Page last updated on February 27, 2026
COHEN & STEERS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 08:49:37 EST.
Filings
10-K filed on 2026-02-27
COHEN & STEERS, INC. filed a 10-K at 2026-02-27 08:49:37 EST
Accession Number: 0001284812-26-000011
Item 1C. Cybersecurity.
Risk Management and Strategy
Cybersecurity is a crucial component of our enterprise risk management program. We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature and information relating to our clients and investments.
Our cybersecurity risk management function is led by our Cybersecurity Management team which is comprised of our Chief Information Security Officer (CISO), Chief Technology Officer (CTO), members of our Information Technology (IT) department, as well as members of our Legal and Compliance Departments. Our Cybersecurity Management team is primarily responsible for developing, implementing and monitoring our cybersecurity program and reporting on cybersecurity matters to senior management as well as our board of directors.
Members of our Cybersecurity Management team identify and assess risks from cybersecurity threats by monitoring our threat environment and the Company's enterprise risk profile using various manual and automated tools as well as by: (i) utilizing shared information about vulnerabilities and exploits from professional security organizations, reports or other services that identify cybersecurity threats and through the use of external intelligence feeds; (ii) analyzing reports of threats and actors; (iii) conducting periodic vulnerability scans of the Company's IT environment; (iv) evaluating our and our industry's risk profile; (v) evaluating threats that are reported to us; (vi) coordinating with law enforcement concerning threats; (vii) conducting internal and external audits of our information security control environment and operating effectiveness; and (viii) conducting threat assessments for internal and external threats, including through the use of third party assessments and vulnerability assessments. 
We implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats, including, but not limited to:
- technical and physical safeguards: (i) real-time security information and event monitoring of systems, workstations, servers and networks, and periodic internal and external vulnerability scans; (ii) asset management tracking and disposal; (iii) incident detection and response; (iv) data encryption; (v) notification monitoring from Company personnel and from third parties regarding issues and signs of potential incidents; and (vi) logical access controls and network security controls; and
- organizational safeguards: (i) incident response plans that address our response to a cybersecurity incident; (ii) personnel and vendors dedicated to overseeing the Company's cybersecurity program; (iii) periodic mandatory employee cybersecurity training; (iv) periodic risk assessments and testing of our policies, standards, processes and practices designed to address cybersecurity threats and incidents; (v) policies and programs such as security standards, a vendor risk management program, a vulnerability management policy and disaster recovery and business continuity plans; and (vi) insurance coverage dedicated to losses resulting from cybersecurity incidents.
Cybersecurity risk management is integrated into the Company's overall enterprise risk management (ERM) process.
For example, (i) enterprise risk management-level cybersecurity risks are reviewed at least annually by our information technology security team; (ii) internal and external penetration tests are performed to identify vulnerabilities and findings are risk ranked based on potential likelihood and impact; and (iii) members of Cybersecurity Management report on cybersecurity risk management and related matters to the audit committee of the board of directors, as part of their ongoing evaluation and oversight of overall enterprise risk pursuant to non-exclusive authority delegated by the board of directors.
We use third-party service providers to assist us in identifying, assessing and monitoring material risks from cybersecurity threats, including through penetration testing, provision of threat intelligence and continuous monitoring of our environment. We report key findings to the audit committee of the board of directors and, if appropriate, the board of directors and adjust our cybersecurity policies, standards, processes and practices as necessary based in part on information provided by these assessments and engagements.
We also use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies and supply chain resources. We maintain a risk-based approach to identifying and overseeing cybersecurity risks and vulnerabilities presented by our engagement of third parties, as well as the information systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
Our vendor risk management program may involve different assessments designed to help identify cybersecurity risks including: (i) risk assessments; (ii) security questionnaires; (iii) audits; (iv) vulnerability scans; (v) review of the vendor's written security program, security assessments and other reports; (vi) evidence of cybersecurity preparedness through a System and Organization Controls (SOC) 1 or SOC 2 report; and (vii) the imposition of contractual obligations on the vendor.
For a description of the risks from cybersecurity threats that may materially affect the Company, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including under the caption "We could incur financial losses, reputational harm and regulatory penalties if we fail to implement effective information security policies and procedures."
Governance
Our cybersecurity risk assessment and management processes are implemented and maintained by members of our Cybersecurity Management team, including our:
- Chief Information Security Officer (CISO): Leads the information security group and program within the IT department, bringing over 25 years of cybersecurity and financial services experience. Holds Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC) credentials and is registered with FINRA for Series 99. The CISO has held similar leadership roles at other financial institutions.
- Chief Technology Officer (CTO): Oversees the IT department, leveraging more than 29 years of experience in information technology, including senior leadership positions at other financial services organizations.
- Head of IT Infrastructure: Manages the infrastructure and service desk functions within the IT department, with over 14 years of progressive experience in information technology roles.
Members of our Cybersecurity Management team, including our CISO and our CTO, are responsible for hiring appropriate personnel, integrating cybersecurity risk considerations into the overall risk management strategy and communicating key priorities to relevant personnel. Members of our Cybersecurity Management team are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes and reviewing security assessments and other security-related reports.
Our cybersecurity incident response plan is a key component of our cybersecurity program. In the event a cybersecurity incident occurs, our incident response plan outlines roles and responsibilities and sets forth escalation points to ensure that appropriate individuals and groups across the Company are notified and provide relevant information depending on the type and severity of the incident. Based on the assessment of the potential impact to the Company, a determination regarding further escalation to the Company's senior leadership, including the General Counsel and Chief Operating Officer and members of the Executive Committee will be made. The Company's incident response team is responsible for overseeing the mitigation and remediation of cybersecurity incidents. In addition, the response plan includes prompt reporting to the board of directors (or audit committee) of certain cybersecurity incidents and related materiality and disclosure determinations.
The audit committee of the board of directors actively participates in discussions regarding cybersecurity risk exposures and steps taken by management to monitor and mitigate such risks, further to their responsibility to manage, oversee and remain informed about the most significant risks to the Company and align our risk exposure with our strategic and business objectives.
At least annually, the audit committee reviews the Company's cybersecurity program, including the robustness and efficacy of the overall cybersecurity program, steps taken to enhance defenses and security measures and our established plans to identify, detect and respond to potential threats. The audit committee also annually reviews and discusses the ERM process and risk assessment, as well as the Company's cyber insurance coverage. Additionally, the audit committee receives reports and communications from our CTO and our Chief Operating Officer regarding material risks and specific developments related to the changing cybersecurity landscape and the Company's operating, technology and control environment. Such reports may cover topics such as: investments made in our cyber infrastructure; technology projects and initiatives; vulnerability assessments and key findings from external cyber experts; the impact of new cybersecurity-related rules and regulations; changes in the threat environment; and evolving information security standards and market practices.
As of December 31, 2025, we have not experienced any cyber incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition.
Company Information
| Name | COHEN & STEERS, INC. |
| CIK | 0001284812 |
| SIC Description | Investment Advice |
| Ticker | CNS - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |