CME GROUP INC. - (CME)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
As a highly regulated global financial services company, we understand the substantial operational risks for companies in our industry as well as the importance of protecting the information and data of our clients and employees. As such, our Global Informational Security (GIS) Program is designed and operated to mitigate information security risks and threats to the company. Its intent is to safeguard the confidentiality, integrity and availability of our information and services. The GIS Program is designed to strengthen the integrity of the global markets we support, protect CME Group’s information assets, maintain client and employee trust, support our pursuit of strategic objectives, contribute to shareholder value and preserve our reputation and brand. We implement technical, physical and administrative safeguards to protect the confidential and sensitive information of our clients, employees and other information under CME Group’s stewardship. We manage cybersecurity risk to the organization as part of our business strategy, risk management and financial functions in alignment with our overall Enterprise Risk Management Program and regularly engage with the risk committee of the board of directors and the board of directors as a whole regarding the effectiveness of the GIS Program.
The GIS Program is led by CME Group’s Chief Information Security Officer (CISO), who has worked in various roles in information security for over 20 years, and has led our GIS Program for more than four years since joining the company in 2016 in a senior role in GIS. The CISO reports to our Chief Information Officer (CIO), a member of our Management Team. Our GIS team comprises over 200 full-time employees, many of whom hold cybersecurity, risk, or management certifications, such as Certified Information Systems Security Professional, Certified Information Security Manager, Certified in Risk and Information Systems Control, Series 99, Certified Information Systems Auditor, Project Management Professional, various cloud provider certifications and various levels of ITIL certifications. As part of our GIS Program, CME Group operates a state-of-the-art Cyber Defense Center that virtually links 24/7 to our international operational cybersecurity teams and serves as a global hub for cybersecurity risk management activities, including log collection, event monitoring, threat detection and incident response, resiliency, operations, vulnerability management and the proactive collection and processing of both open source and proprietary threat and intelligence feeds allowing the company to efficiently manage, investigate and respond to cybersecurity events. Our GIS team conducts analyses and aims to prevent, detect and respond to systemic events that might threaten our company, industry or the economy.
The GIS Program includes a Cyber Defense team, which manages the Incident Response Plan (IRP). This Cyber Defense team consists of subject matter experts from GIS and Information Governance, who work together to monitor and respond to cybersecurity incidents. The IRP outlines our cyber and incident response policies and governs our incident response lifecycle, which divides overall incident response into serial phases. The Crisis Management Team (CMT) is responsible for oversight during an incident, in conjunction with the Cyber Coordination Team (CCT). The CCT manages responses to cybersecurity and compliance incidents, collaborating with subject matter experts (SMEs) from various departments in response to specific incidents. When an incident reaches a certain threshold of severity, our CISO and CIO escalate the matter to our Chief Operating Officer, who is another member of our Management Team, to determine next steps, as well as possible customer and external communication. Throughout the incident response process, the Legal team is engaged, as appropriate, and helps consider whether disclosure is required once a determination is made in connection with the company’s leadership and the CMT.
We identify, assess and manage material risks from cybersecurity threats through our GIS Program as follows:
We deploy a defense-in-depth strategy, acknowledging the importance of people, processes and technology in upholding information security. The strategy incorporates multiple layers of controls, including monitoring, vulnerability management, identity and access management and security assessments.
Our program is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and other technical standards and frameworks.
We have a robust cybersecurity defense response plan that provides a documented framework for handling security incidents and facilitates coordination across multiple parts of the company.
We invest in threat intelligence and operate a state-of-the-art Cyber Defense Center, which acts as our hub of information sharing and threat intelligence analysis.
We incorporate external expertise and reviews into our cybersecurity risk management program and continue to engage a leading professional consulting firm to assist our company in incorporating cybersecurity best practices.
We provide annual cybersecurity awareness and ongoing phishing training, such as routinely performing cybersecurity attack simulation exercises, which include participation from various levels of management.
Following a risk-based approach, we conduct due diligence reviews of our third party providers for potential cybersecurity risks to the company. Our Enterprise Risk Management (ERM) team oversees our Third Party Risk Management (TPRM) program, which partners with our GIS, Information Governance, and Operational Resilience groups to manage and monitor third party risk of CME Group vendors and certain third parties of customers (fourth parties). The teams monitor cyber-related incidents and known third party vulnerabilities with the goal of enhancing processes, improving risk management and partnering on exit planning and testing for certain vendors associated with essential functions.
We have insurance against certain cybersecurity and privacy risks and attacks.
We are an active participant in the financial services industry and government forums and information sharing programs, designed to improve both internal and sector cybersecurity defense. These valuable external partnerships are established and maintained in order to gain more timely, comprehensive and actionable threat information across geographies and industries and to facilitate the exchange of best practices and security techniques. They allow for a high degree of collaboration and cooperation with local, state, federal, and international law enforcement and intelligence agencies, industry groups, and other private sector chief information security officers.
We regularly test the design and effectiveness of our information security controls and processes through a program of testing performed by internal and independent third-party teams. Gaps and opportunities identified through testing are assigned to certain members of management and tracked through to closure. Testing activities support a variety of regulatory requirements and external industry certifications held by CME Group.
The board provides oversight of cybersecurity risks and has designated primary responsibility to the risk committee, which oversees our information security programs, including cybersecurity, and is actively involved in monitoring the progress of key cybersecurity initiatives. Our board and risk committee receive regular updates on the activities and effectiveness of our GIS Program, including reports on incident response plan testing exercises and results of compliance testing and third-party evaluation results. Our CISO provides quarterly, or as needed, reports and updates to our board and risk committee on the company's cybersecurity risk management program and meets with the risk committee at least annually in a private session. The CISO has an indirect reporting line to the risk committee. We also engage with a leading professional consulting firm to provide regular updates to the board on cybersecurity-related risks in the evolving threat landscape and to provide education on best practices for board oversight of our GIS Program.
Historically, and at the time of this filing, we have not experienced cybersecurity incidents that were deemed by the company to be material individually or in the aggregate, or reasonably likely to be material, but we have experienced cyber attacks of varying degrees in the past.
See "Item 1A - Risk Factors" beginning on page 16 for additional information on cyber attacks and other cybersecurity risks the company faces.