GLOBAL MACRO TRUST 10-K Cybersecurity GRC - 2024-03-29

Page last updated on April 11, 2024

GLOBAL MACRO TRUST reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-29 17:13:52 EDT.

Filings

10-K filed on 2024-03-29

GLOBAL MACRO TRUST filed an 10-K at 2024-03-29 17:13:52 EDT
Accession Number: 0001145765-24-000002

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity 4 The Managing Owner has written procedures and policies that govern the Trust s general cybersecurity program. These policies and procedures include, among other things, the identification of risks, locations of information, management of third party risk and incident response, among other factors, and are designed to address real world concerns. The Cybersecurity Committee (the Committee ) of the Managing Owner is responsible for overseeing cyber and information security. The Committee meets at least quarterly to discuss cybersecurity risks and frequently holds more informal discussions in the interim. The Committee is subject to oversight by the board of directors of the Managing Owner (the Board ). The Committee is co-chaired by the Managing Owner s President/Chief Operating Officer, Chief Technology Officer/Co-Head of Trading, and General Counsel/Chief Compliance Officer who oversee day-to-day implementation of cyber and information security by employees with specialized expertise and experience in such matters. The Board is kept apprised of the cybersecurity policies and procedures on a formal basis at least annually, and is kept informed on a less formal basis through participation in training and policy updates. The Committee meets at least quarterly to discuss and review testing, cybersecurity risks/events and all other relevant matters. Committee members are given the opportunity at these meetings to ask questions of all relevant personnel. The Managing Owner utilizes a combination of statistics, data and testing by third party service providers and software in order to monitor and identify cybersecurity threats. To the extent those threats require immediate attention, they are dealt with and reported to the Committee thereafter in accordance with the procedures outlined in the Managing Owner s incident response plan. Other threats, as well as follow ups once threats are properly dealt with, are then discussed and analyzed by the Committee. Reports on these activities are discussed with the Board on at least an annual basis, with any material issues raised promptly to the Board as well. To assess the effectiveness of the Managing Owner s cybersecurity programs and to mitigate exposure, the Managing Owner has consulted with strategic partners, such as outside counsel specializing in this subject matter as well as the Managing Owner s cyber insurance provider. The Managing Owner also undertook a table top exercise designed to identify and mitigate issues and train personnel. The Managing Owner s head of risk management (who is also mentioned above as one of the co-chairmen of the Committee) participates in all Committee meetings and, as part of the risk management function, the Committee applies principles of risk management to its information security program. As with all risks identified by the Managing Owner, risks are identified and evaluated, with higher risk items receiving priority attention. The Managing Owner has undertaken efforts to mitigate cyber risks and their impact, including, but not limited to, certain implementation of firewalls, anti-virus/anti-malware, controls around remote network access, multi-factor authentication, system event monitoring and notifications and electronic surveillance, frequent backups, encryption and password protection, education and testing, supervision of third parties, limitations on access, vulnerability scanning, patch installation, physical safeguards, virus scanning, and penetration testing. Employees are required to complete initial cybersecurity training upon commencement of employment and, thereafter, on an annual basis. The training is designed by a third party service provider. The Managing Owner carries cyber insurance. The Managing Owner maintains formal cybersecurity procedures that are considered during contract review with respect to third party vendors handling and having access to information. The Managing Owner has not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the Managing Owner or the Trust s business strategy, results of operation or financial condition. Nonetheless, there is no guarantee that a future cyber incident would not materially affect the Managing Owner or the Trust s business strategy, results of operations or financial condition. Despite the various efforts the Managing Owner has undertaken to mitigate cyber risks and their impact, systems, networks and/or devices potentially can be breached. Such cybersecurity breaches may cause: (i) disruptions and impacts to business operations, potentially resulting in financial losses to the Trust and Unitholders (ii) interference with the Managing Owner s ability to calculate the value of an investment (iii) impediments to trading (iv) the inability of the Trust and its service providers to transact business (v) violations of applicable privacy and other laws (vi) regulatory fines, penalties, reputational damage, reimbursement or other compensation costs or additional compliance costs and (vii) the inadvertent release of confidential information. Similar adverse consequences could result from cybersecurity breaches affecting counterparties with which the Trust engages in transactions governmental and other regulatory authorities exchange and other financial market operators, banks, brokers, dealers, insurance companies and other financial institutions and other parties. In addition, substantial costs may be incurred by these entities in order to prevent any cybersecurity breaches in the future. The nature of malicious cyber-attacks is becoming increasingly sophisticated and the Trust cannot control the cyber systems and cybersecurity systems of counterparties or third party service providers. While, to date, we have not been subject to cyberattacks that, individually or in the aggregate, have been material to our operations or financial condition, the preventive actions we take to reduce the risks associated with cyberattacks may be insufficient to repel or mitigate the effects of a major cyberattack in the future.

Company Information