Ceres Classic L.P. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on July 16, 2024

Ceres Classic L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 10:16:26 EDT.


10-K filed on 2024-03-22

Ceres Classic L.P. filed a 10-K at 2024-03-22 10:16:26 EDT
Accession Number: 0001193125-24-074760

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cyber Security . Risk management and strategy The Partnership has no directors or executive officers and its affairs are managed by its General Partner. The General Partner is a wholly-owned subsidiary of MSCM. MSCM is ultimately owned by Morgan Stanley. Morgan Stanley, its businesses, the General Partner, the Partnership, and the broader financial services industry face an increasingly complex and evolving threat environment. Morgan Stanley has made and continues to make substantial investments in cybersecurity and fraud prevention technology, and employ experienced talent to lead its Cybersecurity and Information Security organizations and program under the oversight of the Morgan Stanley Board of Directors (the “Board”) and the Operations and Technology Committee of the Board (the “BOTC”). See “Risk Factors - The General Partner, the Partnership, the Funds and their respective service providers (including the Advisors) and operations are potentially vulnerable to cyber-security attacks or incidents” for information on risks to the Partnership from cybersecurity threats. As part of its enterprise risk management (“ERM”) framework, Morgan Stanley has implemented and maintains a program to assess, identify and manage risks arising from the cybersecurity threats (the “Cybersecurity Program”). The Cybersecurity Program has been adopted by the General Partner, and applies to its business, as relevant. The Cybersecurity Program helps protect Morgan Stanley’s clients, customers, employees, property, products, services and reputation by seeking to preserve the confidentiality, integrity and availability of information, enable the secure delivery of financial services, and protect the business and the safe operation of Morgan Stanley’s technology systems. Morgan Stanley continually adjusts the Cybersecurity Program to address the evolving cybersecurity threat landscape and comply with extensive legal and regulatory expectations. Processes for assessing, identifying and managing material risks from cybersecurity threats The Cybersecurity Program takes into account industry best practices and addresses risks from cybersecurity threats to Morgan Stanley’s network, infrastructure, computing environment and the third parties that Morgan Stanley, and its affiliates rely on. Morgan Stanley periodically assesses the design of its cybersecurity controls against the Cyber Risk Institute Cyber Profile, which is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity, as well as global cybersecurity regulations, and develops improvements to those controls in response to that assessment. The Cybersecurity Program also includes cybersecurity and information security policies, procedures and technologies that are designed to address regulatory requirements and to protect clients’, employees’ and Morgan Stanley’s own data against unauthorized disclosure, modification and misuse. These policies, procedures and technologies cover a broad range of areas, including: identification of internal and external threats, access control, data security, protective controls, detection of malicious or unauthorized activity, incident response, and recovery planning. 16 The threat intelligence function within the Cybersecurity Program actively engages in private and public information sharing communities and leverages both commercial and proprietary products to collect a wide variety of industry and governmental information regarding the latest cybersecurity threats, which informs the cybersecurity risk assessments and strategy. This information is also provided to an internal forensics team, which develops and implements technologies designed to help detect these cybersecurity threats. Where a potential threat is identified, an incident response team evaluates the potential impact, and coordinates remediation where required. These groups, as well as Morgan Stanley’s Operational Risk Department (the “Operational Risk Department”), review external cybersecurity incidents that may be relevant to Morgan Stanley and its affiliates, and the outcomes of these incidents further inform the design of the Cybersecurity Program. In addition, Morgan Stanley maintains a robust global training program on cybersecurity risks and requirements and conducts regular phishing email simulations for its employees and consultants. The cybersecurity processes are designed to help oversee, identify and mitigate risks associated with Morgan Stanley’s use of third-party vendors. Morgan Stanley maintains a third-party risk management program that includes evaluation of, and response to, cybersecurity risks at its third-party vendors. Prior to engaging third-party vendors to provide services, Morgan Stanley conducts assessments of the third-party vendors’ cybersecurity programs to identify the impact of their services on the cybersecurity risks to Morgan Stanley. Once on-boarded, third-party vendors’ cybersecurity programs are subject to risk-based oversight, which may include security questionnaires, submission of independent security audit reports or an audit of the third-party vendor’s security program, and, with limited exceptions, third-party vendors are required to meet Morgan Stanley’s cybersecurity standards. Where a third-party vendor cannot meet those standards, its services, and the residual risk, are subject to review, challenge and escalation through Morgan Stanley’s risk management processes and ERM committees, which may ultimately result in requesting increased security measures or ceasing engagement with such third-party vendor. The Cybersecurity Program is regularly assessed by Morgan Stanley’s Internal Audit Department (“IAD”) through various assurance activities, with the results reported to the Audit Committee of the Board (“BAC”) and the BOTC. Annually, certain elements of the Cybersecurity Program are subject to an audit by an independent consultant, as well as an assessment by a separate, independent third party, the results of which, including opportunities identified for improvement and related remediation plans, are reviewed with the BOTC. The Cybersecurity Program is also examined regularly by Morgan Stanley’s prudential and conduct regulators within the scope of their jurisdiction. 17 Governance Morgan Stanley Management’s role in assessing and managing material risks from cybersecurity threats The Cybersecurity Program is operated and maintained by management, including Morgan Stanley’s Chief Information Officer of Cyber, Data, Risk and Resilience (“CIO”) and Morgan Stanley’s Chief Information Security Officer (“CISO”). These senior officers are responsible for assessing and managing the Firm’s cybersecurity risks. The General Partner adheres to the Cybersecurity Program’s policies and participates in periodic testing. The Cybersecurity Program strategy, which is set by the CISO and overseen by the Head of the Operational Risk Department, is informed by various risk and control assessments, control testing, external assessments, threat intelligence, and public and private information sharing. The Cybersecurity Program also includes processes for escalating and considering the materiality of incidents that impact Morgan Stanley and its affiliates, including escalation to senior management and the Board, which are periodically tested through tabletop exercises. The members of management that lead the Cybersecurity Program and strategy have extensive experience in technology, cybersecurity and information security. The CIO has over 30 years of experience in various engineering, IT, operations and information security roles. The CISO has over 25 years of experience leading cybersecurity teams at financial institutions, including in the areas of IT strategy, risk management and information security. The Head of the Operational Risk Department has over 20 years of experience in technology, security and compliance roles, including experience in government security agencies. Risk levels and mitigating measures are presented to and monitored by dedicated management-level cybersecurity risk committees. These committees include representatives from management as well as business and control stakeholders who review, challenge and, where appropriate, consider exceptions to its policies and procedures. Significant cybersecurity risks are escalated from these committees to Morgan Stanley’s non-financial risk committee. The CIO and the Head of the Operational Risk Department report on the status of the Cybersecurity Program, including significant cybersecurity risks; review metrics related to the program; and discuss the status of regulatory and remedial actions and incidents to Morgan Stanley’s non-financial risk committee, the BOTC and the Board, as appropriate.

Company Information

NameCeres Classic L.P.
SIC DescriptionCommodity Contracts Brokers & Dealers
CategoryNon-accelerated filer
Fiscal Year EndDecember 30