WESTWOOD HOLDINGS GROUP INC 10-K Cybersecurity GRC - 2025-03-05

Page last updated on March 5, 2025

WESTWOOD HOLDINGS GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-05 16:47:03 EST.

Filings

10-K filed on 2025-03-05

WESTWOOD HOLDINGS GROUP INC filed a 10-K at 2025-03-05 16:47:03 EST
Accession Number: 0001165002-25-000022

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We have invested significantly over the past several years to enhance our cybersecurity governance. We have expanded our control access to data and systems, invested in firewalls and security systems, elevated internal awareness through trainings and exercises, and upgraded our systems, programs and intrusion monitoring. We conduct periodic vulnerability assessments based on our use of technology, third party vendor relationships and reported changes in cybercrime methodologies, and in response to any attempted cyber incident, among other circumstances. Our goal is to protect all the assets of our clients and safeguard the proprietary and confidential information of Westwood and its employees, which is a fundamental responsibility of every Westwood employee. Westwood is responsible for distributing our policies and procedures to employees and conducting appropriate employee training to ensure employees’ adherence to our policies and procedures. Repeated or serious violations of our policies by employees or independent contractors may result in disciplinary action against such persons, which may include restricted permissions or prohibitions and/or termination. Our President and Chief Operating Officer is responsible for reviewing, maintaining and enforcing our policies and procedures to ensure we meet our overall cybersecurity goals and objectives, while at a minimum, ensuring compliance with applicable federal and state laws and regulations. We have designed procedures to implement our cybersecurity policy, minimize cybersecurity threats to our clients and conduct reviews to monitor and ensure our policy is observed, properly implemented and amended or updated as necessary, including cybersecurity oversight, periodic risk assessments and external consultant reviews, access restrictions, ongoing training, governance policies and procedures, authentication protocols, secure access measures, and policies for elevating suspicious activities. Westwood has an established vendor management policy, which considers risks related to new or existing vendors, defines new vendor selection, vendor renewal, vendor monitoring and vendor risk assessment. The review of vendors is led by our Chief Compliance Officer and each vendor relationship owner, and involves reviewing System and Organization Controls reports, Statement on Standards for Attestation Engagements number 18 reports, and other reviews of internal controls. Westwood’s Board is responsible for overseeing the effective execution of our overall cybersecurity programs. Along with management, our Board reviews our cybersecurity efforts and programs and is informed of cybersecurity risks primarily through discussions with management, educational sessions and exercises. Our Board’s responsibilities include, but are not limited to: 20 a. Overseeing effective implementation of cybersecurity initiatives and alignment with our policies and strategies; b. Oversight of the continued and consistent implementation of our cybersecurity policies and procedures; and c. Promoting overall corporate commitment to cybersecurity. Westwood management is responsible for the execution of the framework for the management of our information security. These responsibilities include, but are not limited to: a. Designing, implementing and executing our framework for information security management; b. Reviewing and updating our policies and procedures annually; c. Assigning all data within Westwood to an appropriate owner, and ensuring data owners have knowledge of such data and have an information classification selected for that data; d. Ensuring annual compliance with our information security management policies and procedures; e. Application and execution of our risk management framework in the event of a potential issue; and f. Development and execution of an action plan for each potential issue to address risks via remediating, mitigating, accepting or closing the issue. Our management members, specifically our Chief Executive Officer, Chief Financial Officer, President and Chief Operating Officer, Information Security Officer and Chief Compliance Officer, have cybersecurity expertise gained through years of training, internal and external discussions, numerous learning exercises, and development, execution and evaluation of our cybersecurity policies. If a potential cybersecurity breach were to be identified, management would implement its incident response plan. This plan, which provides for a quick, effective and orderly response to information security incidents relies on our Incident Response Team (“IRT”) to report findings to management and the appropriate authorities as necessary. The IRT, comprised of various cross-functional subject matter experts, is also responsible for: a. detecting and analyzing suspicious events that might indicate a breach has occurred; and b. containing, eradicating and restoring normal operations through quick responses, isolating and preserving evidence to aid in remediation and assisting investigators, isolating additional systems from being impacted by the situation being remediated, tracking issues, communicating a strategy and protocol to follow to maintain control of information and confidentiality and to ensure members of the IRT and Westwood management are kept informed of issues as the incident develops and is resolved, and developing and implementing strategies for ensuring the integrity of impacted information systems and critical information hosted on those systems. In the event of a cybersecurity breach Westwood management notifies our Board as soon as practicable, along with other affected parties including clients, regulatory bodies, third parties and employees, as necessary and required by applicable laws and regulations.

Company Information