Victory Capital Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Victory Capital Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 13:37:19 EST.

Filings

10-K filed on 2024-02-29

Victory Capital Holdings, Inc. filed a 10-K at 2024-02-29 13:37:19 EST
Accession Number: 0000950170-24-022869

Item 1C. Cybersecurity.

Risk Management and Strategy

Our Information Security Committee (the ISC) oversees and implements a cybersecurity program that seeks to assess, identify and protect against cyber security threats and detect, respond, and recover from cyber security incidents. The program is modeled upon the National Institute of Standards and Technology Cybersecurity Framework, a well-established and widely adopted framework in the financial services industry. The ISC is chaired by our Chief Information Security Officer (CISO) and membership includes executive and management level representation from our technology, legal, and compliance departments.

Our cybersecurity program assesses our cybersecurity risk profile through inventories of physical devices, software, and information systems, evaluations of critical third-party systems, and a catalogue of security risks. Periodic assessments are conducted to ensure the risk catalog is up to date.

We protect our information systems, data, and network through technical and procedural controls and security awareness training. We deploy multiple technical controls to achieve a layered security strategy including systems access controls, firewalls, web application gateways, antivirus software, e-mail filtering, and endpoint protection. Security awareness training is mandatory for all employees and conducted at hire and periodically on topics such as phishing, ransomware, social engineering, public Wi-Fi risks, password security, and mobile device security. Training is supplemented by testing initiatives, including periodic phishing tests, which may result in targeted or remedial training.

We use a third-party security operations center and endpoint management and response service to continuously monitor information systems for emergent events including anomalous, suspicious, and unauthorized network activity. Detected events are immediately triaged and evaluated for threat potential and impact. We also engage third-party providers to perform penetration testing designed to identify vulnerabilities for remediation. We rotate penetration testing providers to diversify testing approaches.

At this time, we are not aware of any risks from cybersecurity threats, including as a result of any previous cyber security incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Despite our efforts to prevent and detect cybersecurity threats and incidents, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. Refer to Item 1A. Risk factors in this annual report on Form 10-K for additional discussion about cybersecurity-related risks.

Governance

Role of the Board of Directors and Management

The Audit Committee of the Board of Directors oversees our enterprise risk management, which includes cybersecurity. The Chair of the ISC reports on our cybersecurity program to our Board at least annually.

Our CISO and Chief Technology Officer (CTO) oversee our day-to-day technology and security activities. Our CISO has been with the firm since 2013 and has over 20 years of IT experience in various industries. He is a Certified Chief Information Security Officer from the Carnegie Mellon University executive education program, as well as a Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP). Our CTO joined the firm in 2020 with 25 years of IT experience, including 12 years of executive level technology experience in the asset management industry.

The CISO serves as the Chair of the ISC which serves as the steering committee for aligning our overall security strategy with business objectives and is responsible for overseeing the cataloguing of cybersecurity risks and assessments described above. These risks are carried through to our management-level Enterprise Risk Committee which maintains a broader inventory of risk, providing another layer of governance oversight. The third-party security operations center and endpoint managed detection and response service is overseen by the CISO. Management also maintains a Vendor Oversight Committee which provides additional governance over the risks associated with use of third-party vendors, including cybersecurity risk. The Chair of the Enterprise Risk Committee and the Vendor Oversight Committee also reports on its activities to the Audit Committee at least annually.

In the event of a potential cybersecurity incident, the third-party security operations center is authorized to take preemptive action to address the incident and must promptly notify a member of the ISC. The ISC coordinates the response to and communication of an incident in accordance with our Incident Response Plan (IRP) and applicable law. The IRP is designed to provide guidance for effective, efficient, and orderly response to a variety of cybersecurity incidents. The ISC is responsible for communication escalation as necessary up to and including to the Board of Directors.


Company Information

Name: Victory Capital Holdings, Inc.
CIK: 0001570827
SIC Description: Investment Advice
Ticker: VCTR - Nasdaq
Category: Large accelerated filer
Fiscal Year End: December 30