurity threat risks identified through such diligence, we cannot guarantee that we can prevent or mitigate the risk of any compromise or failure in the information systems, software, networks and other assets owned or controlled by third parties.

In the last three fiscal years we have not identified any material cybersecurity incidents and have not identified any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition, and the expenses we have incurred from any cybersecurity incidents over the last three fiscal years were immaterial. Furthermore, we have not been penalized or paid any amount under an information security breach settlement in the last three fiscal years. There can be no guarantee that we will not experience such an incident or incur such expenses in the future.
For more information on our cybersecurity risks, see “Technology Risks” included as part of our risk factor disclosures in Item 1A of this Annual Report on Form 10-K.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board of Directors (“Board”) and management. The Audit and Risk Committee (the “Audit Committee”) of our Board is responsible for the oversight of risks from cybersecurity threats. On a quarterly basis, our CISO updates the Audit Committee on the Company’s IT security program, including an overview of risks and trends, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and cybersecurity threat developments, as well as the steps management has taken to respond to these topics. This quarterly update is also made available to the full Board, and the Chair of the Audit Committee informs the Board of any key updates during quarterly reports to the Board. Material cybersecurity risks are also considered during Board and Committee discussions of matters such as enterprise risk management, operational and strategic planning, business continuity planning, mergers and acquisitions, reputation management and other relevant matters. The Board periodically conducts education sessions on cybersecurity trends and risks.

Our cybersecurity risk management processes, which are discussed in greater detail above, are led by our CISO, who has over 20 years of work experience relating to cybersecurity, including at major financial institutions and consulting firms, involving the management of information security and the development of cybersecurity strategy, as well as relevant degrees and certifications, including holding a Bachelor of Science degree in Electrical and Computer Engineering. Our CISO oversees a team of approximately 50 professionals charged with the ongoing management of our cybersecurity risk and strategy. These employees monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents, including through the operation of our ITROC, incident response plan and other processes. Our cybersecurity team includes managers that have expertise with cybersecurity, as demonstrated by prior work experience, possession of a cybersecurity certification or degrees or other cybersecurity experience.
Company Information
Name | MSCI Inc. |
CIK | 0001408198 |
SIC Description | Services-Business Services, NEC |
Ticker | MSCI - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |