Virtu Financial, Inc. 10-K Cybersecurity GRC - 2024-02-16

Page last updated on April 11, 2024

Virtu Financial, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 16:30:10 EST.

Filings

10-K filed on 2024-02-16

Virtu Financial, Inc. filed an 10-K at 2024-02-16 16:30:10 EST
Accession Number: 0001592386-24-000026

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Virtu has established a Global Security team that, together with the Company’s Chief Information Security Officer ( CISO ), is responsible for the strategic planning, execution, and enforcement of security initiatives and policies for the Company s business units (the Security Program ). The CISO reports directly to the Chief Executive Officer, and together with the Global Security team, possesses significant experience in various roles involving managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs. As part of its Security Program, the Company has developed policies and procedures governing cybersecurity (the Cybersecurity Program ). Virtu s Cybersecurity Program is driven by a threat analysis, laying out standards and requirements pertaining to, but not limited to, penetration testing, endpoint protection, incident management, access controls, mobile security, data classification, third-party access, encryption, system hardening and patching, vulnerability management, passwords, data destruction, physical security, and vendor risk assessment. We also conduct training and awareness exercises to mitigate employee-related cyber risks. In addition to these elements of the Cybersecurity Program aimed at mitigating risk, the Company has developed an Incident Management procedure that addresses escalation and reporting of security incidents in the event that they do occur and has conducted various cross-functional table top exercises to develop and refine a coordinated response plan. The Company also maintains insurance coverage that, subject to its terms and conditions, is intended to address costs associated with certain aspects of cyber-related incidents. These processes are intended to identify and remediate cybersecurity incidents, and also provide the framework for our proactive identification, assessment, and management of potentially material risks from a wide range of cybersecurity threats. Risks identified through these processes are identified to and evaluated by our CISO, who periodically reports to our Board and Risk Committee as described below on any such risks determined by the Global Security team to be potentially material. Our Cybersecurity Program is periodically evaluated by internal and external experts through penetration and vulnerability testing and other exercises which help us identify and assess material risks, evaluate the effectiveness of our Security Program in mitigating and managing these risks, and improve our security measures and planning, including by comparison to other companies and to industry standards. The results of these assessments are reviewed by our CISO and other members of management and are shared with the Risk Committee of our Board of Directors (the Risk Committee ). Our Risk Committee assists our Board of Directors (the Board ) in its oversight of cybersecurity risk in accordance with its charter. The Risk Committee receives at least annually, and the Board receives periodically reports from our CISO and other members of senior management, which include updates on the Company s cyber risks and threats, its Cybersecurity Program, the status of projects to augment our information security systems, assessments of the Security Program, and the emerging threat landscape. We face a number of cybersecurity risks in connection with our business. Although we maintain and enforce our Cybersecurity Program, we may not detect or prevent all attempts to compromise our systems or otherwise cause breaches or disruptions, which could result in material impacts to our operations or financial condition. As of the date of the filing of this Annual Report on Form 10-K, we are not aware of any material impact to our results of operations or financial conditions resulting from cyberattacks or other information security breaches. For more information about the cybersecurity risks we face, see the risk factor entitled We could be the target of a significant cyber-attack, threat or incident that impairs internal systems, results in adverse consequences to information our system process, store or transmit or causes reputation or monetary damages as a consequence in Item 1A- Risk Factors. 42

Company Information