PJT Partners Inc. - (PJT)
10-K Filing Date: February 28, 2024
As required by Item 106 of Regulation S-K, the following sets forth certain information regarding our cybersecurity strategy, risk management, and governance.
Cybersecurity Strategy and Risk Management
Our Cybersecurity and Technology Risk Program (the “Program”) is designed to protect critical assets, scale with business growth, and identify and mitigate threats, enabling us to securely conduct the Company’s business. The Program’s design applies concepts from the frameworks of the National Institute of Standards and Technology (“NIST”) as guidelines, incorporating their applicable principles while adapting certain elements to align with our specific operational needs and objectives. The Program and other cybersecurity processes have been integrated into our overall risk management framework.
Information Security Policies and Procedures
As part of the Program, the Company has adopted Information Security Policies and Procedures (“ISP”) that utilize concepts set forth in the NIST Special Publications and Internal/Interagency Reports and other industry-accepted guidance.
The ISP sets forth the controls and activities designed to protect our systems and data, such as establishing network perimeter security, managing system access, monitoring user activity, and maintaining physical security. Other components of the Program related to assessing, identifying, and managing risks from cybersecurity threats include annual cybersecurity training for all employees, regular review and update of our business critical and financial systems, and the use of a variety of tools and methods to manage access to, and maintain the integrity of, our information systems. Our employees are critical in helping mitigate our cybersecurity risk and we continue to raise awareness and engagement through our formal training, frequent phishing campaigns and communication from our information security team with reinforcement from senior leaders across the Company. We also perform annual external penetration tests to identify certain potential vulnerabilities, and maintain a business continuity plan, which is tested annually.
The Company engages third parties to test and advise on the Program, including to conduct our annual external penetration test. At times, the Company may engage external experts to support the Program by, for example, facilitating an internal audit, advising on a cybersecurity incident, or advising on legal and regulatory requirements.
The Company has processes to identify risks from cybersecurity threats associated with its use of third-party service providers. Each third-party service provider is evaluated at onboarding for compliance with our cybersecurity standards. Risks identified through this assessment are logged and remediation plans are discussed with appropriate stakeholders.
Cyber Incident Response Plan
The Company has adopted a written Cyber Incident Response Plan (the “Plan”) to guide our response to cybersecurity incidents. The Plan established the Cyber Incident Response Team (“CIRT”), which is responsible for leading the Company’s response in the event of a cybersecurity incident and is comprised of the Company’s Chief Technology Officer (“CTO”) and Chief Operating Officer as well as other senior management.
Cybersecurity Risks
We do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, as discussed more fully in “Part I. Item 1A. Risk Factors—Risks Relating to Our Business—Our business is subject to various cybersecurity and other operational risks” of this filing, the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cybersecurity incidents may be insufficient. Accordingly, our controls and procedures may not be able to address or limit all security breaches, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.
Cybersecurity Governance
Board Oversight
Our full Board retains responsibility for the oversight of management’s role in assessing and managing cybersecurity risk. The Board is aware of the threats presented by cybersecurity incidents and is committed to taking measures to help prevent and mitigate the effects of any such incidents. The Company’s management team and CTO report to the Board at least twice annually on cybersecurity risks and issues, including the status of our cybersecurity efforts. The Board also discusses cybersecurity issues with external experts.
Management Oversight
In January 2024, the Company established a Cybersecurity and Technology Risk Committee (the “Cybersecurity Risk Committee”), comprised of our CTO and senior managers from across the Company. The Cybersecurity Risk Committee has responsibilities that include managing, monitoring and coordinating the Company’s cybersecurity and technology risk management and any required remedial or corrective actions; reviewing the effectiveness of the ISP and serving as the primary escalation point for cybersecurity matters under the ISP.
The Cybersecurity Risk Committee reports to the Operational Risk Committee which is part of our overall risk management framework. The Operational Risk Committee is responsible for incorporating risk management considerations into our business activities. The Operational Risk Committee reports to the Executive Committee, our principal management-level policy-making committee that reports directly to the Board. Under the Plan, the Executive Committee is responsible for escalating and informing the Board about significant cybersecurity incidents and steps being taken by management to address them.
Our CTO leads management’s efforts to assess and manage cybersecurity risks through execution and enforcement of the Program, implementation of the ISP, reporting cybersecurity risks to senior managers of the Company, and meeting at least twice annually with the Board to discuss cybersecurity risks. The CTO works closely with the Company’s Executive Committee and other senior managers, including through his participation in the Cybersecurity Risk Committee, Operational Risk Committee, and CIRT.
In addition to the processes described above, our CTO leads a team of information security specialists to assist him in meeting his responsibilities. He leads dedicated cybersecurity meetings with this information security team and regularly reviews key cybersecurity metrics. The information security team monitors public cybersecurity threats and meets with external experts periodically to review these threats and to stay abreast of the evolving threat landscape. Our CTO brings over 30 years of technological expertise to the Company, with a background deeply rooted in data management and protection, data analytics, and artificial intelligence, and brings extensive experience in information security strategy and risk management from his previous roles at a global investment bank.