Morningstar, Inc. 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

Morningstar, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 15:45:37 EST.

Filings

10-K filed on 2025-02-28

Morningstar, Inc. filed a 10-K at 2025-02-28 15:45:37 EST
Accession Number: 0001289419-25-000041


Item 1C. Cybersecurity.

The purpose of our information security program is to enable the business to effectively identify, assess, prioritize and manage cybersecurity risk in order to support our long-term corporate objectives and to protect our employees, customers, and company assets from threats to our information systems. Cybersecurity is a critical component of our enterprise risk management and the company has identified cybersecurity as one of the key risk categories it faces.

Risk Management and Strategy

Morningstar takes a risk-based approach for managing its cybersecurity program. The program is evaluated periodically, including against the NIST Cybersecurity Framework, most recently in 2024. The outcome of these reviews, as well as any changes implemented as a result of these reviews, are reported to the audit committee of our board of directors (the Audit Committee). Morningstar deploys various safeguards to help protect against cybersecurity threats, including but not limited to, anti-malware (EDR) tools, email security, web filtering, multi-factor authentication and single-sign-on, regular patch cadence and vulnerability management, and hardened laptops with full disk encryption and admin permissions removed. For in-house developed software, Morningstar deploys various security tools to detect vulnerabilities, including but not limited to, static application security and dynamic application security testing, software composition analysis tooling, cloud security posture management and central logging. We engage a third-party to conduct a NIST CSF assessment to measure the completeness and readiness of our cybersecurity program and have a third-party perform a security assessment of our network annually. Additionally, we have application security assessments and SOC 2 certifications performed by a third-party on products where we deem them beneficial.

The company's team of information security professionals (InfoSec Team) conducts vulnerability scans and third-party security assessments of operating systems, network devices, and web-facing applications. We require all Morningstar products to follow enterprise-wide Disaster Recovery (DR) standards. Identified vulnerabilities and DR tasks are assigned to appropriate owners and on a weekly basis we produce a cybersecurity scorecard for each Morningstar product. These scorecards are disseminated to the relevant leadership team. The InfoSec Team, under the supervision of the chief information security officer (CISO), has also implemented processes to evaluate cybersecurity controls of third-party service providers. As part of the company's processes for engaging vendors, subcontractors and other third-parties, the InfoSec Team evaluates any such entities that may process confidential information prior to conducting business with them. We also evaluate the security status of our critical third parties periodically to determine whether they continue to meet our security standards. Employees undergo annual security awareness training, and a quarterly phishing exercise is conducted. Quarterly security incident tabletop exercises are conducted with appropriate stakeholders to practice response procedures, and an annual tabletop exercise is conducted with the executive leadership team to test our enterprise resilience. The enterprise resilience team manages both disaster recovery as well as business continuity plans in preparation to recover from high-impact incidents. We believe that currently we have not encountered a cybersecurity event that has had a material impact on our business, financial condition, or results of our operation. We continue to invest in our IT security infrastructure, InfoSec Program and to enhance our internal controls and processes to help protect our business from cybersecurity threats.

For a discussion of the risks cybersecurity threats pose to our business strategy, results of operations and financial condition, please see "Item 1A. Risk Factors - Risks Related to Our Information Technology and Security" in this Report.

Governance

Our experienced InfoSec Team is headed by our CISO, who reports to a member of our executive leadership team. Our CISO holds a Ph.D. in Computer Science with a focus on Cybersecurity and Privacy and has more than 15 years of information security experience. The InfoSec Team is responsible for assessing and managing cybersecurity risks and threats. The InfoSec Team manages our Information Security Program (InfoSec Program), which has oversight of IT risk governance, IT third-party risk management, software and product security, security operations and incident management, IT compliance, technical disaster recovery, and establishing enterprise-wide information security policies and procedures. Our CISO also meets regularly with senior leaders from the IT, Legal, Audit, and Compliance departments to discuss environmental, regulatory, and technological changes and associated risks to the security and confidentiality of our information. Our Board of Directors has delegated oversight of cybersecurity risks to the Audit Committee. The Audit Committee reviews and discusses with management risks relating to our cybersecurity and data privacy practices and has oversight of our cybersecurity risks. Our Chief Information Officer (CIO) and CISO provide an update to the Audit Committee at each of its regular meetings, which covers recent trends, identifies emergent risks to our technology infrastructure, DR plan statistics, employee training metrics, and major updates on security assessments and threat landscape as needed. The Audit Committee is also provided a summary of events and reporting on how any such events were resolved.

Cybersecurity Event Management

We have instituted a specific event management process for the monitoring, prevention, detection, identification, mitigation, and remediation of cybersecurity incidents. Cybersecurity incidents are responded to and managed by our 24-hour Security Operations Center (SOC), and technical outages/accidental occurrences are reviewed and managed by operational teams at the relevant Morningstar product and by the SOC. Upon resolution of a cybersecurity incident, we conduct a retrospective analysis to inform our security and operational efforts going forward. We engage third parties, such as incident response service providers, as appropriate, based on the severity of the cybersecurity event and/or the work required to remediate. Upon identification of a cybersecurity event, we assign a significance rating to the event. All cybersecurity events that meet or exceed designated criteria are escalated to the CISO or CIO. Cybersecurity events which may be significant are further escalated to the Cyber Incident Disclosure Committee (Cyber Committee). The Cyber Committee consists of the CIO, the CISO, the chief privacy officer, the chief legal officer, the head of corporate communications, representatives of the affected business unit and/or their respective delegates.


Company Information

Name: Morningstar, Inc.
CIK: 0001289419
SIC Description: Investment Advice
Ticker: MORN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30