WESTWOOD HOLDINGS GROUP INC - (WHG)
10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity.
Over the past several years we have invested significantly to enhance our cybersecurity governance. We have expanded our control access to data and systems, invested in firewalls and security systems, elevated internal awareness through trainings and exercises, and upgraded our systems, programs and intrusion monitoring.
We conduct periodic vulnerability assessments based on our use of technology, third party vendor relationships and reported changes in cybercrime methodologies, and in response to any attempted cyber incident, among other circumstances.
We protect all the assets of our clients and safeguard the proprietary and confidential information of Westwood and its employees, which is a fundamental responsibility of every Westwood employee. Westwood is responsible for distributing our policies and procedures to employees and conducting appropriate employee training to ensure employees’ adherence to our policies and procedures. Repeated or serious violations of our policies by employees or independent contractors may result in disciplinary action against such persons, which may include restricted permissions or prohibitions and/or termination.
Our President and Chief Operating Officer is responsible for reviewing, maintaining and enforcing our policies and procedures to ensure we meet our overall cybersecurity goals and objectives, while at a minimum, ensuring compliance with applicable federal and state laws and regulations.
We have also designed procedures to implement our cybersecurity policy, minimize cybersecurity threats to our clients and conduct reviews to monitor and ensure our policy is observed, properly implemented and amended or updated as necessary, including cybersecurity oversight, periodic risk assessments and external consultant reviews, access restrictions, ongoing training, governance policies and procedures, authentication protocols, secure access measures, and policies for elevating suspicious activities.
Westwood has an established vendor management policy, which considers risks related to new or existing vendors, defines new vendor selection, vendor renewal, vendor monitoring and vendor risk assessment. The review of vendors is led by our Chief Compliance Officer and each vendor relationship owner, and involves reviewing System and Organization Controls reports, Statement on Standards for Attestation Engagements number 18 reports, and other reviews of internal controls.
Westwood’s Board is responsible for overseeing the effective execution of our overall cybersecurity programs. Along with management, our Board reviews our cybersecurity efforts and programs and is informed of cybersecurity risks primarily through discussions with management, trainings and exercises.
Westwood relies on its Board, in conjunction with senior management members, to ensure ongoing success of its cybersecurity environment. Our Board’s responsibilities include, but are not limited to:
a. Overseeing effective implementation of our cybersecurity initiatives and alignment with agreed policies and strategies;
b. Oversight of the continued and consistent implementation of our cybersecurity policies and procedures; and
c. Promoting overall corporate commitment to cybersecurity.
Westwood management is responsible for the execution of the framework for the management of our information security. These responsibilities include, but are not limited to:
a. Designing, implementing and executing our framework over information security management;
b. Reviewing and updating our policies and procedures annually;
c. Assigning all data within Westwood to an appropriate owner, and ensuring data owners have knowledge of such data and have an information classification selected for that data;
d. Ensuring annual compliance with our information security management policies and procedures;
e. Application and execution of our risk management framework in the event of a potential issue; and
f. Development and execution of an action plan for each potential issue to address risks via remediating, mitigating, accepting or closing the issue.
Our management members, specifically our Chief Executive Officer, Chief Financial Officer, President and Chief Operating Officer, Information Security Officer and Chief Compliance Officer, have cybersecurity expertise gained through years of training, internal and external discussions, numerous learning exercises, and development, execution and evaluation of our cybersecurity policies.
If a potential cybersecurity breach were to be identified, management would implement its incident response plan. This plan, which provides for a quick, effective and orderly response to information security incidents, relies on our Incident Response Team (“IRT”) to report findings to management and the appropriate authorities as necessary. The IRT, comprised of various cross-functional subject matter experts, is also responsible for:
a. Detecting and analyzing suspicious events that might indicate an event has occurred;
b. Containing, eradicating and restoring normal operations if an event has occurred through quick responses, isolating and preserving evidence to aid in remediation and assisting investigators, isolating additional systems from being impacted by the situation being remediated, tracking issues, communicating a strategy and protocol to follow to maintain control of information and confidentiality and to ensure members of the IRT and Westwood management are kept informed of issues as the incident develops and is resolved, and developing and implementing strategies for ensuring the integrity of impacted information systems and critical information hosted on those systems.
In the event of a cybersecurity breach Westwood management notifies our Board as soon as practicable, along with affected parties including clients, regulatory bodies, third parties and employees, as necessary and required by applicable laws and regulations.