Goldman Sachs Physical Gold ETF 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Goldman Sachs Physical Gold ETF reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 17:12:12 EST.

Filings

10-K filed on 2024-03-07

Goldman Sachs Physical Gold ETF filed a 10-K at 2024-03-07 17:12:12 EST
Accession Number: 0001193125-24-062325


Item 1C. Cybersecurity.

Cyber Risk Management and Strategy

As a part of the overall risk management system for the Trust, processes are in place to assess, identify and manage material risks from cybersecurity threats. The Trust does not have any directors, officers, or employees. The Sponsor, an indirect, wholly owned subsidiary of The Goldman Sachs Group, Inc. ("Goldman Sachs") and an affiliate of Goldman Sachs & Co. LLC, generally oversees the performance of the Trustee and the Trust's principal service providers. The Trustee in turn is generally responsible for the day-to-day administration of the Trust. The Sponsor and the Trust rely on Goldman Sachs' cybersecurity policy, which also applies to the Trust. The Sponsor and the Trust also rely on the systems of GS Group Inc., its third-party service providers, and the Trust's service providers.

Goldman Sachs' cybersecurity risk management processes are integrated into its overall risk management processes. Goldman Sachs has established an Information Security and Cybersecurity Program (the "Cybersecurity Program"), administered by Technology Risk within Engineering, and overseen by Goldman Sachs' chief information officer. This program is designed to identify, assess, document, and mitigate threats; establish and evaluate compliance with information security mandates; adopt and apply the security control framework; and prevent, detect, and respond to security incidents. The Cybersecurity Program is periodically reviewed and modified to respond to changing threats and conditions. A dedicated Operational Risk team, which reports to the chief risk officer of Goldman Sachs, provides oversight of the Cybersecurity Program, independent of Technology Risk, and assesses the operating effectiveness of the program against industry standard frameworks and risk appetite-approved operational risk limits and thresholds.

Goldman Sachs' process for managing cybersecurity risk includes the critical components of its risk management framework, as well as the following:

- Training and education, to enable Goldman Sachs' people to recognize information and cybersecurity concerns and respond accordingly;
- Identity and access management, including entitlement management and production access;
- Application and software security, including software change management, open source software, and backup and restoration;
- Infrastructure security, including monitoring Goldman Sachs' network for known vulnerabilities and signs of unauthorized attempts to access the firm's data and systems;
- Mobile security, including mobile applications;
- Data security, including cryptography and encryption, database security, data erasure and media disposal;
- Cloud computing, including governance and security of cloud applications, and software-as-a-service data;
- Onboarding;
- Technology operations, including change management, incident management, capacity and resilience; and
- Third-party risk management, including vendor management and governance, and cybersecurity and business resiliency on vendor assessments.

In conjunction with third-party vendors and consultants, Goldman Sachs performs risk assessments to gauge the performance of the Cybersecurity Program, to estimate its risk profile and to assess compliance with relevant regulatory requirements. Goldman Sachs performs periodic assessments of control efficacy through its internal risk and control self-assessment process, as well as a variety of external technical assessments, including external penetration tests and red team engagements where third parties test its defenses. The results of these risk assessments, together with control performance findings, are used to establish priorities, allocate resources, and identify and improve controls.

Goldman Sachs uses third parties, such as outside forensics firms, to augment its cyber incident response capabilities. Goldman Sachs and its third-party service providers have a vendor management program that documents a risk-based framework for managing third-party vendor relationships (including those of the Trust). Information security risk management is built into the vendor management process, which covers vendor selection, onboarding, performance monitoring and risk management.

Cyber Risk Governance

GS Group Inc.'s board of directors (the "GS Board") provides strategic oversight on cybersecurity matters generally, including oversight of material risks associated with cybersecurity threats. The GS Board, both directly and through its committees, including its Risk and Audit Committees, receives periodic reports and updates from an officer of Goldman Sachs regarding the overall state of the cybersecurity program, the current cybersecurity threat landscape, material risks from cybersecurity threats, cybersecurity incidents, risk management policies and/or risk assessment initiatives. The chief risk officer, chief information officer and chief technology officer of Goldman Sachs, among others, periodically brief the GS Board on operational and technology risks, including cybersecurity risks. The GS Board also receives regular briefings from the chief information security officer of Goldman Sachs ("CISO") on a range of cybersecurity-related topics, including the status of the Cybersecurity Program, emerging cybersecurity threats, mitigation strategies and related regulatory engagements. In addition, these are topics on which various directors maintain an ongoing dialogue with the CISO, chief information officer, and chief technology officer.

The CISO is responsible for managing and implementing the Cybersecurity Program and reports directly to the chief information officer. The CISO oversees the Technology Risk team, which assesses and manages material risks from cybersecurity threats, sets firmwide control requirements, assesses adherence to controls, and oversees incident detection and response.

Goldman Sachs has a series of committees that oversee the implementation of the cybersecurity risk management strategy and framework. These committees are informed about cybersecurity incidents and risks by designated members of the Technology Risk and Operational Risk teams, who periodically report to these committees about the Cybersecurity Program, including the efforts of the Technology Risk and Operational Risk teams to prevent, detect, mitigate and remediate incidents and threats. These committees enable formal escalation and reporting of risks, and the CISO and other members of Technology Risk provide regular briefings to these committees. The following are the primary committees and steering groups that oversee Goldman Sachs' Cybersecurity Program:

- The Firmwide Operational Risk and Resilience Committee is responsible for overseeing operational risk and seeks to ensure business and operational resilience.
- The Firmwide Technology Risk Committee reviews matters related to the design, development, deployment and use of technology. This committee oversees cybersecurity matters, as well as technology risk management frameworks and methodologies, and monitors their effectiveness. This committee is chaired by the chief technology officer and reports to the Firmwide Operational Risk and Resilience Committee.
- The Engineering Risk Steering Group oversees Engineering risk decisions, monitors control performance and reviews approaches to comply with current and emerging regulation applicable to Engineering. This committee is chaired by the CISO (who also serves on the Firmwide Technology Risk Committee) and reports to the Firmwide Technology Risk Committee.

Assessment of Cybersecurity Risk

The potential impact of risks from cybersecurity threats is assessed on an ongoing basis, and how such risks could materially affect the Trust's business strategy, operational results, and financial condition is regularly evaluated. During the reporting period, the Trust did not identify any risks from cybersecurity threats, including previous cybersecurity incidents, that the Trust believes materially affected, or are reasonably likely to materially affect, the Trust, including its business strategy, operational results, and financial condition.


Company Information

Name: Goldman Sachs Physical Gold ETF
CIK: 0001708646
SIC Description: Commodity Contracts Brokers & Dealers
Ticker: AAAU - CBOE
Website:
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: December 30