AssetMark Financial Holdings, Inc. - (AMK)

10-K Filing Date: March 14, 2024
Item 1C. Cybersecurity

At AssetMark, cybersecurity risk management is an integral part of our comprehensive enterprise risk management program. Our approach to cybersecurity risk management is designed to follow our industry’s best practices, identifying, monitoring, assessing and responding to cybersecurity threats and incidents. This includes managing risks related to third-party vendors and service providers and facilitating coordination across different departments of the Company.

Our program incorporates procedures for identifying the source of a cybersecurity threat or incident (including whether such cybersecurity threat or incident is associated with a third-party vendor or service provider), assessing the severity and risk of a cybersecurity threat or incident, implementing countermeasures, and reporting significant threats to management and the board of directors.

The Audit and Risk Committee, responsible for the oversight of our overall enterprise risk management program, oversees our cybersecurity program. They ensure management identifies and evaluates cybersecurity risks, implements risk management processes designed to ensure that potential cybersecurity, data privacy and information technology risks are identified, monitored, assessed and remediated, puts in place appropriate mitigation and remediation measures, and maintains our cybersecurity programs. We have established (i) a Regulatory Cybersecurity Committee which reviews new and changing regulatory requirements and recommendations and assesses any impacts on our business and (ii) an Information Security Council which enables collaboration for ongoing security incidents and emerging threats, reviews our information technology security roadmap and evaluates the current state of the information security program. Our cybersecurity programs are managed under the direction of our Chief Information Security Officer ("CISO") in consultation with our General Counsel and Chief Information Officer. Certain members of our executive team have extensive experience in assessing risks associated with cybersecurity threats, and our CISO and the cybersecurity team are certified and experienced information systems security professionals and information security managers with many years of experience and focus on preventing, detecting, mitigating, and remedying cybersecurity risks. Updates on the Company’s cybersecurity programs, material cybersecurity risks and mitigation strategies, and cybersecurity reports are provided to the Governance Committee on at least a monthly basis and our Audit and Risk Committee receives updates on our information security programs at least annually. Such updates cover, among other topics, third party assessments of the Company’s cybersecurity programs, updates to the Company’s cybersecurity programs and mitigation strategies, and other cybersecurity developments.

The cybersecurity team, with external third-party involvement, conducts risk assessments and system enhancements, and provides employee training during the onboarding process and annually with additional training as we deem appropriate. We have adopted and implemented an Information Security Program that outlines our security and data protection policies and procedures. This program is approved by the CISO and is reviewed and updated at least annually, or more frequently on an as-needed basis, to account for changes in the evolving cybersecurity threat landscape as well as legal and regulatory developments. Although we have continued to invest in our due diligence, onboarding, and monitoring capabilities over critical third parties with whom we do business, including our third-party vendors and service providers, our control over the security posture of, and ability to monitor the cybersecurity practices of, such third parties remains limited, and there can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the cybersecurity infrastructure owned or controlled by such third parties. When we do become aware that a third-party vendor or service provider has experienced such compromise or failure, we attempt to mitigate our risk, including by terminating such third party’s connection to our information systems and networks where appropriate.

In 2023, we did not identify any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, operations, or financial condition. However, we cannot eliminate all cybersecurity risks or provide assurances that we have not experienced an undetected. For more information about these risks, refer to the “Risk Factors—Risks Related to Intellectual Property, Data Privacy and Cybersecurity” section in this Annual Report on Form 10-K.