B. Riley Financial, Inc. 10-K Cybersecurity GRC - 2024-04-23

Page last updated on April 24, 2024

B. Riley Financial, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-23 21:50:55 EDT.

Company Summary

B. Riley Financial is a diversified provider of financial and business advisory services.

Filings

10-K filed on 2024-04-23

B. Riley Financial, Inc. filed a 10-K at 2024-04-23 21:50:55 EDT
Accession Number: 0001628280-24-017512

Item 1C. Cybersecurity.

We have processes in place for assessing, identifying, and managing material risks from potential unauthorized occurrences on or through our electronic information systems that could adversely affect the confidentiality, integrity, or availability of our information systems or the information residing on those systems. These processes include internal and external vulnerability management systems, security grading systems, scanning systems, firewalls and breach alert systems, among others. Such systems and processes are designed to prevent, detect, or mitigate data loss, theft, misuse, unauthorized access, or other security incidents or vulnerabilities affecting the data. The data include confidential, proprietary, and business and personal information that we collect, process, store, and transmit as part of our business, including on behalf of third parties. As part of our risk management process, we conduct monthly vulnerability scans, annual penetration testing, phishing tests, annual risk assessments, and ad-hoc application security assessments. We also maintain a variety of playbooks for our incident response plan that are utilized when incidents are detected. We require employees with access to information systems, including all corporate employees, to undertake data protection and cybersecurity and compliance training at least annually. In addition, we engage certain third-party security providers to assist with assessing, identifying, and managing cybersecurity risks. Such services include but are not limited to managed security providers, assessors, consultants, auditors, and penetration testers. We also use a third party vendor management software to assess the security posture of other material third party vendors to reduce the impact of a security incident from such vendors. As discussed below, we rely on notifications from third-parties and other external alert systems to identify material risks that may exist with such parties.
Our cybersecurity team is led by our chief information security officer, who is responsible for implementing and maintaining cybersecurity and data protection practices at the Company in close coordination with senior management and other teams across the Company. The chief information security officer provides regular updates to the Cybersecurity Committee (discussed further below) of which he is also a member. Our chief information security officer has extensive cybersecurity knowledge and skills gained from over 19 years of experience at the Company as chief information security officer and chief information officer where he has been responsible for implementing and maintaining cybersecurity and data protection practices, implementing complex technology solutions, and managing large groups of technology professionals. He holds multiple cybersecurity industry focused certifications and reports directly to the Co-Chief Executive Officer. Cybersecurity incidents come to the attention of the Company from the cybersecurity team which may be notified of such incidents from internal vulnerability monitoring systems, third-party vendors, government or industry alerts, media broadcasts, or employee self-reporting. Risk assessment and mitigation efforts related to cybersecurity incidents are subject to oversight by the Cybersecurity Committee, which monitors the prevention, detection, and remediation of such incidents. The Cybersecurity Committee, which is comprised of directors from different divisions within the Company, as well as members of the cybersecurity team and the chief information security officer, oversees Company policies and procedures for protecting cybersecurity infrastructure and for compliance with applicable data protection and security regulations, and related risks. The Cybersecurity Committee meets at least quarterly or whenever a material cybersecurity incident is identified at the Company. 
Material cybersecurity incidents, as well as mitigation efforts related to such incidents, are promptly reported to senior management. Our cybersecurity risks and associated mitigation efforts are continuously monitored and evaluated by senior management as part of the Company's overall risk management process. In addition, a report prepared by the chief information security officer outlining any material cyber risks as well as any mitigation efforts is presented by the chief information security officer to the Audit Committee of our Board of Directors on a quarterly basis as part of the Company's enterprise risk assessment.
On April 5, 2024, Targus discovered that a threat actor gained unauthorized access to certain of Targus' file systems. Upon discovery and with assistance from external cybersecurity counsel and consultants, Targus immediately activated its incident response and business continuity protocols to investigate, contain, and remediate the incident. Through this process, proactive containment measures to disrupt unauthorized access resulted in a temporary interruption in the business operations of the Targus network. The incident has been contained and Targus systems recovery efforts are in process. While the investigation is ongoing and the incident has temporarily disrupted Targus business operations, as of the date of this filing, the Company does not currently believe that this incident will materially impact the Company's financial condition or results of operations taken as a whole. Business operations for each of the Company's other subsidiaries have continued without disruption in all material respects, and no other Company business has been affected. Targus systems are not shared with or connected to the systems of other Company businesses and no other Company business has been affected.
Targus has notified relevant regulatory authorities and will work with law enforcement with respect to the unauthorized access to information. The Company is not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. Additional information about cybersecurity risks we face is discussed in Item 1A of Part I, Risk Factors, under the heading Risks Related to Data Security and Intellectual Property, which should be read in conjunction with the information above.


Company Information

Name: B. Riley Financial, Inc.
CIK: 0001464790
SIC Description: Investment Advice
Ticker: RILY, RILYG, RILYK, RILYL, RILYM, RILYN, RILYO, RILYP, RILYT, RILYZ (all Nasdaq)
Category: Large accelerated filer
Fiscal Year End: December 30