Silvercrest Asset Management Group Inc. - (SAMG)

10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

We regularly assess risks from information security threats, monitor our information systems for potential vulnerabilities, and test those systems pursuant to our information security policies, processes, and practices. To protect our information systems from threats, we use various security tools that help us identify, escalate, investigate, resolve, and recover from security incidents in a timely manner.

We recognize the importance of protecting information assets such as the personally identifiable information of our employees, and proprietary business information, and have adopted policies, management oversight, accountability structures and technology processes designed to safeguard this information. All our employees are required to attest annually to our information security policies and participate in regular security awareness training to protect their information and the Silvercrest data and systems to which they have access. These trainings also remind employees how to report any potential privacy or data security issues.

Our information security organization comprises internal and external resources designed to identify, protect, detect, mitigate, resolve, and recover from various threats and attacks by malicious actors. We leverage 24x7x365 monitoring tools and services to address the confidentiality, integrity, and availability of Silvercrest assets and data. Regular internal and third-party reviews are performed on our processes and technologies to validate the effectiveness of our privacy and data security controls and safeguards. We monitor industry best practices and developments in data privacy and security, including increased scrutiny of third-party service providers with access to sensitive Silvercrest data. We have implemented and maintain a written proprietary security incident response plan, with defined roles and responsibilities that address notification obligations and incident response procedures to follow in the event of a data security breach. We are dedicated to business continuity and resiliency, and have documented strategies, policies, and procedures in place to protect employee, business, and client data in the event of an emergency or natural disaster.

We work with third-party service providers that proactively assess our information security program and provide us with an industry view of the cyberthreat landscape, in addition to monitoring and supporting our control environment and breach notification and response processes.

As of the date of this Annual Report on Form 10-K, information security threats have not materially affected and we believe are not reasonably likely to materially affect Silvercrest, including our business strategy, results of operations, or financial condition. Refer to the risk factor captioned “Operational risks, including the threat of cyber-attacks, may disrupt our business, breach our clients’ security, result in losses or limit our growth” in Part I, Item 1A. “Risk Factors” for more information regarding cybersecurity risks and potential related impacts on Silvercrest.

Governance

We have implemented and maintain a formal information security program, designed to develop, and maintain privacy and data security practices to protect Silvercrest assets and sensitive third-party information, including personal information. This program is governed by employees comprised of members of senior management, including our Chief Information Security Officer (“CISO”), who meet regularly and provide reports to the Board of Directors at least annually. The CISO oversees communications with the Board of Directors regarding material cybersecurity incidents and provides the Board with a summary of risks from current cybersecurity threats on a regular basis, as well as updates on managements information security program oversight and maintenance activities, and any material changes to Silvercrests information security practices and procedures.

We take a risk-based approach to information security and have implemented policies throughout our operations that are designed to address threats and our response to actual or suspected incidents. In particular, the CISO is responsible for the ongoing identification and assessment of reasonably foreseeable cybersecurity threats and based on these assessments, evaluating and overseeing the implementation of safeguards for limiting such risks, including employee training and compliance, and detection and prevention mechanisms. If an information security incident occurs, Silvercrest will assemble an incident response team responsible

36


for the identification, remediation, and post-incident review of such incident, engage outside advisors and notify third parties as appropriate and assess the materiality of the nature, scope and timing of a given incident and whether public disclosure is required.

The CISO is responsible for leading the assessment and management of cybersecurity risks. The CISO provides reports to the Board of Directors as part of the updates discussed above and regularly communicates with other members of senior management regarding information security risks.