DIAMOND HILL INVESTMENT GROUP INC - (DHIL)

10-K Filing Date: February 29, 2024
ITEM 1C. Cybersecurity
The Company is subject to several material risks related to cybersecurity threats. A cybersecurity attack could prevent the Company from managing client portfolios, cause the unauthorized disclosure of sensitive or confidential client or employee information, and/or result in misappropriation of information or funds, which individually or collectively could severely harm its business.
The Company has an Information Security Committee (the “Committee”) to identify, assess, and manage cybersecurity risks and to implement necessary policies and procedures to mitigate those risks. The Committee also coordinates employee education efforts throughout the year. The Managing Director of Information Technology serves as the Committee chair and the day-to-day manager of the Company’s information security management systems. The Committee is comprised of members having expertise in information technology infrastructure, data security, risk management, compliance, and business continuity and recovery efforts. The Committee identifies and assesses risks by understanding and evaluating the Company’s systems, processes, data, and controls. This information is then augmented through participation by certain Committee members in industry threat intelligence groups designed to share best practices and emerging threats related to cybersecurity. The Committee also completes a full cybersecurity risk assessment annually, which drives the implementation of policies and procedures as well as the scope of third-party testing. The Committee has implemented a comprehensive set of cybersecurity policies and procedures that follows standards established by the International Organization for Standardization (“ISO 27001”). Included are policies and procedures to oversee, identify, and mitigate the Company’s cybersecurity risks as well as cybersecurity risks to the Company associated with its significant service providers and vendors. The Company’s cybersecurity policies and procedures have been independently certified by a third party as compliant with the ISO 27001 standard. The Committee engages multiple third-party experts to perform penetration tests on a periodic basis, and to assess whether these policies and procedures are designed appropriately and operating effectively.
Cybersecurity oversight forms part of the Board’s risk oversight of the Company. The Board oversees efforts by management to manage the cybersecurity risks to which the Company may be exposed. The Board receives at least annual reports and meets periodically with the Chief Compliance Officer and the Managing Director of Information Technology, both of whom serve on the Committee. From its review of these reports and discussions with the Committee and management, the Board ensures it has sufficient awareness of the material cybersecurity risks to which the Company is exposed, enabling a dialogue about how management manages and mitigates those risks. The Board currently has three members who have obtained certifications in cybersecurity oversight.