MIAMI INTERNATIONAL HOLDINGS, INC. 10-K Cybersecurity GRC - 2026-03-06

Page last updated on March 6, 2026

MIAMI INTERNATIONAL HOLDINGS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-06 07:29:31 EST.

Filings

10-K filed on 2026-03-06

MIAMI INTERNATIONAL HOLDINGS, INC. filed a 10-K at 2026-03-06 07:29:31 EST
Accession Number: 0001438472-26-000023


Item 1C. Cybersecurity.

Risk Management and Strategy

As a highly regulated company, we maintain policies, procedures, and controls designed to safeguard against material risks from cybersecurity threats by protecting the confidentiality, integrity, availability, and reliability of our systems, networks, and information. These policies, procedures, and controls are subject to monitoring, auditing, and evaluation practices pursuant to our cybersecurity and risk programs, which are supported by a defense strategy that includes: the Enterprise Risk Management Department, the Information Security Department, the Business Systems Development Department, the Legal Department, the Compliance and Regulatory Department, the Internal Audit team, and the Board of Directors and Risk Committee of the Company.

We have developed and conduct at least annually cybersecurity awareness training programs for our employees. We also regularly engage an independent third-party to conduct cybersecurity penetration tests and conduct our own vulnerability assessments and security incident response readiness tabletop exercises. In addition, the information technology systems of our self-regulatory organizations are subject to periodic reviews, audits, and inspections by regulatory authorities. We also conduct diligence on cybersecurity practices in connection with our overall risk assessment when evaluating potential acquisitions and new products.

As described herein, the processes that we have adopted for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management systems. We engage assessors, consultants, auditors, and other third parties, on an as needed basis, in connection with testing and designing our information security and cybersecurity controls and processes.
For example, we engage third parties to assist with cybersecurity threat detection, conduct penetration tests, run security incident response readiness tabletop exercises, and conduct cybersecurity resiliency assessments. We strive to utilize best practices in our information security and cybersecurity management and follow applicable industry standards. In support of our risk management framework, we maintain a third-party security policy and a vendor management policy and program to manage risks from third-party service providers. Embedded in these policies is a defined process to assess the risks related to new third-party service providers. We follow a risk-based approach and conduct due diligence review of third-party service providers for potential cybersecurity risks to the Company.

To date, we are not aware of risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. We cannot assure you that we will not experience risks from future threats or incidents that may be material. Please also refer to the risk factors above for additional information.

Governance

The Board provides oversight of risks from cybersecurity threats and has designated primary responsibility to the Risk Committee, which oversees our information security programs, including cybersecurity, and is actively involved in monitoring the progress of our key cybersecurity initiatives. The Risk Committee receives updates and reports on information security-related topics, including cybersecurity risks, from senior management, including from the Company's Chief Risk Officer & Chief Information Security Officer.
These updates and reports include presentations from senior management on cybersecurity architecture and resiliency, incident management, the results of business continuity and disaster recovery exercises, significant data privacy matters, insider threats, the results of cybersecurity monitoring and testing and the status of any remediation items thereto, information related to third-party cyber assessments, risks associated with the use of third-party service providers, and material changes to information technology programs. Further, summaries of the proceedings from prior Risk Committee meetings are provided to the Board on a routine basis.

We have internal incident response and management teams, and dedicated positions for managing and assessing material risks from cybersecurity threats, including our Chief Risk Officer & Chief Information Security Officer, the Computer Security Incident Response Team ("CSIRT"), and a dedicated internal information security team. Our Chief Risk Officer & Chief Information Security Officer has extensive experience in the industry. He has served as the Chief Risk Officer of the MIAX Exchanges since joining us in 2011 and as the Chief Information Security Officer of the Company and the MIAX Exchanges since 2017. He has served as the Chief Risk Officer for the Company since 2022. We believe that combining the roles of the Chief Risk Officer and Chief Information Security Officer has several benefits, including the assurance that the information security functions benefit from alignment with the risk management appetite of the Company and that the need for strong information security controls is embedded within the risk management framework and maintained by a representative of senior management.
The Company's cybersecurity strategy and roadmap was developed and is maintained by our Chief Risk Officer & Chief Information Security Officer in consideration of applicable information security regulatory requirements of a highly regulated financial market operator and evolving industry standards. He is currently responsible for oversight of the Company's risk management functions, including the enterprise risk management, information security, data privacy, and information technology asset management programs.

The Information Security Department is staffed with personnel and equipped with tools available on a 24 x 7 basis. The Security and Risk Management team is comprised of experienced professionals with strong academic and technical backgrounds in information technology and cybersecurity. Team members hold graduate degrees in technology-related disciplines and maintain a range of industry-recognized certifications, including Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), and specialized certifications in network security, firewall administration, and endpoint security. This combination of advanced education, professional certifications, and hands-on experience enables the team to design, implement, and oversee robust security and risk management frameworks aligned with industry best practices and regulatory expectations.

Potential cybersecurity incidents may be reported by anyone or any tool, including system operators, users, or security control alerts. We maintain a vulnerability management program in which we regularly scan network elements and computer systems pursuant to our written Vulnerability Management Policy. Information security analysts in the Information Security Department are responsible for triaging potential cybersecurity incidents.
The CSIRT is responsible for determining whether a cybersecurity incident has occurred or is in progress and communicating information regarding the nature and severity of the incident to senior management and others as required by the Company's written Security Incident Response Standard and Plan. Cybersecurity incidents are tracked and documented pursuant to processes described within our Incident Management Policy and Security Incident Response Standard and Plan. Potential cybersecurity incidents may also be reported to our responsible senior management team and Disclosure Committee to determine if further action and/or public disclosure is required. Responsible persons report information about the material risk from cybersecurity threats to the Board and/or the Risk Committee with the frequency and detail merited by the severity of the cybersecurity threats.


Company Information

Name: MIAMI INTERNATIONAL HOLDINGS, INC.
CIK: 0001438472
SIC Description: Security Brokers, Dealers & Flotation Companies
Ticker: MIAX - NYSE
Website
Category
Emerging growth company
Fiscal Year End