Cohen & Co Inc. - (COHN)
10-K Filing Date: March 06, 2024
Risk Management and Strategy
The Company has processes in place to identify, assess and monitor material risks from cybersecurity threats, which are part of the Company’s overall enterprise risk management process and have been embedded in the Company’s operating procedures, internal controls and information systems.
The Company’s comprehensive cybersecurity and information security framework includes risk assessment and mitigation through a threat intelligence-driven approach, application controls, and enhanced security with ransomware defense. The framework leverages the National Institute of Standards and Technology Cyber Security Framework (“NIST CSF”) for measuring overall readiness to respond to cyber threats, and Sarbanes-Oxley for assessment of internal controls.
The Company contracts with external firms to assess the Company’s cybersecurity controls relative to its peers using the NIST CSF. The Company also has a third-party risk management program that assesses risks from vendors and suppliers. In addition, the Company maintains business continuity and disaster recovery plans as well as a cybersecurity insurance policy.
The Company has established cybersecurity and information security awareness training programs. Formal training on topics relating to the Company’s cybersecurity, data privacy and information security policies and procedures is mandatory at least annually for all employees. Training topics include how to escalate suspicious activities, including phishing, viruses, spam, insider threats, suspect human behaviors or safety issues. Based on role and location, some employees receive additional in-depth training to provide more comprehensive knowledge on potential risks related to their individual job responsibilities. Training is supplemented through regular Company communications with frequent updates to educate on the latest adversary trends and social engineering techniques. Certain employees also obtain industry certifications, such as Certified Information Systems Security Professional or Certified Information Security Manager.
The Company engages in cyber crisis response simulations to assess the Company’s ability to adapt to information and operational technology threats. Improper or illegitimate use of the Company’s information system resources or violation of the Company’s information security policies and procedures is subject to disciplinary action. The Company’s security posture is supported by a comprehensive defense-in-depth strategy that relies on layers of technology including Multi-Factor Authentication and principles of Zero Trust to ensure that access to information and communication is vetted and secure.
The Company also utilizes internal and external audits and assessments, vulnerability testing, governance processes over outsourced service providers, active risk management and benchmarking against peers in the industry to validate the Company’s security posture. The Company also engages external firms to measure the Company’s NIST CSF maturity level.
No risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition.
Governance
Role of the Board and Management
The Company’s Board recognizes the importance of cybersecurity in safeguarding the Company’s sensitive data. The Board is responsible for overseeing overall risk management for the Company, including review and approval of the enterprise risk management approach and processes implemented by management to identify, assess, manage and mitigate risk, at least annually. The Board has delegated responsibility for oversight of the Company’s cybersecurity and information security framework and risk management to the Company’s Management Cybersecurity Committee (the “Cybersecurity Committee”).
Pursuant to its charter, the Cybersecurity Committee must consist of at least four (4) members of the Company’s executive management team, which shall include the Company’s Director of Technology, Chief Operating Officer, Chief Compliance Officer and Chief Financial Officer, each of whom is required to have working familiarity, knowledge and competencies in relevant areas, including data privacy, public policy, information technology (“IT”) strategy, IT development and deployment, or IT risk assessment and management, including information security management. In addition, the Company’s Director of Technology has formal education in information technology and extensive experience working in and leading the Company’s information systems and technology function.
The principal responsibilities and duties of the Cybersecurity Committee, pursuant to its written charter, are to:
● Review and provide oversight on the effectiveness of the Company’s information security and privacy policies and procedures with respect to its products and services and internal-use information technology systems;
● Review and provide oversight on the policies and procedures of the Company in preparation for responding to any material information security or privacy incidents;
● Review and provide oversight on the Company’s disaster recovery, business continuity, and business resiliency capabilities, including escalation protocols, relating to its customer-facing products and services and internal-use information technology systems;
● Review annually the appropriateness and adequacy of the Company’s cyber-insurance coverage;
● Review and provide oversight on the policies and procedures of the Company with respect to data privacy, and oversee the Company’s compliance with applicable data privacy and cybersecurity laws and regulations;
● Evaluate the Cybersecurity Committee’s composition and performance on an annual basis;
● Review and reassess the adequacy of the Cybersecurity Committee’s written charter annually and recommend to the Board any changes the Cybersecurity Committee determines are appropriate;
● Perform any other activities required by applicable law, rules or regulations (including the Securities Exchange Act of 1934 and The NYSE American Stock Exchange regarding reporting and disclosure obligations related to cybersecurity risks, costs, and incidents), and take such other actions and perform and carry out any other responsibilities and duties delegated to it by the Board or as the Cybersecurity Committee deems necessary or appropriate consistent with its purpose.
The Cybersecurity Committee, including the Company’s Director of Technology, receives regular updates from the Company’s management on cybersecurity matters, results of mitigation efforts and cybersecurity incident response and remediation.