ALLIANCEBERNSTEIN HOLDING L.P. 10-K Cybersecurity GRC - 2025-02-14

Page last updated on February 14, 2025

ALLIANCEBERNSTEIN HOLDING L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 16:24:33 EST.

Filings

10-K filed on 2025-02-14

ALLIANCEBERNSTEIN HOLDING L.P. filed a 10-K at 2025-02-14 16:24:33 EST
Accession Number: 0000825313-25-000014

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cyber Risk Management and Strategy Through a combination of security, risk and compliance resources, AB implements information security through a dedicated Information Security Program (" ISP “) that is intended to identify, assess and manage material risks from cybersecurity threats and which includes a focus on safeguarding information and assets from cyber threats, engaging in cyber threat monitoring and responding to actual or potential cyber incidents. Our ISP is led by our Chief Information Security Officer (” CISO “) who actively partners with our Chief Compliance Officer (” CCO “) and Chief Risk Officer “(” CRO “). Ultimately, our ISP is part of our full enterprise risk framework, which includes information technology, business continuity and resiliency, in addition to cybersecurity risk. Our ISP is coordinated with our broader risk management team, including our Chief Security Officer. Enterprise risk, including cybersecurity risk, is overseen by the Audit and Risk Committee on behalf of the Board. 24 AllianceBernstein Table of Contents Part I Our CISO, with assistance from internal and external resources, is responsible for implementing and providing oversight of our ISP. The ISP employs a defense-in-depth strategy: an information assurance concept in which multiple layers of security controls are distributed throughout an operating environment. The defense-in-depth strategy manages risk with diverse defensive strategies, so that if one layer of defense fails, another layer of defense will attempt to compensate. Our ISP features cybersecurity policies, standards and guidelines, committee governance, training, access controls and data controls. We periodically execute table top exercises as a part of our ISP program. Our ISP, together with our risk and compliance resources, proactively manage the risk of threat from cybersecurity incidents through (i) implementing protocols to take cybersecurity considerations into account in adopting and onboarding our technology resources, (ii) monitoring IT controls to better ensure compliance with cybersecurity and other related legal and regulatory requirements, (iii) periodically assessing adherence by critical and material third parties we partner with to ensure that the appropriate risk management standards are met, (iv) essential business functions remaining available during a business disruption, and (v) regularly developing and updating response plans to address potential IT or cyber incidents should they occur. We also maintain an operational security function that has a real time response capability that triages potential incidents and triggers, as appropriate, impact mitigation protocols. Additionally, we utilize third parties to conduct periodic cybersecurity assessments to identify, assess, manage, and as appropriate, mitigate and respond to cybersecurity risks, and our internal audit function includes certain cyber risk audits as part of its overall risk audit. Our cybersecurity processes rely predominantly on internal resources, but also include important third party resources for certain matters, including the aforementioned assessments as well as our continuous cybersecurity threat monitoring and initial incident reporting system. As part of our ISP, we also perform cyber risk assessments on our third party vendors where we deem appropriate based on our risk assessment of such vendors, then periodically thereafter. As of the date of this report, the Company is not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business, financial condition or results of operations. However, there can be no assurance that the Company will not be materially affected by such risks. See Item 1A Risk Factors - Operations, Technology and Cyber-Related Risks for a discussion of cybersecurity risks. Cyber Risk Governance The Audit and Risk Committee is responsible for assisting the Board with oversight of our enterprise risk framework, including cybersecurity, information security, information technology and business continuity and resiliency. Our CISO and other members of senior management including our General Counsel, CCO and CRO report quarterly to the Audit and Risk Committee at its regular meetings on the status of the Company’s cybersecurity risk, risk management policies and risk assessment initiatives. The full Board is updated on an as needed basis. In addition, management updates the Audit and Risk Committee, as appropriate, regarding any material cybersecurity threats or incidents, as well as any incidents with lesser impact potential. While our Board provides oversight of our cybersecurity risk environment, the ultimate responsibility for our processes for identifying, assessing and managing cybersecurity risks resides with management. Our CISO, with assistance from internal and external resources, is responsible for the implementation and providing oversight to our ISP within the organization and maintaining the appropriate level of expertise to manage and implement cybersecurity policies, programs and strategies. Our CISO has years of applied experience in actively managing cybersecurity and information security programs for large global publicly traded companies with complex and evolving information systems. Management oversight of our ISP is provided by various governance committees including the Operational Risk Oversight Committee, the Information Security Risk Oversight Subcommittee and the Financial Crimes Control Oversight Subcommittee. 2024 Annual Report Part I

Company Information