MORGAN STANLEY 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 22, 2024

MORGAN STANLEY reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-02-22 16:08:52 EST.

Filings

10-K filed on 2024-02-22

MORGAN STANLEY filed a 10-K at 2024-02-22 16:08:52 EST
Accession Number: 0000895421-24-000300

Item 1C. Cybersecurity.

Risk management and strategy

We, our businesses, and the broader financial services industry face an increasingly complex and evolving threat environment. We have made and continue to make substantial investments in cybersecurity and fraud prevention technology, and employ experienced talent to lead our Cybersecurity and Information Security organizations and program under the oversight of our Board of Directors (“Board”) and the Operations and Technology Committee of the Board (“BOTC”). See “Risk Factors-Operational Risk” for information on risks to the Firm from cybersecurity threats.

As part of our enterprise risk management (“ERM”) framework, we have implemented and maintain a program to assess, identify and manage risks arising from the cybersecurity threats confronting the Firm (“Cybersecurity Program”). Our Cybersecurity Program helps protect our clients, customers, employees, property, products, services and reputation by seeking to preserve the confidentiality, integrity and availability of information, enable the secure delivery of financial services, and protect the business and the safe operation of our technology systems. We continually adjust our Cybersecurity Program to address the evolving cybersecurity threat landscape and comply with extensive legal and regulatory expectations.

Processes for assessing, identifying and managing material risks from cybersecurity threats

Our Cybersecurity Program takes into account industry best practices and addresses risks from cybersecurity threats to our network, infrastructure, computing environment and the third parties that we rely on. We periodically assess the design of our cybersecurity controls against the Cyber Risk Institute Cyber Profile, which is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity, as well as global cybersecurity regulations, and develop improvements to those controls in response to that assessment. Our Cybersecurity Program also includes cybersecurity and information security policies, procedures and technologies that are designed to address regulatory requirements and protect our clients’, employees’ and own data against unauthorized disclosure, modification and misuse. These policies, procedures and technologies cover a broad range of areas, including: identification of internal and external threats, access control, data security, protective controls, detection of malicious or unauthorized activity, incident response, and recovery planning.

Our threat intelligence function within the Cybersecurity Program actively engages in private and public information sharing communities and leverages both commercial and proprietary products to collect a wide variety of industry and governmental information regarding the latest cybersecurity threats, which informs our cybersecurity risk assessments and strategy. This information is also provided to an internal forensics team, which develops and implements technologies designed to help detect these cybersecurity threats across our environment. Where a potential threat is identified in our environment, our incident response team evaluates the potential impact to the Firm and coordinates remediation where required. These groups, as well as the Operational Risk Department, review external cybersecurity incidents that may be relevant to the Firm, and the outcomes of these incidents further inform the design of our Cybersecurity Program. In addition, we maintain a robust global training program on cybersecurity risks and requirements and conduct regular phishing email simulations for our employees and consultants.

Our processes are designed to help oversee, identify and mitigate cybersecurity risks associated with our use of third-party vendors. We maintain a third-party risk management program that includes evaluation of, and response to, cybersecurity risks at our third-party vendors. Prior to engaging third-party vendors to provide services to the Firm, we conduct assessments of the third-party vendors’ cybersecurity programs to identify the impact of their services on the cybersecurity risks to the Firm. Once on-boarded, third-party vendors’ cybersecurity programs are subject to risk-based oversight, which may include security questionnaires, submission of independent security audit reports or a Firm audit of the third-party vendor’s security program, and, with limited exceptions, third-party vendors are required to meet our cybersecurity standards. Where a third-party vendor cannot meet those standards, its services, and the residual risk to the Firm, are subject to review, challenge and escalation through our risk management processes and ERM committees, which may ultimately result in requesting increased security measures or ceasing engagement with such third-party vendor.

Our Cybersecurity Program is regularly assessed by the Internal Audit Department (“IAD”) through various assurance activities, with the results reported to the Audit Committee of the Board (“BAC”) and the BOTC. Annually, certain elements of the Cybersecurity Program are subject to an audit by an independent consultant, as well as an assessment by a separate, independent third party, the results of which, including opportunities identified for improvement and related remediation plans, are reviewed with the BOTC. Our Cybersecurity Program is also examined regularly by the Firm’s prudential and conduct regulators within the scope of their jurisdiction.

