VIRTUS INVESTMENT PARTNERS, INC. - (VRTS)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Cybersecurity Strategy and Risk Management
We maintain a cybersecurity and information protection program that is supported by policies and procedures designed to protect our systems and assets and the Company’s sensitive or confidential business information, including that entrusted to us by our clients and business partners. Identifying and assessing cybersecurity risk is integrated into our overall enterprise risk management (“ERM”) processes. Our ERM processes consider cybersecurity threat risks alongside other company risks as part of our overall management activities. Cybersecurity risks related to our business are identified and managed through a multi-faceted approach utilizing various systems, controls, and processes.
We maintain a layered security architecture as a key part of our infrastructure design and utilize our employees and managed third-party service providers to help ensure a secure environment and safeguard against a variety of threats including malware, systems intrusions, unauthorized access, data loss and other security risks. We have implemented various technology products and associated procedures, including, among others, the following:
▪Firewall protection, operating system security patches, and multi-factor authentication;
▪System security agent software, which includes encryption, malware protection, patches and virus definitions;
▪Monitoring of computer systems for unauthorized use of or access to sensitive information;
▪Web content filtering;
▪Web and network vulnerability assessments and penetration testing;
▪Monitoring emerging laws and regulations related to data protection and information security;
▪Hosting in-house production systems in geographically dispersed locations that are backed up to alternate locations; and
▪Employee cybersecurity awareness training that includes regular phishing simulations.
As part of the above processes, we engage various professional services firms that use external third-party tools to assess our internal cybersecurity programs and compliance with applicable practices and standards. Our use of these third parties allows us to leverage specialized knowledge, insights and industry best practices.
The Company’s processes to identify material risks from cybersecurity threats associated with our use of third-party service providers are included within our service provider management policy. The policy provides guidelines for performing cyber risk assessments on our critical and material third-party service providers during onboarding and periodically thereafter.
The assessment of cybersecurity incidents is integrated into the Company's business continuity and disaster recovery program (“BCDR”). Our BCDR includes an incident response protocol that provides a framework for the assessment, response, and recovery phases for any business disruption, including cybersecurity incidents. It also incorporates various event, incident and response teams that comprise the Company's information security, risk management, compliance, legal and other functions as needed in response to any cybersecurity incidents. Our incident response protocol also provides for reporting mechanisms to senior management and our Board of Directors in the event of a material cybersecurity incident.
We have not had a cybersecurity incident that has materially affected, or was reasonably likely to materially affect, our business strategy, results of operations or financial condition. There are risks from cybersecurity threats that, if they were to occur, could materially affect our business strategy, results of operations or financial condition; these are further discussed in Item 1A. “Risk Factors—Risks Related to our Industry, Business and Operations—We and our third-party service providers rely on numerous technology systems and any business interruption, security breach, or system failure could negatively impact our business and profitability” of this Annual Report on Form 10-K, which should be read in conjunction with the information in this section.
Cybersecurity Governance
Our Board of Directors ("Board") oversees our risk management processes, including our risks from cybersecurity threats. As part of its ongoing responsibilities, the Board receives recurring reports from management on the Company’s cybersecurity risk environment and regularly meets with management to review the risk landscape and discuss the steps taken by management to monitor and mitigate cyber exposures. In addition, from time to time, our Chief Technology Officer and Chief Information Security Officer (“CISO”) brief the Board on the cyber-threat landscape, our information security program and other related information technology topics.
The Company maintains an Enterprise Risk Committee (“ERC”), comprising the Company executives who lead day-to-day risk management, and whose efforts are supplemented by specific risk-related committees or teams. The ERC is a cross-functional committee that focuses on identifying and managing operational risk throughout the organization, including cybersecurity threats. The ERC has integrated cybersecurity into key elements of the Company’s ERM framework, including our BCDR planning program and service provider management policy, and personnel from our information security, risk management, compliance and legal groups are a part of the assessment and response team for cybersecurity incidents and the evaluation of third-party cybersecurity risk.
Our cybersecurity systems, controls and processes are overseen by our cybersecurity information technology team, which is managed by our CISO. Our CISO has over 25 years of experience in the information technology and cybersecurity field and is a Certified Information Systems Security Professional.