OPPENHEIMER HOLDINGS INC - (OPY)

10-K Filing Date: March 01, 2024
Item 1C. CYBERSECURITY

Cybersecurity presents significant challenges to the business community in general, including the financial services industry. Increasingly, bad actors, both domestic and international, attempt to steal personal data and/or interrupt the normal functioning of businesses by accessing individuals' and companies' files and equipment connected to the internet. Recent incidents have reflected the increasing sophistication of intruders and their intent to steal personally identifiable information as well as funds and securities. These intruders sometimes use instructions that appear to come from authorized parties but in fact come from parties intent on theft. In other instances these intruders attempt to bypass normal safeguards and disrupt or steal significant amounts of information and then either release it on the Internet or hold it for ransom. Regulators are increasingly requiring companies to provide heightened levels of sophisticated defenses. The Company maintains processes and systems with the aim of preventing any such attack from disrupting its services to clients and of preventing any loss of data concerning its clients and their financial affairs, as well as Company privileged information.

Our management is actively involved in the oversight of our cybersecurity risk management program. We have devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations. We have incorporated cybersecurity processes to assess, identify and manage risks from cybersecurity threats into our overall risk assessment process. The Company maintains a cybersecurity program that is designed to identify, protect against, detect, respond to, and recover from cybersecurity threats and risks, and to protect the confidentiality, integrity, and availability of its information systems, including the information residing on such systems. The National Institute of Standards and Technology Cybersecurity Framework helps the Company inform its cybersecurity agenda and prioritize its cybersecurity activities. The Company takes a risk-based approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks or threats that could affect the Company’s operations, finances, legal or regulatory compliance, or reputation. The Company has processes in place for assessing, identifying and managing material risks from cybersecurity threats, along with risk assessment procedures designed to allow such processes to remain responsive to emerging risks. Our processes include, but are not limited to, the following:

we engage third-party cybersecurity firms and tools to assist with network monitoring, endpoint protection, vulnerability assessments and penetration testing;
we engage cybersecurity consultants, auditors, and other third parties to assess and enhance our cybersecurity practices, such as by performing tabletop exercises and evaluating our cyber processes, including an assessment of our incident response procedures. Identified risks are formally tracked until mitigated or eliminated;
we perform regular scanning of our systems to identify and resolve critical vulnerabilities;
we provide periodic training and testing, including phishing tests, to help our employees understand cybersecurity risks and their responsibility in mitigating those risks; and
we insure against potential losses from cyber incidents by maintaining cybersecurity insurance.

We have a written incident response plan that identifies the steps to be taken in response to a cybersecurity incident that includes investigation, escalation and remediation provisions. The incident response plan includes standard processes for reporting and escalating cybersecurity incidents to senior management.

We have processes to evaluate third party service providers and vendors that have access to sensitive systems and Company and customer data, which may include the use of cybersecurity questionnaires and due diligence procedures such as assessments of that service provider’s cybersecurity posture.

Management’s Role

Management has implemented risk management structures, policies and procedures, and manages our risk exposure on a day-to-day basis. The Company has a dedicated cybersecurity organization within its technology department that focuses on current and emerging cybersecurity matters. The Company’s cybersecurity function is led by the Company’s CIO and the Company’s CISO, who reports to the Company’s CIO. The CIO and his direct reports, including the CISO, discuss action items related to risks at a standing monthly meeting. The CISO and many members of his team have multiple decades of cybersecurity related experience. Risk reporting is provided at monthly meetings of the firm’s cross-business Cybersecurity Committee and periodic presentations to the firm’s Risk Management Committee, at which many members of the Company’s senior management are present.


The CEO meets regularly with the CIO to discuss cybersecurity threats and existing and potentially new technology systems including those related to cybersecurity. The CIO and CISO have a standing monthly meeting with the President and General Counsel to discuss potential vulnerabilities in the cyber environment. The President formerly ran the Information Technology Department at the firm and as a result has significant systems experience including experience related to cybersecurity.

Board Oversight

The Board of Directors, both directly and through the Audit Committee, oversees Management’s responsibility of ensuring proper functioning of our cybersecurity risk management program. In particular, the Audit Committee assists the Board in its oversight of management’s responsibility to assess, manage and mitigate cybersecurity risks. The Audit Committee receives a cybersecurity update at each regular meeting of the Board covering cybersecurity risks, cybersecurity staffing and staff development including certifications and training. These updates are given either in person by the CIO and CISO or in written presentations created by them.

As of the date of this filing, the Company has not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on the Company’s business strategy, results of operations or financial condition. Although the Company has not experienced cybersecurity incidents that are individually, or in the aggregate, material, the Company has experienced cyberattacks in the past, which the Company believes have thus far been mitigated by preventative, detective, and responsive measures put in place by the Company. Given the continuing reports of cyber incidents in general, we believe that the Company will most likely continue to be a target of cybersecurity attacks by bad actors.

For additional information on how risks from cybersecurity threats may adversely affect the Company see “Item 1A. Risk Factors-Risks Related to Our Business” of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.