Tradeweb Markets Inc. 10-K Cybersecurity GRC - 2024-02-09

Page last updated on April 11, 2024

Tradeweb Markets Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-09 16:03:29 EST.

Filings

10-K filed on 2024-02-09

Tradeweb Markets Inc. filed an 10-K at 2024-02-09 16:03:29 EST
Accession Number: 0001758730-24-000025

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. As a leader in building and operating electronic marketplaces, we face a broad set of cybersecurity risks stemming from managing complex technology systems, handling sensitive data, and the digital nature of our business. Managing cybersecurity risk is critically important to our business. We have comprehensive cybersecurity risk management and governance systems in place across our global operations designed to support successful operation of our systems. Risk Management and Strategy We operate in an environment where cybersecurity risks is a dynamic and evolving factor. We are committed to appropriately managing and minimizing the impact of cybersecurity risk on the achievement of our business objectives. We view cybersecurity risk management as a fundamental business process essential to our overall success. As such, we have integrated our cybersecurity program into our comprehensive Risk Framework, which is in place to support the management and oversight of risk across our organization. The Risk Framework establishes a consistent approach for identifying, assessing, measuring, mitigating, and reporting on material risks, including cybersecurity risks. The Risk Framework is composed of process components such as risk governance, risk identification and assessment, risk measurement, risk response and remediation and risk analysis and reporting. 62 Table of Contents The general objectives for our cybersecurity program are to protect our information systems from cyber threats and to protect the confidentiality, integrity and availability of systems and information used, owned, or managed by Tradeweb and our customers. This involves a comprehensive and ongoing effort to protect against, detect, and respond to cybersecurity threats and vulnerabilities. Our cybersecurity program includes a number of components, such as: conducting regular risk assessments to identify potential vulnerabilities and threats; implementing strong cybersecurity frameworks by adopting policies, standards and guidelines derived from a combination of ISO/IEC 27001 principles, the National Institute of Standards and Technology Cybersecurity Framework and industry best practices; enforcing strict access control policies as appropriate; implementing strong encryption protocols; utilizing advanced threat detection systems; conducting regular security audits and penetration testing; conducting thorough security assessment of third-party vendors and service providers on an ongoing basis; and continuous monitoring of our and third-party systems. As part of our cybersecurity program, we have robust incident response and business continuity plans designed to provide a framework for quick and effective remediation of cyber issues, which are tested periodically throughout the year. Additionally, we have worked to create a culture of security by providing regular cybersecurity training to employees to raise awareness about various cyber threats like phishing, social engineering, and insider threats. We provide additional targeted training to individuals responsible for managing our information systems. We also maintain cyber insurance coverage intended to mitigate certain costs associated with certain cybersecurity events. In addition, each year, we undergo System and Organization Controls ( SOC ) 1 and SOC 2 audit reviews performed by an independent third-party firm to test our information technology systems internal controls. In 2023, we also engaged a third-party service provider to conduct a cybersecurity maturity assessment of our information security program. We also regularly engage additional assessors, auditors and service providers in connection with the implementation, assessment, enhancement and evaluation of our cybersecurity program, including our risk management processes. We have not been a victim of a cyber-attack or other cybersecurity incident that has had a material impact on us, our business strategy, results of operations or financial condition; however, we have from time to time experienced non-significant cybersecurity events, including attempted denial of service attacks, malware infections, phishing and other information technology events that are typical for an electronic financial services company of our size. An actual, threatened or perceived cyber-attack or breach of our security could materially affect us, including our business strategy, results of operations and financial condition in many ways, including through the loss of clients or client confidence, expenditure of significant costs to repair system, network or infrastructure damages as well as to protect against future cyber-attacks, security breaches or harm and potential litigation or other claims or actions, including from regulatory agencies. For additional information regarding risks related to cybersecurity threats, see Part I, Item 1A. Risk Factors Risks Relating to Cybersecurity and Intellectual Property Actual or perceived security vulnerabilities in our systems, networks and infrastructure, breaches of security controls, unauthorized access to confidential or personal information or cyber-attacks could harm our business, reputation and results of operations and Systems failures, interruptions, delays in service, catastrophic events and resulting interruptions in the availability of our platforms or solutions could materially harm our business and reputation. Governance Role of our Board of Directors The Board of Directors of Tradeweb Markets Inc. exercises direct oversight of the strategic risks to the Company. The Audit Committee of the Board reviews guidelines and policies governing the process by which senior management assesses and manages our exposure to risk, including our major financial and operational risk exposures including those derived from cybersecurity risk, and the steps management takes to monitor and control such exposures. Our Board and our Audit Committee each receive periodic reports from our Chief Information Security Officer and Chief Risk Officer to assess key cybersecurity risks for the Company and the measures implemented to mitigate them, as well as updates regarding changes to our cybersecurity risk profile or newly identified significant risks. In addition, the Audit Committee reports to the Board on these matters at each regularly scheduled Board meeting. The Board and Audit Committee provide feedback and recommendations accordingly. 63 Table of Contents Role of Management We operate on a three lines of defense risk governance model, with partnership and communication across the three lines. The first line of defense is comprised of the business and technology managers, the second line of defense is comprised of the Compliance, Risk and Information Security teams and the third line of defense is comprised of the Internal Audit function. The second and third lines of defense focus on providing the first line of defense with advisory and assurance functions for informed and actionable risk-based decisions. The Enterprise Risk Committee (the ERC ) is chaired by our Chief Risk Officer and includes our President, Chief Technology Officer, General Counsel, Global Head of Enterprise Risk, Chief Information Security Officer, Head of Global Compliance, Global Head of Human Resources, Head of Internal Audit and various global heads of business lines and corporate functions. The ERC is responsible for the governance and oversight of our Risk Framework, which includes cybersecurity risks. Its responsibilities include, supervising risk mitigation strategies and their implementation, overseeing compliance and regulatory aspects, managing crisis, approving risk tolerance, reviewing and approving material policy changes and evaluating the effectiveness of the organization s risk management practices. The ERC regularly obtains reports from the Chief Information Security Officer who maintains the primary responsibility for assessing and managing the cybersecurity risks, to evaluate the principal cybersecurity risks for the Company and review strategies in place to mitigate them. The ERC meets quarterly and reports to senior management, including the Chief Executive Officer and Chief Financial Officer. Senior management provides oversight and support in aligning cyber risk management with the Company s strategic decisions, fostering a culture of risk awareness across the organization and allocating adequate resources to support the initiatives. Our Chief Information Security Officer leads a highly qualified cybersecurity team in assessing, managing and reducing material risks from cybersecurity threats to protect critical operations and delivery of service. Our Chief Information Security Officer has over 25 years of industry experience, with more than a decade of CISO experience at various financial institutions. Many members of the cybersecurity team hold Certified Information Systems Security Professional and Certified Information Systems Auditor certifications. In addition, our Global Head of Enterprise Risk has over a decade of experience managing enterprise risk programs and maintains multiple information security certifications. We also belong to several professional and recognized industry organizations related to cybersecurity, including FS-ISAC, FCA Cyber Coordination Group and SIFMA in order to stay up-to-date on industry-wide trends.

Company Information