Governance

Management’s role in assessing and managing material risks from cybersecurity threats

Our Cybersecurity Program is operated and maintained by management, including the Chief Information Officer of Cyber, Data, Risk and Resilience (“CIO”) and the Chief Information Security Officer (“CISO”). These senior officers are responsible for assessing and managing the Firm’s cybersecurity risks. Our Cybersecurity Program strategy, which is set by the CISO and overseen by the Head of Operational Risk, is informed by various risk and control assessments, control testing, external assessments, threat intelligence, and public and private information sharing. Our Cybersecurity Program also includes processes for escalating and considering the materiality of incidents that impact the Firm, including escalation to senior management and the Board, which are periodically tested through tabletop exercises.

The members of management that lead our Cybersecurity Program and strategy have extensive experience in technology, cybersecurity and information security. The CIO has over 30 years of experience in various engineering, IT, operations and information security roles. The CISO has over 25 years of experience leading cybersecurity teams at financial institutions, including in the areas of IT strategy, risk management and information security. The Head of Operational Risk has over 20 years of experience in technology, security and compliance roles, including experience in government security agencies.

Risk levels and mitigating measures are presented to and monitored by dedicated management-level cybersecurity risk committees. These committees include representatives from Firm management as well as business and control stakeholders who review, challenge and, where appropriate, consider exceptions to our policies and procedures. Significant cybersecurity risks are escalated from these committees to our Non-Financial Risk Committee. The CIO and the Head of Operational Risk report on the status of our Cybersecurity Program, including significant cybersecurity risks; review metrics related to the program; and discuss the status of regulatory and remedial actions and incidents to the Firm Risk Committee, the BOTC and the Board, as appropriate. For more information regarding the Firm’s ERM framework, see “Quantitative and Qualitative Disclosures about Risk-Risk Management.”

Board of Directors’ oversight of risks from cybersecurity threats

As discussed above, material cybersecurity risks are addressed by management-level ERM committees with escalation to the BOTC and Board, as appropriate. The BOTC has primary responsibility for assisting the Board in its oversight of significant operational risk exposures of the Firm and its business units, including IT, information security, fraud, third-party oversight, business disruption and resilience, and cybersecurity risks (including review of cybersecurity risks against established risk management methodologies) and the steps management has taken to monitor and control such exposures.

In accordance with its charter, the BOTC receives quarterly reports from (i) the Technology Department (“Technology”), including the CIO or the CISO; (ii) the Operations Department (“Operations”); and (iii) the Non-Financial Risk Management Department (“NFR”). Such reporting includes updates on our Cybersecurity Program, risks from cybersecurity threats, our programs to address and mitigate the risks associated with the evolving cybersecurity threat environment, and the Operational Risk Department’s assessment of cybersecurity risks. Senior officers in Technology and NFR also provide an annual report to the BOTC on the status of our Cybersecurity Program, including a discussion of risks arising from cybersecurity threats, in compliance with the Gramm-Leach-Bliley Act. At least annually, these senior management representatives discuss the status of the Cybersecurity Program and key cybersecurity risks with the Board. The BOTC also receives an annual independent assessment of key aspects of our Cybersecurity Program from an external party and holds joint meetings with the BAC and Risk Committee of the Board (“BRC”), as necessary and appropriate. In addition, members of the BOTC periodically participate in incident response tabletop exercises and the BOTC periodically receives reports from incident response tabletop exercises performed by and for management.

At least annually, the BOTC or the Board reviews and approves the Global Cybersecurity Program Policy, the Global Information Security Program Policy, the Global Third-Party Risk Management Policy, and the Global Technology Policy. The chair of the BOTC regularly reports to the Board on risks from cybersecurity threats and other matters reviewed by the BOTC. In accordance with the Board’s Corporate Governance Policies, all Board members are invited to attend BOTC meetings and have access to meeting materials.

Senior management, including the senior officers mentioned above, discuss cybersecurity developments with the chair of the BOTC between Board and committee meetings, as necessary. The BOTC meets regularly in executive session with management, including the Head of NFR, and senior officers from Technology and Operations.


Company Information

Name: MORGAN STANLEY
CIK: 0000895421
SIC Description: Security Brokers, Dealers & Flotation Companies
Tickers: MS (NYSE), MS-PA (NYSE), MS-PK (NYSE), MS-PI (NYSE), MS-PF (NYSE), MS-PE (NYSE), MS-PL (NYSE), MS-PO (NYSE), MS-PP (NYSE), MSTLW (OTC)
Category: Large accelerated filer
Fiscal Year End: December 31