PIPER SANDLER COMPANIES - (PIPR)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity.
As a trusted advisor to our clients and a regulated financial services firm, information and cybersecurity are critical to our operations and reputation. Our management team takes an active role in identifying, assessing, monitoring and managing material risks from information and cybersecurity threats. Management’s assessment of information and cybersecurity threats is incorporated into our enterprise risk management processes, which include assessing inherent risks posed by the internal operating environment and external factors, assessing the adequacy and design of controls, testing controls, determining residual risk and comparing it to risk appetite thresholds, and taking steps to further mitigate risks as needed. Our board of directors is actively engaged in the oversight of cybersecurity and information technology risks, with primary oversight responsibility delegated to the audit committee of the board of directors. The audit committee is composed of board members with the appropriate expertise, including risk management, cybersecurity and finance, to oversee these risks as well as management's cybersecurity processes and protocols.
Our chief information and operations officer is a member of our leadership team and has been in this role for 15 years. With more than 25 years of experience in information technology in the investment banking industry, he is responsible for overseeing more than 100 employees in our information security and technology departments who possess relevant educational and industry experience. The information security and technology departments are responsible for various functions of our information and cybersecurity program, including implementing and maintaining policies and procedures; developing, implementing and governing various service level agreements; ratifying security standards; reviewing project implementations; performing third-party vendor assessments; and operating programs such as threat intelligence, vulnerability management, security information event management, and information governance.
Our information and cybersecurity program utilizes the National Institute of Standards and Technology ("NIST") Cybersecurity Framework, and our security controls are mapped to the NIST Cybersecurity Framework to ensure alignment with recognized industry best practices. Annually, we engage a third-party consultant to conduct an assessment of the effectiveness of our information and cybersecurity program against the NIST Cybersecurity Framework. This assessment is reviewed with the audit committee, and opportunities for further maturation are incorporated into our information and cybersecurity roadmap.
Additionally, we regularly engage consultants and other third parties to evaluate specific priority areas of our information and cybersecurity program based on our assessment of the current cybersecurity threat landscape. Examples of our engagement with consultants include external penetration testing, application security assessment and cybersecurity incident response tabletop exercises.
Our third-party vendor management program has a tiered approach to assess vendors based on risk profile. We review each third-party vendor’s architectures, security practices and data flows, and integrate stringent contractual terms encompassing breach notifications and other security requirements. The risk profiles associated with our service level agreements are monitored by senior employees in our information security and technology departments. Our vendor management program also includes an annual reassessment of the risk profile of each vendor and interim vendor reviews are completed if service alterations occur.
Senior information security and technology employees, including the chief information and operations officer, meet regularly to discuss potential information and cybersecurity threats that have been identified by our systems, employees or otherwise made known to us by our third-party service providers, vendors and other external users, and to formulate the appropriate response to any identified material information and cybersecurity threats. When high-priority information or cybersecurity risks are identified, certain employees in our information security, privacy, technology, legal and compliance departments meet or communicate to review potential threats in accordance with our internal cybersecurity incident response process.
Potential threats, our response to such threats, and our evaluation of any residual risk are communicated quarterly to the audit committee. As necessary, the chief information and operations officer provides interim updates to the audit committee and, as appropriate, the board of directors, concerning high-priority or material information or cybersecurity threats. Our chief information and operations officer also provides a quarterly update to the audit committee regarding our ongoing information and cybersecurity initiatives; the current cybersecurity landscape and emerging threats; and metrics on the effectiveness of certain aspects of our information and cybersecurity program.
Employees, including representatives of management, conduct an annual cybersecurity incident response tabletop exercise to review our processes and procedures in the event of a material information or cybersecurity incident, including the process for assessing the materiality of an incident and communication of an incident to the audit committee and, as appropriate, the board of directors. In addition, to promote a company-wide culture of cybersecurity risk management, we conduct regular phishing email simulations and other kinds of preparedness training for employees to enhance awareness of and responsiveness to possible threats. We also require all employees to complete an annual cybersecurity and privacy awareness training.
We believe that we have implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, as well as controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
We are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to affect our company, including our business strategy, results of operations or financial condition. However, we cannot provide assurance that a future cybersecurity incident would not materially affect our business strategy, results of operations or financial condition. Additional information regarding risks related to cybersecurity is included under "Risk Factors" in Part I, Item 1A of this Form 10-K.