Interactive Brokers Group, Inc. - (IBKR)

10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY

As part of our overall risk management framework, we have processes in place to identify, assess, and manage material risks from cybersecurity threats.

Cybersecurity Program Overview

Our cybersecurity program is designed to identify, assess, and manage cyber risks. The program involves risk assessments, implementation of security measures, and ongoing monitoring of systems and networks. We continually evaluate the current threat landscape in an effort to identify material risks arising from new and evolving cybersecurity threats.

We engage external experts, including cybersecurity assessors, consultants, and auditors to evaluate cybersecurity measures and risk management processes.

Where we engage or rely on third parties, including suppliers, vendors, and service providers, our information security personnel have processes in place to identify and manage risks from cybersecurity threats associated with our use of such third parties.




Board Oversight of Cybersecurity Risks

Our Board of Directors receives periodic updates on cybersecurity matters from our Chief Executive Officer (based on consultation with our Chief Information Security Officer (“CISO”) and other senior members of our Information Security and/or Technology teams). In addition, a member of senior management responsible for the Company’s Information Security team provides an annual briefing to our Board of Directors regarding the overall state of our cybersecurity program, information on the current cybersecurity threat landscape, risks from cybersecurity threats and any cybersecurity incidents that are reasonably likely to materially affect, or which have materially affected, the Company.

Management's Role in Cybersecurity Risk Management

The Company’s management, including the Company’s Chief Information Officer, Executive Vice President of Technology, and CISO, are responsible for assessing and managing material risks from cybersecurity threats. Members of Company management possess relevant expertise in various disciplines that are key to effectively managing such risks. Specifically:

Dr. Thomas Frank, Executive Vice President and Chief Information Officer: Dr. Frank has been with the Company since 1985 and was instrumental in the development of the Company’s early market making systems. Dr. Frank became Chief Information Officer in 2006. Dr. Frank is responsible for the Company’s technical infrastructure and operations and information security, among other duties. Dr. Frank is a member of the Board of Directors of OCC. Dr. Frank received an S.B. and a Ph.D. in Physics from the Massachusetts Institute of Technology.

Somayajulu (Soma) Bulusu, Executive Vice President of Technology: Mr. Bulusu joined the Company as EVP of Technology in February 2024. Mr. Bulusu has over 25 years of experience in engineering, product, and service delivery. Mr. Bulusu joined the Company from Chewy, Inc., where he led the Information Technology and Engineering teams. His previous roles include leadership positions at Amazon, Nuance, and TouchCommerce.

Dr. Boris Kogan, Chief Information Security Officer: Dr. Kogan has served as the Company’s Chief Information Security Officer since 2016. Dr. Kogan has over 20 years of cybersecurity management experience in the financial services sector. Earlier in his career, after obtaining a Ph.D. in Computer Science from Princeton University, Dr. Kogan served on the faculty of George Mason University, where he conducted government-sponsored research in cybersecurity.

The Company’s management, including through its oversight of the Company’s policies and procedures regarding cybersecurity, is actively involved in the prevention, detection, mitigation, and remediation of cybersecurity incidents impacting the Company. Management’s oversight is augmented through the Company’s Enterprise Risk Management Framework, which includes risk and control assessments related to the Company’s cybersecurity program. Additionally, the Company’s Internal Audit Group periodically audits aspects of the Company’s cybersecurity program and provides reports to the Board’s Audit Committee, and an external audit firm conducts an annual SOC 2 attestation of the Company’s information security controls.

Assessment of Cybersecurity Risk

The potential impact of risks from cybersecurity threats to the Company is assessed on an ongoing basis. During the reporting period and through the issuance of this Annual Report on Form 10-K, the Company has not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that the Company believes have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, operational results, and financial condition. For additional information about cybersecurity risks, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.
