Morningstar, Inc. - (MORN)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
The purpose of our information security program is to enable the business to effectively identify, assess, prioritize and manage cybersecurity risk in order to support our long-term corporate objectives and to protect our employees, customers, and company assets from threats to our information systems. Cybersecurity is a critical component of our enterprise risk management and the company has identified cybersecurity as one of the key risk categories it faces.
Risk Management and Strategy
Morningstar takes a risk-based approach for managing its cybersecurity program. Currently, the program is evaluated periodically, including against the NIST Cybersecurity Framework. The outcome of these reviews, as well as any changes implemented as a result of these reviews, are reported to the audit committee of the board of directors (the “Audit Committee”).
Morningstar deploys various safeguards to help protect against cybersecurity threats, including, but not limited to, anti-malware (EDR) tools, email security, web filtering, multi-factor authentication and single sign-on, a regular patch cadence and vulnerability management, and hardened laptops with full disk encryption and admin permissions removed. For in-house software, Morningstar deploys various security tools to detect vulnerabilities, including, but not limited to, static application security testing and dynamic application security testing, SAC tooling, cloud security posture management and central logging.
The InfoSec Team conducts vulnerability scans and third-party security assessments of operating systems, network devices, and web-facing applications. In order to ensure the resilience of Morningstar products, we require all products to follow enterprise-wide Disaster Recovery (DR) standards. Identified vulnerabilities and DR tasks are assigned to appropriate owners and on a weekly basis we produce a cybersecurity scorecard for each Morningstar product. These scorecards are disseminated to the relevant leadership team.
The InfoSec Team, under the supervision of the chief information security officer (CISO), has also implemented processes to evaluate the cybersecurity controls of third-party service providers. As part of the Company’s processes for engaging vendors, subcontractors and other third parties, the InfoSec Team evaluates any such entities that may process confidential information prior to conducting business with them. We evaluate the security status of our critical third parties periodically to determine whether they continue to meet our security standards.
Employees undergo annual security awareness training, and a quarterly phishing exercise is conducted. Quarterly security incident tabletop exercises are conducted with appropriate stakeholders to practice response procedures, and an annual tabletop exercise is conducted with the executive leadership team to test our enterprise resilience. The enterprise resilience team manages both disaster recovery as well as business continuity plans in preparation to recover from high-impact incidents.
Governance
We have a team of experienced information security professionals (InfoSec Team) headed by our CISO, who reports to our chief technology officer (CTO), a member of our executive leadership team. Our CISO holds a Ph.D. in Computer Science with a focus on Cybersecurity and Privacy and has more than 15 years of information security experience. The InfoSec Team is responsible for assessing and managing cybersecurity risks and threats. The InfoSec Team, under the leadership of our CISO, manages our Information Security Program (InfoSec Program), which has oversight of IT risk governance, IT third-party risk management, software and product security, security operations and incident management, IT compliance, technical disaster recovery, and establishing enterprise-wide information security policies and procedures.
Our CISO co-chairs an internal Security and Privacy Advisory Council (SPAC), comprised of senior leaders from the IT, Legal, Audit, and Compliance departments, that meets on a quarterly basis to discuss environmental, regulatory, and technological changes and associated risks to the security and confidentiality of our information. The InfoSec team is tasked with executing this strategy through the implementation of cybersecurity policies, procedures, and strategies. The SPAC receives regular updates on pertinent objectives of the InfoSec Program, as well as a summary of recent security events and reporting on how any incidents were resolved.
The Audit Committee reviews and discusses with management risks relating to our cybersecurity and data privacy practices and has oversight of our cybersecurity risks. Our CTO and CISO provide an update to the Audit Committee at each of its regular meetings, which covers recent trends, identifies emergent risks to our technology infrastructure, DR plan statistics, employee training metrics, and updates on vulnerability assessments and threat landscape as needed. The Audit Committee is also provided a summary of events and reporting on how any such events were resolved.
Cybersecurity Event Management
We have instituted a specific event management process for the identification and resolution of cybersecurity incidents. Cybersecurity incidents are responded to and managed by our 24-hour Security Operations Center (SOC), and technical outages/accidental occurrences are reviewed and managed by operational teams at the relevant Morningstar product and by the Technology Operations Center (TOC). Upon resolution of a cybersecurity incident, we conduct a retrospective analysis to inform our security and operational efforts going forward. We engage third parties, such as incident response service providers, as appropriate, based on the severity of the cybersecurity event and/or the work required to remediate. Upon identification of a cybersecurity event, we assign a significance rating to the event. All cybersecurity events that meet or exceed designated criteria are escalated to the CISO or Chief Information Officer (CIO). Cybersecurity events which may be significant are further escalated to the Cyber Incident Disclosure Committee (Cyber Committee).
The Cyber Committee consists of the CTO, the CIO, the CISO, the chief privacy officer, the chief legal officer, the chief communications officer, representatives of the affected business unit and/or their respective delegates.
We believe that currently we have not encountered a cybersecurity event that has had a material impact on our business, financial condition, or results of operations. We continue to invest in our IT security infrastructure and framework and to enhance our internal controls and processes to help protect our data from cybersecurity threats. For a discussion of the risks cybersecurity threats pose to our business strategy, results of operations and financial condition, please see “Item 1A. Risk Factors — Risks Related to Our Information Technology and Security” in this Report.