10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Envestnet’s Information Security Program uses a risk-based approach to assess, identify and manage material risks from cybersecurity threats and is an integral part of our enterprise risk management program and processes. The Information Security Program is complemented by our business continuity and disaster recovery planning controls. Envestnet’s Group Head, Cybersecurity/Information Security Officer is a member of the firm’s Risk Management Committee.
We regularly update our enterprise-wide Information Security Program to align with industry best practices and applicable regulations. Envestnet’s Information Security Program includes a policy framework that leverages elements from National Institute of Standards and Technology Cybersecurity Frameworks, NIST 800-53 Standards, ISO 27001, Cloud Security Alliance, and other relevant industry best practices to protect the confidentiality, availability, and integrity of our data and systems.
Directed by Envestnet’s Group Head, Cybersecurity/Information Security Officer, the Information Security team defines, implements and monitors our Information Security Program. We review and approve our security policies, procedures, and standards annually or whenever material updates are made during the year. Moreover, we undergo SOC 1 Type 2, SOC 2 Type 2, and PCI-DSS (where applicable) audits on multiple technology platforms.
In addition to our Information Security team, we use third-party vendors to help address material risks from cybersecurity threats. Among other things, third parties conduct security assessments, monitor endpoint security, probe our defenses, and conduct cybersecurity exercises. We also leverage third-party providers to aid management to detect, respond and recover in the event of a cyber incident.
To keep information security risks related to suppliers and other third parties within an acceptable range, Envestnet has a third-party oversight program. This program categorizes our third parties, assesses the potential impact of a compromise of Envestnet data and other resources in relation to the third party’s engagement and manages the risk associated with third parties. This risk management includes understanding whether the third party has required controls in place, whether it has vulnerabilities that need to be managed before beginning work with us and what residual risks will remain and require acceptance or further decision making.
Risks from Cybersecurity Threats
No risks from cybersecurity threats materially affected Envestnet’s business strategy, results of operations or financial condition during the year that ended December 31, 2023. Moreover, such risks do not appear to be reasonably likely to affect our business strategy, results of operations or financial condition.
Board of Directors’ Oversight of Risks from Cybersecurity Threats
Envestnet’s Board of Directors maintains regular oversight of risks from cybersecurity threats. In particular, its Compliance and Information Security Committee reviews, assesses, and makes recommendations to our Board about our regulatory compliance programs and information technology security framework, including cybersecurity threats. This includes receiving regular reports from the Information Security team on audits, security issues, changes in risk postures and regulatory matters. The Compliance and Information Security Committee also oversees selection of Envestnet’s independent security assessors and reviews their reports. The Committee is authorized to request that any Envestnet director, officer, employee, outside counsel or independent auditor attend a meeting of the committee or meet with any of its members or advisors.
The majority of the directors who serve on the Compliance and Information Security Committee must be independent. The Committee meets quarterly and on an ad hoc basis.
Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats
Envestnet’s senior management assesses and manages material risks from cybersecurity threats through its Information Security Management Committee. The Information Security Management Committee provides direction, management, support and sponsorship associated with information security. Chaired by Envestnet’s Group Head, Cybersecurity/Information Security Officer, the Information Security Management Committee consists of Envestnet’s Executive and Senior management from Operations, Legal, Compliance, Systems, Business, Human Resources and Finance.
Our Group Head, Cybersecurity/Information Security Officer has a total of more than 28 years of experience in cybersecurity, technology and information technology roles with financial services, technology and consulting companies. She joined Envestnet in 2020.
The Information Security Management Committee's responsibilities include, but are not limited to:
• Setting, reviewing and supporting the components of the Information Security Program;
• Monitoring significant risk trends and proposing changes to controls and policies, as appropriate;
• Ensuring that information security is resourced and prioritized;
• Ensuring the proper execution of risk management activities;
• Establishing and maintaining a culture that promotes information security;
• Reviewing and evaluating the implementation and effectiveness of the Information Security Program through regular external and internal assessments;
• Maintaining cybersecurity incident response preparedness;
• Providing support for and visibility to information security initiatives; and
• Coordinating with the Information Security team to provide regular reports to the Compliance and Information Security Committee of the Board of Directors about audits, security issues, changes in risk postures and regulatory matters, among other cybersecurity topics.