STIFEL FINANCIAL CORP 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 27, 2025

STIFEL FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:01:53 EST.

Filings

10-K filed on 2025-02-26

STIFEL FINANCIAL CORP filed a 10-K at 2025-02-26 16:01:53 EST
Accession Number: 0000950170-25-027702

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We maintain an information security program and governance framework that are designed to protect our information systems against risks related to cybersecurity. Cybersecurity Risk Management and Strategy We define information security and cybersecurity risk as the risk that the confidentiality, integrity, or availability of our information and information systems are impacted by unauthorized or unintended access, use, disclosure, disruption, modification, or destruction. Information security and cybersecurity risk are incorporated into our comprehensive Enterprise Risk Management (“ERM”) program, which we use to identify, aggregate, monitor, report, and manage risks. The Written Information Security Program (“WISP”), our enterprise information security and cybersecurity program, is incorporated within the ERM program and led by our Chief Information Security Officer (“CISO”). The WISP is designed to (i) ensure the security, confidentiality, integrity, and availability of our information systems and data; (ii) protect against any anticipated threats or hazards to the confidentiality, integrity, or availability of such information and information systems; and (iii) protect against unauthorized access to information or information systems that could result in substantial harm or inconvenience to us, our associates, or our clients. The WISP is built upon a foundation of advanced security technology, a well-trained team of experts, and is designed to operate in alignment with applicable regulatory requirements. WISP deploys multiple layers of controls to identify, protect, detect, respond to, and recover from information security and cybersecurity incidents. These controls are measured and monitored by subject matter experts and a security operations center with integrated cyber detection, response, and recovery capabilities. The WISP includes our Incident Response program, which manages information security incidents involving compromises of sensitive information, and our Security Incident Response Plan (“SIRP”), which provides a documented framework for handling high severity cybersecurity incidents and facilitates coordination across multiple parts of the Company to manage response efforts. We also routinely perform simulations and drills around security matters at both a technical and management level, and our associates receive annual cybersecurity awareness training. The WISP incorporates reviews by our Internal Audit department and external third-party experts. Periodic independent third-party maturity assessments are conducted against the NIST Cyber Security Framework. Investments in threat intelligence, collaboration with peers, vulnerability management, incident response drills, and participation in industry and government forums are also part of our program. Cybersecurity risks related to third parties are managed as part of our System and Services Acquisition Policy, which sets forth the procurement, risk management, and contracting framework for managing third-party relationships commensurate with their risk and complexity. Our program sets guidelines for identifying, measuring, monitoring, and reporting the risks associated with third parties through the life cycle of the relationships, which includes planning, due diligence and third-party selection, contracting, ongoing monitoring, and termination. Our program includes the identification of third parties with risks related to information security. Third parties that access, process, collect, share, create, store, transmit, or destroy our information or have access to our systems may have additional security requirements, depending on the levels of risk, such as enhanced risk assessments and monitoring, and additional contractual controls. We also conduct reassessments of our third-party risk, using a risk-based approach to determine frequency. Where appropriate, the Company seeks to incorporate contractual language with third-party service providers that address the collection, use, sharing, and retention of user data, as well as compliance with appropriate security terms. While we do not believe that our business strategy, results of operations, or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive, and, similar to other global financial services firms, we, as well as our clients, associates, regulators, service providers, and other third parties, have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of cyber attacks. We continue to assess the risks and changes in the cyber environment, invest in enhancements to our cybersecurity capabilities, and engage in industry and government forums to promote advancements in our cybersecurity capabilities, as well as the broader financial services cybersecurity ecosystem. See Item 1A - Risk Factors" of this Form 10-K for additional information on cybersecurity risks. Cybersecurity Governance Under our information security framework, our Board and our Risk Management Committee are primarily responsible for overseeing and governing the development, implementation, and maintenance of our WISP, with the Board designating our Risk Management Committee to provide oversight and governance of technology and cybersecurity risks. Our Board receives an update on cybersecurity 24 at least twice a year from our CISO or their designee . Our Risk Management Committee receives reports on cybersecurity at least four times a year, with ad hoc updates as needed. In addition, our Risk Management Committee annually approves our WISP program. Our Operational Risk Committee (“ORC”) provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, measure, manage, monitor, and report information security risks associated with our information and information systems. The ORC escalates risks to the Risk Management Committee or our Board based on the escalation criteria provided in our information security framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report also provided to our Risk Management Committee and the ORC. Our CISO leads the strategy, engineering, and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board and the ORC on our WISP, as well as ad hoc updates on information security and cybersecurity matters. Our CISO reports directly to the Risk Management Committee. The CISO has been with the Company since 2023 and has over 28 years of information technology and cybersecurity experience.

Company Information