Page last updated on July 28, 2025
MORGAN STANLEY reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 16:25:14 EST.
Filings
10-K filed on 2025-02-21
MORGAN STANLEY filed a 10-K at 2025-02-21 16:25:14 EST
Accession Number: 0000895421-25-000304
Item 1C. Cybersecurity.
Risk Management and Strategy
We, our businesses, and the broader financial services industry face an increasingly complex and evolving threat environment. We have made and continue to make substantial investments in cybersecurity and fraud prevention technology, and employ experienced talent to lead our Cybersecurity and Information Security organizations and program under the oversight of the Board and the BOTC.
As part of the ERM framework, we have implemented and maintain a program to assess, identify and manage risks arising from cybersecurity threats. Our Cybersecurity Program helps protect our clients, customers, employees, property, products, services and reputation by preserving the confidentiality, integrity and availability of information, enabling secure financial services, and ensuring the safe operation of our technology systems. The program is continuously updated to reflect the evolving threat landscape and regulatory expectations.
Processes for Managing Cybersecurity Risk
Our Cybersecurity Program incorporates industry best practices and addresses internal and third-party cybersecurity threats. It is periodically benchmarked against the Cyber Risk Institute Cyber Profile and the NIST Cybersecurity Framework, as well as global cybersecurity regulations.
The program includes policies, procedures, and technologies that cover access control, data security, threat detection, incident response, recovery planning, and more. Threat intelligence is collected through public-private partnerships and informs both defensive strategies and internal testing efforts. Vulnerability management, penetration testing, and red team engagements are used to assess effectiveness.
We maintain a third-party risk management program that evaluates vendors’ cybersecurity capabilities before and during engagements. Vendors must meet our cybersecurity standards or undergo review and escalation. Cybersecurity incidents are addressed through an incident response plan, including reporting to regulators and clients when warranted. Tabletop exercises help test our response procedures.
Assurance and Oversight
Our Internal Audit Division (IAD) and external third parties perform regular reviews and testing of the Cybersecurity Program. Results and recommendations are reported to the Board Operational and Technology Committee (BOTC). Regulatory bodies also routinely examine our program.
Governance – Management’s Role
The Cybersecurity Program is operated by the Chief Information Officer (CIO), Chief Information Security Officer (CISO), and the Head of Cyber, Technology, and Information Security Non-Financial Risk (Head of NFR CTIS). These individuals collectively bring over 75 years of experience in IT, security, and government intelligence.
Risk governance committees review and escalate significant threats to senior management and the Board. Program metrics, incidents, and risk remediation updates are presented to the Firm Risk Committee (FRC), BOTC, and the full Board. Cybersecurity risk levels are also reviewed by management-level risk committees.
Governance – Board Oversight
The BOTC is responsible for the Board’s oversight of cybersecurity and other operational risks. The committee receives quarterly updates from Technology, Operations, and NFR. It also receives annual reports in compliance with the Gramm-Leach-Bliley Act. All Board members are invited to BOTC meetings and receive cybersecurity updates.
The BOTC approves cybersecurity policies, receives third-party assessments, and conducts joint meetings with the BAC and BRC when needed. The BOTC chair meets regularly with senior management to discuss cybersecurity developments and reports key issues to the full Board.
Company Information
Name | MORGAN STANLEY |
CIK | 0000895421 |
SIC Description | Security Brokers, Dealers & Flotation Companies |
Ticker | MS - NYSE, MS-PA - NYSE, MS-PK - NYSE, MS-PI - NYSE, MS-PF - NYSE, MS-PE - NYSE, MS-PL - NYSE, MS-PO - NYSE, MS-PP - NYSE, MS-PQ - NYSE, MSTLW - OTC |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |