COHEN & STEERS, INC. 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

COHEN & STEERS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 09:06:24 EST.

Filings

10-K filed on 2025-02-21

COHEN & STEERS, INC. filed a 10-K at 2025-02-21 09:06:24 EST
Accession Number: 0001284812-25-000087


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Cybersecurity is a crucial component of our enterprise risk management program. We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature and information relating to our clients and investments. Our cybersecurity risk management function is led by our Cybersecurity Management team which is comprised of our Chief Information Security Officer (CISO), Chief Technology Officer (CTO), members of our Information Technology (IT) department, as well as members of our Legal and Compliance Departments. Our Cybersecurity Management team is primarily responsible for developing, implementing and monitoring our cybersecurity program and reporting on cybersecurity matters to senior management as well as our board of directors.
Members of our Cybersecurity Management identify and assess risks from cybersecurity threats by monitoring our threat environment and the Company’s enterprise risk profile using various manual and automated tools as well as by: (i) utilizing shared information about vulnerabilities and exploits from professional security organizations, reports or other services that identify cybersecurity threats and through the use of external intelligence feeds; (ii) analyzing reports of threats and actors; (iii) conducting periodic vulnerability scans of the Company’s IT environment; (iv) evaluating our and our industry’s risk profile; (v) evaluating threats that are reported to us; (vi) coordinating with law enforcement concerning threats; (vii) conducting internal and external audits of our information security control environment and operating effectiveness; and (viii) conducting threat assessments for internal and external threats, including through the use of third party threat assessments and vulnerability threat assessments. 
We implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats, including, but not limited to:

- technical and physical safeguards: (i) real-time security information and event monitoring of systems, workstations, servers and networks, and periodic internal and external vulnerability scans; (ii) asset management tracking and disposal; (iii) incident detection and response; (iv) data encryption; (v) notification monitoring from Company personnel and from third parties regarding issues and signs of potential incidents; and (vi) logical access controls and network security controls; and
- organizational safeguards: (i) incident response plans that address our response to a cybersecurity incident; (ii) personnel and vendors dedicated to overseeing the Company’s cybersecurity program; (iii) periodic mandatory employee cybersecurity training; (iv) periodic risk assessments and testing of our policies, standards, processes and practices designed to address cybersecurity threats and incidents; (v) policies and programs such as security standards, a vendor risk management program, a vulnerability management policy and disaster recovery and business continuity plans; and (vi) insurance coverage dedicated to losses resulting from cybersecurity incidents.

Cybersecurity risk management is integrated into the Company’s overall enterprise risk management (ERM) process.
For example, (i) enterprise risk management-level cybersecurity risks are reviewed at least annually by our information technology security team; (ii) internal and external penetration tests are performed to identify vulnerabilities and findings are risk ranked based on potential likelihood and impact; and (iii) members of Cybersecurity Management report on cybersecurity risk management and related matters to the audit committee of the board of directors, as part of their ongoing evaluation and oversight of overall enterprise risk pursuant to non-exclusive authority delegated by the board of directors. We use third-party service providers to assist us in identifying, assessing and monitoring material risks from cybersecurity threats, including through penetration testing, provision of threat intelligence and continuous monitoring of our environment. We report key findings to the audit committee of the board of directors and, if appropriate, the board of directors and adjust our cybersecurity policies, standards, processes and practices as necessary based in part on information provided by these assessments and engagements.

We also use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies and supply chain resources. We maintain a risk-based approach to identifying and overseeing cybersecurity risks and vulnerabilities presented by our engagement of third parties, as well as the information systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
Our vendor risk management program may involve different assessments designed to help identify cybersecurity risks including: (i) vendor risk assessments; (ii) security questionnaires; (iii) vendor audits; (iv) vulnerability scans relating to vendors; (v) security assessment calls with the vendor’s security personnel and our review of the vendor’s written security program, security assessments and other reports; (vi) evidence of cybersecurity preparedness through a System and Organization Controls (SOC) 1 or SOC 2 report; and (vii) the imposition of contractual obligations on the vendor.

For a description of the risks from cybersecurity threats that may materially affect the Company, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including under the caption “We could incur financial losses, reputational harm and regulatory penalties if we fail to implement effective information security policies and procedures.”

Governance

Our cybersecurity risk assessment and management processes are implemented and maintained by members of our Cybersecurity Management, including our CISO, CTO and our Head of IT Infrastructure.

- Our CISO oversees the information security group and program within our IT department with over 25 years of experience, including similar roles at other financial services companies, and holds the Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC) certifications and is registered with FINRA for the Series 99.
- Our CTO oversees our IT department and has served in various roles in information technology for over 29 years, including senior leadership roles at another financial services company.
- Our Head of IT Infrastructure oversees the infrastructure and service desk within our IT department and has served in various roles in information technology for over 21 years.
Members of our Cybersecurity Management, including our CISO and our CTO, are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy and communicating key priorities to relevant personnel. Members of our Cybersecurity Management, including our CISO and our CTO, are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes and reviewing security assessments and other security-related reports. Our cybersecurity incident response plan is a key component of our cybersecurity program. The response plan is designed to report certain cybersecurity incidents to members of Cybersecurity Management, who then work with the Company’s incident response team to help control, mitigate and remediate cybersecurity incidents. In addition, the response plan includes prompt reporting to the board of directors (or audit committee) of certain cybersecurity incidents and related materiality and disclosure determinations. The audit committee of the board of directors actively participates in discussions regarding cybersecurity risk exposures and steps taken by management to monitor and mitigate such risks, further to their responsibility to manage, oversee and remain informed about the most significant risks to the Company and align our risk exposure with our strategic and business objectives. At least annually, the audit committee reviews with our CTO and CISO the Company’s cybersecurity program, including the robustness and efficacy of the overall cybersecurity program, steps taken to enhance defenses and security measures in place and our established plans to identify, detect and respond to potential threats. The audit committee also annually reviews and discusses the ERM process and risk assessment, as well as the Company’s cyber insurance coverage.
Additionally, the audit committee of the board of directors receives reports and communications from our CTO and our Chief Operating Officer regarding material risks and specific developments related to the changing cybersecurity landscape and the Company’s operating, technology and control environment. Such reports may cover topics such as: investments made in our cyber infrastructure; technology projects and initiatives; vulnerability assessments and key findings from external cyber experts; the impact of new cybersecurity-related rules and regulations; changes in the threat environment; and evolving information security standards and market practices. As of December 31, 2024, we have not experienced any cyber incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition.


Company Information

Name: COHEN & STEERS, INC.
CIK: 0001284812
SIC Description: Investment Advice
Ticker: CNS - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30