Page last updated on February 12, 2026
NASDAQ, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-12 16:29:07 EST.
Filings
10-K filed on 2026-02-12
NASDAQ, INC. filed a 10-K at 2026-02-12 16:29:07 EST
Accession Number: 0001628280-26-007703
Item 1C. Cybersecurity.
Risk Management and Strategy
Nasdaq's brand and role as a critical infrastructure provider for global financial markets, the operator of The Nasdaq Stock Market and exchanges, central securities depositories and a clearinghouse in Europe, and the provider of information and technology services to banks, international market operators and exchanges, publicly-traded companies and other high-profile customers make us an attractive target for cybersecurity threat actors and attacks. These include adversarial nations and state-sponsored actors, hacktivists and ransomware deployers or other financially motivated criminals. Impacts of a cybersecurity incident may include: financial and reputational damage, resulting from the loss of customer confidence in our company, exchange, products or offerings; potential regulatory enforcement actions; or litigation, either from governmental authorities, shareholders, or other litigants, including customers asserting our failure to comply with contractual obligations.
To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our business, our business strategy, our results of operations or financial condition. For further information, see "Our role in the global marketplace positions us at greater risk for a cyberattack" and "Expanded cybersecurity regulations, and increased cybersecurity infrastructure and compliance costs, may adversely impact our results of operations" in "Item 1A, Risk Factors" of this Annual Report on Form 10-K.
Our risk management and mitigation approach includes the adoption of NIST CSF and NIST 800-53 security control frameworks and adaptive ongoing threat analysis. In addition, our Information Security, or InfoSec, team reviews and conducts a risk assessment of any novel technologies Nasdaq plans to implement.
Our policies and our baseline security controls incorporate a security infrastructure with multi-layered defense systems. We have 18 System and Organization Controls Type 2, or SOC 2, certifications with respect to our information security and infrastructure. Our adaptive analysis monitors the threat landscape relevant to Nasdaq, our vendors and financial industry peers, and threats arising from geopolitical events. As the external threat landscape evolves, our information security controls are regularly evaluated, updated and enhanced to help protect against emerging risks.
Additionally, we conduct extensive cybersecurity assessments of our acquired entities, both prior to acquisition and following completion of the transaction, to understand potential threats and mitigate risks from any potential deviations between the acquired company's practices and Nasdaq's standards, until we can align the acquired company's security infrastructure and access management practices and policies with ours.
We periodically engage external advisors to perform an independent assessment of the maturity of Nasdaq's information security programs, and compare our programs to our financial and technology industry peers. Nasdaq's InfoSec program has demonstrated increasing levels of maturity year-over-year for every assessed program component. Recommendations to further enhance our procedures and maturity ratings from these assessments are then presented to our executive management team and the Audit & Risk Committee.
On a periodic basis, our management team and the Board of Directors conduct tabletop exercises and simulations on cybersecurity matters, with assistance from internal and outside experts. These exercises are intended to strengthen resilience and readiness to address different cybersecurity incident scenarios.
We use certain cloud-based third-party vendors for the core trading systems of certain of our exchanges and certain of our governance products and solutions.
Prior to engaging such vendors, we analyze each provider's SOC2 certifications, perform due diligence testing for information security and interoperability with our systems, and annually review the SOC2 certifications.
Our security assurance and threat assessment team, within our Information Security organization, collaborates with our external threat intelligence providers to proactively review Nasdaq, and our vendors with respect to emerging threats and associated risks.
For our third-party service providers, our risk assessment process evaluates the probability and potential impact of incidents related to operational errors, technology disruptions, information security breaches, workforce issues, internal and external fraud, financial actions, and legal and regulatory matters. This assessment process is part of our Supplier Risk Management program, which establishes processes for identifying, assessing, and periodically reviewing our exposure to risk through third party vendors.
Governance
Cybersecurity is an integral part of risk management at Nasdaq. The Board of Directors appreciates the rapidly evolving nature of threats presented by cybersecurity incidents and is committed to the prevention, timely detection, and mitigation of the effect any such incidents may have on us. Our Global Risk Management Committee, which includes our Chair and CEO and other senior executives, assists the Board of Directors in its cybersecurity risk oversight role.
We use a cross-departmental approach to assess and manage cybersecurity risk, with our Information Security; Legal, Risk and Regulatory; and Internal Audit functions presenting on key topics to the Audit & Risk Committee, which provides oversight of our cybersecurity risk.
Additionally, members from these organizations, along with Finance and Accounting, Global Technology and Corporate Communications, comprise a rapid response team that would mobilize in the event of a potentially significant cybersecurity incident and would analyze and evaluate the incident while also advising the executive management team.
Our Audit & Risk Committee receives quarterly or, if needed, more frequent reports on cybersecurity and information security matters from our Chief Information Security Officer, or CISO, and his team. The CISO has more than 25 years of experience in information technology and information security, particularly in the financial services industry, and our InfoSec organization has seasoned members with expertise in application security; governance and compliance; program and vulnerability management; security engineering; security operations security assurance; and threat intelligence and security architecture.
This regular reporting to the Audit & Risk Committee also includes a cybersecurity dashboard that contains information on cybersecurity governance processes, and from time to time, also includes the status of projects to strengthen internal cybersecurity, ongoing prevention and mitigation efforts, security features of the products and services we provide our customers, or the results of security events during the period. The Audit & Risk Committee also reviews and discusses recent cyber incidents affecting the industry and the emerging threat landscape.
Cybersecurity is a shared responsibility, and our goal is for all employees to be vigilant in helping to protect our organization and themselves, at all times. We routinely perform simulations and tabletop exercises, and incorporate external resources and advisors as needed, to help strengthen our cybersecurity protection and information security procedures and safeguards.
All employees are required to complete annual cybersecurity awareness training and have access to continuous cybersecurity educational opportunities throughout the year. All employees also have access to Nasdaq's Information Security Hotline, which is staffed on a 24/7 basis to respond to any potential incident; we have a strict non-retaliation policy that applies to any reporting of concerns related to our business.
Nasdaq also maintains a cybersecurity and information security risk insurance policy, and our Nasdaq Information Security Management System conforms to ISO 27001 requirements and is ISO 27001 certified.
On an annual basis, the Information Security team reviews and updates its governance documents, including the Information Security Charter, the Information Security Policy, and the Information Security Program Plan, and then presents the revised documents to the Global Risk Management Committee and Audit & Risk Committee for review and/or approval.
Additionally, the Information Security team maintains a formal cybersecurity strategic three-year plan, which outlines the strategic vision and associated goals for the cybersecurity of our global operations. The plan is regularly updated with new initiatives that align with technology innovations and changes in the threat landscape, and is reviewed and approved by the CISO and the Audit & Risk Committee. Throughout the three-year plan term, the CISO regularly provides management with progress reports.
Company Information
| Name | NASDAQ, INC. |
| CIK | 0001120193 |
| SIC Description | Security & Commodity Brokers, Dealers, Exchanges & Services |
| Ticker | NDAQ - Nasdaq |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |