Page last updated on February 24, 2026
STIFEL FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 16:24:20 EST.
Filings
10-K filed on 2026-02-24
STIFEL FINANCIAL CORP filed a 10-K at 2026-02-24 16:24:20 EST
Accession Number: 0001193125-26-067130
Item 1C. Cybersecurity.
We maintain an information security program and governance framework that are designed to protect our information systems against risks related to cybersecurity.

Cybersecurity Risk Management and Strategy

We define information security and cybersecurity risk as the risk that the confidentiality, integrity, or availability of our information and information systems are impacted by unauthorized or unintended access, use, disclosure, disruption, modification, or destruction. Information security and cybersecurity risk are incorporated into our comprehensive Enterprise Risk Management ("ERM") program, which we use to identify, aggregate, monitor, report, and manage risks.

The WISP is our enterprise program for managing information security and cybersecurity risk and is designed to operate in alignment with applicable regulatory requirements and industry standards. The WISP deploys layered technical, administrative, and operational controls to identify, protect, detect, respond to, and recover from cybersecurity incidents. These controls are monitored by internal subject-matter experts, periodically supplemented by independent third-party assessors, and operated through a Security Operations Center designed to integrate detection, response, and recovery capabilities. The WISP includes our Incident Response program and our Security Incident Response Plan ("SIRP"), which provide documented procedures for managing incidents, including handling high-severity events, conducting forensic investigation, coordinating cross-functional response, and supporting regulatory and stakeholder notification. We perform independent third-party penetration testing at least annually for critical systems, run tabletop exercises for technical teams and senior management at least annually, and perform vulnerability scanning with risk-based remediation service-level objectives for critical findings.
Associates receive annual cybersecurity awareness training and participate in regular phishing simulation campaigns to maintain awareness. The WISP is reviewed and updated at least annually and when warranted by material changes to business operations, technology, threats, or regulatory requirements. Our cybersecurity program includes baseline "security hygiene" practices intended to reduce avoidable incidents and maintain operational readiness, including timely patching, enforcement of least privilege, secure configuration standards, and logging, monitoring, and alerting for critical systems and user activity. We also maintain programs and controls intended to detect and respond to emerging threats, including vulnerability management practices, threat intelligence, and escalation processes. We enforce multifactor authentication for remote and privileged access and maintain privileged access management controls for administrative accounts. The WISP incorporates reviews by our Internal Audit department and external third-party experts. Periodic independent third-party maturity assessments are conducted against the NIST Cyber Security Framework. Investments in threat intelligence, collaboration with peers, vulnerability management, incident response drills, and participation in industry and government forums are also part of our program. Cybersecurity risks related to third parties are managed as part of our procurement, vendor risk, and contracting processes, including risk-based due diligence, ongoing monitoring, and reassessment of third parties based on risk and criticality. Our program sets guidelines for identifying, measuring, monitoring, and reporting the risks associated with third parties through the life cycle of the relationships, which includes planning, due diligence and third-party selection, contracting, ongoing monitoring, and termination. Our program includes the identification of third parties with risks related to information security. 
Third parties that access, process, collect, share, create, store, transmit, or destroy our information or have access to our systems may have additional security requirements, depending on the levels of risk, such as enhanced risk assessments and monitoring, and additional contractual controls. Where appropriate, the Company seeks to incorporate contractual language with third-party service providers that addresses security requirements, incident notification expectations, and data handling obligations. In addition, our information security program includes controls intended to help manage technology supply chain risk, including requirements and controls for higher-risk vendors and external dependencies. We also face cybersecurity risks related to our use of cloud technologies and external service providers. Our program includes cloud security requirements and practices intended to help manage risks, as well as risk-based assurance practices for cloud service providers. Our program also includes security requirements for cloud-native technologies, including controls intended to help manage vulnerabilities, secure configuration, segmentation, and secrets management.

The development and use of AI presents risks and challenges that are addressed through governance and risk management practices. We, or our third-party service providers, may develop or incorporate AI technology in certain business processes, products, or services. The legal and regulatory environment relating to AI is uncertain and rapidly evolving, which could require changes in our potential use and implementation of AI technology, limit our ability to integrate AI, and increase our compliance costs and the risk of non-compliance. In addition, AI may produce output or take action that is incorrect, infringes on the intellectual property rights of others, or is otherwise harmful, and the complexity of AI may make it challenging to understand why it generates particular outputs.
We maintain governance and security requirements intended to encourage responsible use of AI while protecting Company and client data and supporting compliance with applicable legal and regulatory requirements. These requirements include governance oversight for AI use cases, an inventory of AI usage, and security requirements intended to help protect confidentiality, integrity, and availability of systems and data used to develop, deploy, and operate AI-enabled capabilities. We also evaluate AI-related risks and incident considerations as part of our broader cybersecurity and operational resilience practices.

While we do not believe that our business strategy, results of operations, or financial condition have been materially adversely affected by any cybersecurity incidents to date, cybersecurity threats are pervasive, and, similar to other global financial services firms, we, as well as our clients, associates, regulators, service providers, and other third parties, have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of cyber attacks. We continue to assess the risks and changes in the cyber environment, invest in enhancements to our cybersecurity capabilities, and engage in industry and government forums to promote advancements in our cybersecurity capabilities, as well as the broader financial services cybersecurity ecosystem. See Item 1A - Risk Factors of this Form 10-K for additional information on cybersecurity risks.

Cybersecurity Governance

Under our information security framework, our Board and our Risk Management Committee are primarily responsible for overseeing and governing the development, implementation, and maintenance of our WISP, with the Board designating our Risk Management Committee to provide oversight and governance of technology and cybersecurity risks.
Our Board receives periodic updates on cybersecurity from our Chief Information Security Officer ("CISO") or their designee. Our Risk Management Committee receives reports on cybersecurity at least four times a year, with ad hoc updates as needed. In addition, our Risk Management Committee annually approves our WISP. Our Operational Risk Committee ("ORC") provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, measure, manage, monitor, and report information security risks associated with our information and information systems. The ORC escalates risks to the Risk Management Committee or our Board based on the escalation criteria provided in our information security framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through several channels, including periodic and annual reports, with the annual report also provided to our Risk Management Committee and the ORC.

Our CISO leads the cybersecurity strategy across the Company and is responsible for providing updates to governance committees and management on the WISP and other information security and cybersecurity matters, as well as ad hoc updates as needed. The CISO's responsibilities include overseeing the identification, analysis, and escalation of security threats and alerts, and ensuring that security alerts and incidents are appropriately escalated and communicated to designated management and governance forums, consistent with our incident response and escalation procedures. Strategy and program status is reported to the ORC and the Board on a periodic basis, and the Board schedules special sessions dedicated to Information Security, as needed. The CISO has been with the Company since 2023 and has over 29 years of information technology and cybersecurity experience.
Company Information
| Name | STIFEL FINANCIAL CORP |
| CIK | 0000720672 |
| SIC Description | Security Brokers, Dealers & Flotation Companies |
| Ticker | SF - NYSE; SF-PB - NYSE; SFB - NYSE; SF-PC - NYSE; SF-PD - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |