Invesco Ltd. 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

Invesco Ltd. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 13:27:00 EST.

Filings

10-K filed on 2025-02-25

Invesco Ltd. filed a 10-K at 2025-02-25 13:27:00 EST
Accession Number: 0000914208-25-000114


Item 1C. Cybersecurity.

Cyber threats are considered one of the most significant risks facing financial institutions. To mitigate that risk, we have a designated Global Chief Security Officer (GCSO) who leads our Global Security Department, which is responsible for identifying, assessing, and managing cybersecurity threats. Our GCSO has experience in the public and private sectors, specializing in security, investigations, and incident response. The Global Security Department oversees, among others, the following groups across Invesco: Information Security, Strategic Intelligence, Corporate Security, Business Continuity, Crisis Management, Global Privacy Office, Business Security, Projects and Strategy. This structure supports a more comprehensive, holistic approach to keeping our clients, employees, and critical assets safe, upholding privacy rights, and enabling a secure and resilient business.

The information security program for the company, excluding the subsidiary noted below, is led by our Chief Information Security Officer (CISO) who reports directly to the GCSO and has extensive experience in information security and risk management. Our information security program is designed to oversee all aspects of information security risk and seeks to ensure the confidentiality, integrity, and availability of information assets, including the implementation of controls aligned with industry guidelines and applicable statutes and regulations to identify threats, detect attacks and protect our information assets.

One company subsidiary operates on a distinct network and, therefore, manages its own information security program in close coordination with our Global Security Department. This subsidiary’s program aligns with all aspects of the company’s information security program and is led by a dedicated CISO who reports to the Chief Operating Officer of the subsidiary and has comprehensive experience managing cybersecurity programs. The GCSO has indirect oversight of the subsidiary’s CISO and its information security program.

Our cybersecurity programs include the following:

- Proactive assessments of technical infrastructure and security resilience are performed on a regular basis, which include penetration testing, offensive testing and maturity assessments.
- Conducting due diligence on third-party service providers regarding cybersecurity risks prior to on-boarding, periodic assessment of cybersecurity risks for existing third-party service providers and continuous monitoring for new third-party cybersecurity incidents.
- An incident response program that includes periodic testing and is designed to restore business operations as quickly and as orderly as possible in the event of a cybersecurity incident at Invesco or a third-party.
- Mandatory annual employee security awareness training, which focuses on cyber threats and security in general.
- Regular cyber phishing tests throughout the year to measure and raise employee awareness of cyber phishing threats.

Important to these programs is our investment in threat intelligence, our active engagement in industry and government security-related forums, and our utilization of external experts to challenge our program maturity, assess our controls and routinely test our capabilities.

The company’s Board oversees cybersecurity risk and receives updates, at a minimum, twice a year regarding cybersecurity, including risks and protections. The Global Operational Risk Management Committee, one of the company’s risk management committees, provides executive-level oversight and monitoring of the end-to-end programs dedicated to managing information security and cyber related risk. The members of this Committee include the Chief Information and Operations Officer, Chief Risk and Audit Officer, General Counsel, Chief Financial Officer, Chief Human Resources Officer, Global Head of Compliance, as well as other Global Operational Risk Owners which includes the GCSO. The Committee reports to the Enterprise Risk Management Committee, which provides updates to the Board to facilitate its oversight.

For the subsidiary referenced above, an Enterprise Risk Management Steering Committee provides executive-level oversight and monitoring of its programs that manage information security and cyber related risk. The members of this Enterprise Risk Management Steering Committee include the subsidiary’s Chief Executive Officer (CEO), Chief Operating Officer, Head of Risk, Head of Legal, Head of Privacy and the subsidiary’s CISO, as well as the company’s GCSO and CISO. The subsidiary’s CISO provides updates to the Board to facilitate its oversight at least annually.

As of December 31, 2024, we have not experienced any cyber incidents that have materially affected or are reasonably likely to materially affect Invesco’s business strategy, results of operations or financial condition.


Company Information

Name: Invesco Ltd.
CIK: 0000914208
SIC Description: Investment Advice
Ticker: IVZ - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30