Page last updated on February 27, 2025
CME GROUP INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:30:05 EST.
Filings
10-K filed on 2025-02-27
CME GROUP INC. filed a 10-K at 2025-02-27 16:30:05 EST
Accession Number: 0001156375-25-000021
Item 1C. Cybersecurity.
As a highly regulated global financial services company, we understand the substantial operational risks for companies in our industry as well as the importance of protecting the information and data of our clients, third parties and employees and the resilience of our systems. As such, our Global Informational Security (GIS) Program is designed and operated to mitigate information security risks and threats to the company. Its intent is to safeguard the confidentiality, integrity and availability of our information and services. The GIS Program is designed to strengthen the integrity of the global markets we support, protect CME Group’s information assets, maintain client, third party and employee trust, support our pursuit of strategic objectives, contribute to shareholder value and preserve our reputation and brand. We implement technical, physical and administrative safeguards to protect the confidential and sensitive information of our clients, third parties, employees and other information under CME Group’s stewardship.

We manage cybersecurity risk to the organization as part of our business strategy, risk management and financial functions in alignment with our overall Enterprise Risk Management Program and regularly engage with the risk committee of the board of directors and the board of directors as a whole regarding the effectiveness of the GIS Program and the management of our cybersecurity risks.

The GIS Program is led by CME Group’s Chief Information Security Officer (CISO), who has worked in various roles in information security for over 20 years and has led our GIS Program for more than five years since joining the company in 2016 in a senior role in GIS. The CISO reports to our Chief Information Officer (CIO), a member of our Management Team.
Our GIS team consists of over 200 full-time employees, many of whom hold cybersecurity, risk or management certifications, such as Certified Information Systems Security Professional, Certified Information Security Manager, Certified in Risk and Information Systems Control, Series 99, Certified Information Systems Auditor, Project Management Professional, various cloud provider certifications and various levels of ITIL certifications.

As part of our GIS Program, CME Group operates a Cyber Defense Center that virtually links 24/7 to our international cybersecurity teams and serves as a global hub for cybersecurity risk management activities, including log collection, event monitoring, threat detection and incident response, resiliency, operations, vulnerability management and the proactive collection and processing of both open source and proprietary threat and intelligence feeds, allowing the company to efficiently manage, investigate and respond to cybersecurity events. Our GIS team conducts analyses and aims to prevent, detect and respond to systemic events that might threaten our company, industry or the economy.

The GIS Program includes a Cyber Defense team, which manages the Incident Response Plan (IRP) and consists of subject matter experts from GIS and Information Governance, who work together to monitor and respond to cybersecurity incidents. The IRP outlines our cyber and incident response policies and governs our incident response lifecycle, which divides overall incident response into serial phases. The Crisis Management Team (CMT) is responsible for oversight during an incident, in conjunction with the Cyber Coordination Team (CCT). The CCT manages responses to cybersecurity and compliance incidents, collaborating with subject matter experts from various departments in response to specific incidents.
When an incident reaches a certain threshold of severity, our CISO and CIO escalate the matter to our Chief Operating Officer, who is another member of our Management Team, to determine next steps, as well as possible customer and external communication. Throughout the incident response process, the Legal team is engaged, as appropriate, and helps consider whether disclosure is required once a determination is made in connection with the company’s leadership and the CMT.

We identify, assess and manage material risks from cybersecurity threats through our GIS Program as follows:

- We deploy a defense-in-depth strategy, acknowledging the importance of people, processes and technology in upholding information security. The strategy incorporates multiple layers of controls, including monitoring, vulnerability management, identity and access management and security assessments.
- Our program is aligned with the National Institute of Standards and Technology Cybersecurity Framework (NIST) and other technical standards and frameworks.
- We have a robust cybersecurity defense response plan that provides a documented framework for handling security incidents and facilitates coordination across multiple parts of the company.
- We invest in threat intelligence and operate a Cyber Defense Center, which acts as our hub of information sharing and threat intelligence analysis.
- We incorporate external expertise and reviews into our cybersecurity risk management program and continue to engage leading professional consulting firms to assist our company in incorporating cybersecurity best practices.
- We provide annual cybersecurity awareness and ongoing phishing training, and we routinely conduct cybersecurity attack simulation exercises, which include participation from various levels of management.
- Following a risk-based approach, we conduct due diligence reviews of our third party providers for potential cybersecurity risks to the company. We also maintain a cross-functional Third Party Risk Management program, which partners with our GIS, Information Governance and Operational Resilience teams, among others, to manage and monitor third party risk presented by CME Group vendors and certain third parties of third parties (fourth parties). The teams conduct initial due diligence on vendors and monitor cyber-related incidents and known vulnerabilities with the goal of enhancing processes, improving risk management and partnering on exit planning and testing for certain vendors associated with essential functions.
- We have insurance against certain cybersecurity and privacy risks and attacks.
- We are an active participant in financial services industry and government forums and information sharing programs designed to improve both internal and sector cybersecurity defense. These valuable external partnerships are established and maintained in order to gain more timely, comprehensive and actionable threat information across geographies and industries and to facilitate the exchange of best practices and security techniques. They allow for a high degree of collaboration and cooperation with local, state, federal and international law enforcement and intelligence agencies, industry groups and other private sector chief information security officers.
- We regularly test the design and effectiveness of our information security controls and processes through a program of testing performed by internal and independent third-party teams. Remediation of gaps and opportunities identified through testing is tracked through to closure. Testing activities support a variety of regulatory requirements and external industry certifications held by CME Group.
The board provides oversight of cybersecurity risks and has designated primary responsibility to the risk committee, which oversees our information security programs, including cybersecurity, and is actively involved in monitoring the progress of key cybersecurity initiatives. Our board and risk committee receive regular updates on the activities and effectiveness of our GIS Program, including reports on incident response plan testing exercises, results of compliance testing and third-party evaluation results. Our CISO provides quarterly, or as needed, reports and updates to our board and risk committee on the company’s cybersecurity risk management program and meets with the risk committee at least annually in a private session. The CISO has an indirect reporting line to the risk committee. We also engage with leading professional consulting firms to provide periodic updates to the board on cybersecurity-related risks in the evolving threat landscape and to provide education on best practices for board oversight of our GIS Program.

To date, the company is not aware of risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the company, including our business strategy, results of operations or financial condition. See “Item 1A - Risk Factors” beginning on page 16 for additional information on cyber attacks and other cybersecurity risks the company faces.
Company Information
| Field | Value |
|---|---|
| Name | CME GROUP INC. |
| CIK | 0001156375 |
| SIC Description | Security & Commodity Brokers, Dealers, Exchanges & Services |
| Ticker | CME - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |