Marcus & Millichap, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Marcus & Millichap, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:26:50 EST.

Filings

10-K filed on 2024-02-27

Marcus & Millichap, Inc. filed a 10-K at 2024-02-27 16:26:50 EST
Accession Number: 0001578732-24-000009


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.

Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. As part of this process, appropriate disclosure personnel collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. We also have a cybersecurity specific risk assessment process, which helps identify our cybersecurity threat risks.

As part of this process, and our processes to provide for the availability of critical data and systems, maintain regulatory compliance, identify and manage our risks from cybersecurity threats, and to protect against, detect, and respond to cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, we undertake the below listed activities, among others:

periodic comparison of our processes to standards set by the National Institute of Standards and Technology;
closely monitor emerging data protection laws and implement changes to our processes designed to comply;
undertake an annual review of our consumer-facing policies and statements related to cybersecurity;
conduct regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
conduct annual cybersecurity training for all employees and contractors, along with targeted training on a quarterly basis for specific subsets of employees identified through our phishing simulations;
through policy, practice and contract (as applicable) require employees, as well as third-parties who provide services on our behalf, to treat customer information and data with care;
conduct regular network and endpoint monitoring and vulnerability assessments to improve our information systems, as such term is defined in Item 106(a) of Regulation S-K;
carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident;
conduct vulnerability scans and leverage the scan results to continuously patch and manage our network as new threats emerge; and
active monitoring by our contracted 24x7 Security Operations Center.

Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. The incident response team assesses the severity and priority of incidents on a rolling basis, with escalations of higher severity cybersecurity incidents provided to our management team. If a cybersecurity incident is determined to be a material cybersecurity incident, our incident response processes define the steps to disclose such a material cybersecurity incident.

As part of the above processes, we regularly engage with assessors, consultants, auditors, and other third parties, including by regularly conducting technical and data reviews with our cybersecurity partners to help identify areas for continued focus, improvement and/or compliance.

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our broader overall risk assessment process, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence.
Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading "Technology and Cybersecurity Risks", which disclosure is incorporated by reference herein.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management. Our audit committee is responsible for the oversight of risks from cybersecurity threats. At least quarterly, the audit committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the audit committee generally receives materials indicating current and emerging material cybersecurity threat risks, and describing the company's ability to mitigate those risks, and discusses such matters with our Chief Information Officer. Members of the audit committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.

Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters like risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Officer. This individual has over 30 years of work experience in various technology roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs. This experience has included positions at large public companies. Our CIO also holds a degree in electrical engineering.

The firm's senior executive team, inclusive of the CEO, CFO, COOs, CAO and Legal, are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these members of management report to the audit committee about cybersecurity threat risks, among other cybersecurity related matters.


Company Information

Name: Marcus & Millichap, Inc.
CIK: 0001578732
SIC Description: Real Estate Agents & Managers (For Others)
Ticker: MMI - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30