Freedom Holding Corp. 10-K Cybersecurity GRC - 2025-06-13

Page last updated on June 13, 2025

Freedom Holding Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-06-13 16:31:08 EDT.

Filings

10-K filed on 2025-06-13

Freedom Holding Corp. filed a 10-K at 2025-06-13 16:31:08 EDT
Accession Number: 0000924805-25-000012

Item 1C. Cybersecurity.

Risk Management and Strategy

Cybersecurity is a critical component of our risk management program, given the increasing reliance on technology and potential cyber threats. Our Chief Technology Officer is leading cybersecurity risk management improvement initiatives as part of our technology strategy. Our overall cybersecurity risk management covers IT, information security and data protection risk and its objective is to avoid or minimize the impacts of threat events that could lead to penetration, disruption or misuse of our information systems and to ensure compliance with applicable legal and contractual obligations.
Our cybersecurity risk management improvement initiatives are informed by regulatory guidance, industry standards (such as ISO, NIST, CIS, FAIR and others), threat intelligence feeds, internal and external audits, external consultants, and insights from the cybersecurity community. Some of our subsidiaries are certified under ISO 27001, an international information security management systems standard, or undergo regular Payment Card Industry Data Security Standard (PCI) audits. Experts from our Technology Leadership Centre, under the supervision of the Chief Technology Officer, periodically review our cybersecurity risk management processes to address changing threats and conditions.
We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity. We employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected threats. We have established processes and systems designed to mitigate technology risk, including our corporate IT control system, to work towards a consistent minimal level of cybersecurity across all our subsidiaries.
We engage in periodic or regular monitoring and assessments of our technology key infrastructure and processes using internal staff and third-party specialists utilizing methods such as penetration testing, vulnerability scanning, code, configuration reviews, risk and security assessments. We assess and manage risks, including IT and cybersecurity risks, associated with external service providers and our supply chain, utilizing methods such as security assessments, SLAs, information security and data protection contractual clauses. Our audit procedures include testing of IT and cybersecurity controls to ensure reliability. The type, maturity, and formalization of controls in our subsidiaries is informed by the level of anticipated threats and their impacts associated with each organization.
We maintain an IT and cybersecurity incident management process that provides a framework for responding to actual or potential cybersecurity incidents, engagement of third parties, including external incident response professionals, and timely reporting of incidents with a material or reasonably likely material impact to our Chief Technology Officer, Chief Financial Officer, who inform other senior management members and our board of directors as appropriate. The cybersecurity incident management process facilitates coordination across multiple areas of our organization.

Governance

Our cybersecurity risk governance model consists of three lines of defense. Our Chief Technology Officer, supported by the experts in our Technology Leadership Centre and IT and cybersecurity teams at our subsidiaries represent the first line. Our Chief Risk Officer, supported by corporate and subsidiary risk teams, and Risk Committee of the board of directors represent the second line. The third line consists of our Controlling Department, subsidiary internal audit functions and Audit Committee of the board of directors.
Our Chief Technology Officer has over 15 years of information technology experience, including over a decade in leadership positions. He is supported by IT, information security and data protection professionals from our Technology Leadership Centre with extensive experience, including from regulatory agencies. At the subsidiary level our management team has varying degrees of technology, operational and cybersecurity experience, including experience in mitigating and responding to cybersecurity incidents and managing associated risks. Our Chief Technology Officer leads cybersecurity risk management improvement initiatives as part of our technology strategy, coordinated and monitored by experts from our Technology Leadership Centre. In contrast, the program’s implementation at our subsidiaries is largely delegated to the subsidiary staff. Significant subsidiaries at least annually provide updates on their implementation progress, significant cybersecurity incidents, and risks to their senior executives and the experts from our Technology Leadership Centre. The experts periodically consolidate and analyze information about the cybersecurity risk management program, cybersecurity incidents and risks, key initiatives, and other matters relating to cybersecurity processes for reporting to our Chief Technology Officer and our Chief Risk Officer. Both officers at least quarterly report to the Risk Committee of the board of directors. Our Chief Technology Officer also at least annually reports directly to the board of directors including on cybersecurity initiatives, notable incidents, and risks. Our Chief Risk Officer at least annually reports directly to the board of directors including on cybersecurity incidents and risks. Our overall cybersecurity risk management is overseen by the Risk Committee of our board of directors who assists our senior management and the board of directors with their overall risk management responsibilities. 
Audit or assurance procedures of Controlling Department, internal audit departments and other functions include testing of IT, information security and data protection controls. Our financial reporting department ensures financial performance reliability under U.S. regulatory requirements and provides an independent objective assurance to evaluate the effectiveness of our governance. The department is directly subordinate to the Audit Committee of our board of directors.
Notwithstanding our defensive measures and processes, the threats posed by IT failures and cyber-attacks are always present. The potential impact of risks from IT incidents, including whether such IT incidents may be associated with cybersecurity threats to the Company, is assessed on an ongoing basis. We do not maintain insurance policies to mitigate cybersecurity risks because such insurance may not be available or may be more expensive than the perceived benefit. Further, any insurance that we may purchase to mitigate certain risks may not cover all losses. For further discussion of risks from cybersecurity threats, see the section captioned "Risks Related to Information Technology and Cybersecurity" in "Risk Factors" in Part I Item 1A of this annual report.


Company Information

Name: Freedom Holding Corp.
CIK: 0000924805
SIC Description: Security Brokers, Dealers & Flotation Companies
Ticker: FRHC - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: March 30