DIAMOND HILL INVESTMENT GROUP INC 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 27, 2025

DIAMOND HILL INVESTMENT GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:24:02 EST.

Filings

10-K filed on 2025-02-26

DIAMOND HILL INVESTMENT GROUP INC filed a 10-K at 2025-02-26 16:24:02 EST
Accession Number: 0000909108-25-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity The Company is subject to several material risks related to cybersecurity threats. A cybersecurity attack could prevent the Company from managing client portfolios, cause the unauthorized disclosure of sensitive or confidential client or employee information, and/or result in misappropriation of information or funds, which individually or collectively could severely harm its business. In 2024, the Company did not identify any cybersecurity risks that have materially affected or are reasonably likely to materially affect its business strategy, results of operations, or financial condition. However, despite its efforts, the Company cannot eliminate all risks from cybersecurity threats or incidents, or provide assurances that it has not experienced an undetected cybersecurity incident. For more information about these risks, please see Item 1A. The Company has an Information Security Committee (the “Committee”) to identify, assess, and manage cybersecurity risks and to implement necessary policies and procedures to mitigate those risks. The Committee also coordinates employee education efforts throughout the year. The Technology Risk & Information Security Officer serves as the Committee chair and the day-to-day manager of the Company’s information security management systems. The Committee is comprised of members having expertise in information technology infrastructure, data security, risk management, compliance, legal, and business continuity and recovery efforts. The Committee identifies and assesses risks by understanding and evaluating the Company’s systems, processes, data, and controls. This information is then augmented through participation by certain Committee members in industry threat intelligence groups designed to share best practices and emerging threats related to cybersecurity. The Committee also completes a full cybersecurity risk assessment annually, which drives the implementation of policies and procedures as well as the scope of third-party testing. The Committee has implemented an information security program that includes a comprehensive set of cybersecurity policies and procedures that follows standards established by the International Organization for Standardization (“ISO 27001”). The policies and procedures within the program, among other things, are to oversee, identify, and mitigate the Company’s cybersecurity risks as well as cybersecurity risks to the Company associated with its significant service providers and vendors. The Company’s cybersecurity policies and procedures have been independently certified by a third party as compliant with the ISO 27001 standard. The Committee engages third-party experts to perform penetration tests on a periodic basis and to assess whether these policies and procedures are designed appropriately and operating effectively. Cybersecurity oversight forms part of the Board ’s risk oversight of the Company. The Board oversees efforts by management to manage the cybersecurity risks to which the Company may be exposed. The Board receives quarterly reports and meets periodically with the Committee chair. From its review of these reports and discussions with management and the Committee chair, the Board ensures it has sufficient awareness of the material cybersecurity risks to which the Company is exposed, enabling a dialogue about how management manages and mitigates those risks. The Board currently has four members who have obtained certifications in cybersecurity oversight.

Company Information