Victory Capital Holdings, Inc. 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

Victory Capital Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 13:30:16 EST.

Filings

10-K filed on 2025-02-28

Victory Capital Holdings, Inc. filed a 10-K at 2025-02-28 13:30:16 EST
Accession Number: 0000950170-25-029770


Item 1C. Cybersecurity.

Risk Management and Strategy

Our Information Security Committee (the “ISC”) oversees and implements a cybersecurity program that seeks to assess, identify and protect against cyber security threats and detect, respond, and recover from cyber security incidents. The program is modeled upon the National Institute of Standards and Technology Cybersecurity Framework, a well-established and widely adopted framework in the financial services industry. The ISC is chaired by our Chief Information Security Officer (“CISO”) and membership includes executive and management level representation from our technology, legal, and compliance departments.

Our cybersecurity program assesses our cybersecurity risk profile through inventories of physical devices, software, and information systems, evaluations of critical third-party systems, and a catalog of security risks. Periodic assessments are conducted to ensure the risk catalog is up to date.

We protect our information systems, data, and network through technical and procedural controls and security awareness training. We deploy multiple technical controls to achieve a layered security strategy including systems access controls, firewalls, web application gateways, antivirus software, e-mail filtering, and endpoint protection. Security awareness training is mandatory for all employees and conducted at time of hire and periodically thereafter. The security awareness training program is designed to ensure employees are prepared to identify and avoid cyber risks and may cover topics such as phishing, ransomware, social engineering, public Wi-Fi risks, password security, and mobile device security. Training is supplemented by testing initiatives, including periodic phishing tests, which may result in targeted or remedial training.

We use a third-party security operations center and endpoint management and response service to continuously monitor information systems for emergent events including anomalous, suspicious, and unauthorized network activity. Detected events are immediately triaged and evaluated for threat potential and impact. We also engage third-party providers to perform penetration testing designed to identify vulnerabilities for remediation. We rotate penetration testing providers to diversify testing approaches.

No known cybersecurity threats or incidents have materially affected, or are likely to materially affect, our business strategy, results of operations, or financial condition. While we maintain robust prevention and detection measures, we cannot eliminate all cybersecurity risks or guarantee absence of undetected incidents. For further details on cybersecurity risks, see “Item 1A. Risk Factors” in this Form 10-K.

Governance

Role of the Board of Directors and Management

Our CISO and Chief Technology Officer (“CTO”) oversee the day-to-day technology and security activities. Our CISO has been with the firm since 2013 and has over 20 years of IT experience in various industries. He is a Certified Chief Information Security Officer from the Carnegie Mellon University executive education program, as well as a Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP). Our CTO joined the firm in 2020 with 30 years of IT experience, including over 20 years of executive level technology experience in the asset management industry. Both the CISO and CTO serve on the ISC. The Audit Committee of the Board of Directors oversees our enterprise risk management, which includes cybersecurity. The ISC provides a report on our cybersecurity program to our Board at least annually.

Other key functions of the ISC are to align the overall security strategy with business objectives and to oversee the cataloging of cybersecurity risks and assessments. Additional review and oversight is provided by the Enterprise Risk Committee where cybersecurity risk is vetted against other risk categories. Management also maintains a Vendor Oversight Committee which governs the use of third-party vendors and assesses cybersecurity risk related to those vendors. The Enterprise Risk Committee and the Vendor Oversight Committee report their activities to the Audit Committee at least annually. The third-party security operations center, the endpoint managed detection and response service, and third-party penetration testing vendors are overseen by the CISO.

In the event of a potential cybersecurity incident, the third-party security operations center is authorized to take preemptive action to address the incident and must promptly notify a member of the ISC. The ISC coordinates the response to and communication of an incident in accordance with our Incident Response Plan (“IRP”) and applicable law. The IRP is designed to provide guidance for effective, efficient, and orderly response to a variety of cybersecurity incidents. The ISC is responsible for communication escalation as necessary up to and including to the Board of Directors. The IRP is periodically exercised through tabletop exercises.


Company Information

Name: Victory Capital Holdings, Inc.
CIK: 0001570827
SIC Description: Investment Advice
Ticker: VCTR - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30