SS&C Technologies Holdings Inc - (SSNC)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

Our information security processes are designed to assess, identify and manage material risks from cybersecurity threats. In conducting our business activities, we are entrusted with confidential information from our clients, business partners and employees. Confidential information may include sensitive business and technical information, as well as personal information. Our Information Security Management System (“ISMS”), based on ISO/IEC 27001, is an integral part of our overall enterprise risk management system, and serves as a framework for handling cybersecurity threats and incidents, including such threats and incidents associated with our use of services by information technology suppliers. The ISMS is operated by our Global Information Security team headed by our Global Chief Information Security Officer (“CISO”). We maintain physical, electronic and procedural safeguards designed to guard confidential information contained within our information systems from loss, misuse, unauthorized access, disclosure, alteration or destruction. We have layered defenses designed to protect against intrusions that could affect the confidentiality, integrity and availability of information.

We prepare for security incidents by analyzing threat intelligence, holding periodic cybersecurity incident tabletop exercises, and reviewing lessons learned on a regular basis. Our incident management process is communicated to employees during periodic security awareness training. Our employees are trained to report incidents, including security weaknesses, malfunctions, threats and breaches immediately to the concerned internal departments and to our information security group. Our computer security incident response team is trained to manage incident response.

We conduct systematic and manual assessments designed to identify information security vulnerabilities, such as external party penetration tests, internal manual penetration tests, source code scanning and other techniques. We perform information technology risk assessments on a periodic basis designed to detect risks for which controls and mitigation strategies are developed.

We engage with external experts, including cybersecurity assessors and consultants, in evaluating and testing our information systems and information security controls, enabling us to obtain specialized knowledge and insights.

We perform information technology supplier risk assessments on a periodic basis. Information technology suppliers to SS&C that access, process or store personal information or other customer data are assessed and are also subject to periodic due diligence procedures.

Cybersecurity risk is overseen by the board of directors, with additional oversight of the relevant risk framework and controls provided by the Audit Committee. The Audit Committee oversees our policies with respect to risk assessment and risk management generally, including guidelines and policies to govern the process by which our exposure to risk is handled. As set forth in its charter, Audit Committee oversight includes periodic review of our information security controls and procedures and the processes and procedures for managing cybersecurity risks.

Our CISO, who reports to SS&C’s Chief Technology Officer, provides periodic updates to the Audit Committee or to the board of directors on cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents, industry trends and other areas of importance.

Our CISO is responsible for our overall information security strategy, policy, security engineering, operations, cybersecurity threat detection and response. Our CISO has over 20 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other companies. Cybersecurity team members provide regular reports to our CISO with respect to the prevention, detection, mitigation and remediation of cybersecurity incidents, and otherwise aid our CISO in operating the ISMS. Cybersecurity team members have relevant education, certifications, and industry experience.

We, our clients and our vendors are regularly the target of attempted cyber-attacks, and we must continuously monitor and develop our systems to protect our technology infrastructure and data from misappropriation or corruption. Such cybersecurity incidents could lead to disruptions in our systems; the unauthorized release or destruction of our or our clients’ or other parties’ confidential or otherwise protected information; and corruption of data. We regularly re-evaluate, modify and enhance our information security processes as new technologies emerge or new risks are identified. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See “Risk factors - Risks Relating to Our Business - Our software-enabled services may be subject to disruptions, attacks or failures that could adversely affect our reputation and our business.” for more information about these risks.