Lazard, Inc. - (LAZ)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Our business is highly dependent on electronic information resources used for the collection, processing, maintenance, use, sharing, dissemination, or disposition of our and our clients’ information, which we refer to as “information systems”, including our computer systems, hardware, software and networks and those of our third-party vendors and service providers. Our operations rely on the secure processing, storage and transmission of confidential and other information by our information systems and those of third parties.
Lazard maintains a formal, robust cybersecurity and information security program that is aligned with the National Institute of Standards and Technology Cybersecurity Framework (“CSF”) and integrated into our overall risk management process. Our Information Security Program, Policies and Standards are also designed to comply with the financial regulations and cybersecurity laws in the jurisdictions in which we operate. By focusing on the following four interconnected pillars, we aim to reduce the impact of cybersecurity incidents, safeguard our digital assets and foster a proactive and comprehensive approach to cybersecurity within our organization.

Risk assessments and mitigation strategies
- Conduct regular risk assessments to identify and prioritize critical assets and vulnerabilities, both internally and with respect to third-party risks.
- Develop and implement appropriate mitigation strategies based on risk assessments.
- Monitor and evaluate the effectiveness of risk mitigation measures.

Professional cybersecurity staff
- Retain and recruit skilled cybersecurity professionals.
- Provide regular training and development opportunities.
- Foster collaboration and knowledge sharing among cybersecurity team members.

Security-aware organizational culture
- Maintain policies and procedures for reporting and responding to cybersecurity incidents.
- Empower employees to take ownership of their cybersecurity responsibilities.
- Promote a security-aware culture throughout the organization through regular training and awareness programs.

Security technology
- Implement and maintain robust cybersecurity technologies, including advanced threat detection, prevention and response tools.
- Regularly evaluate and update our suite of cybersecurity technology to address emerging threats and vulnerabilities.
- Integrate cybersecurity technologies with other systems and processes.

Third-Party Monitoring and External Reviews
As noted above, our business regularly uses and relies on third-party information systems and services to process, store and transmit confidential and other information. To support our cybersecurity oversight of third-party information technology providers, we have integrated automated processes to manage third-party cloud security. We also use an enterprise-wide third-party technology provider to assist in our identification and assessment of cybersecurity risks to the Company presented by third parties, and our contracts are vetted by our internal legal and compliance departments as part of a process designed to ensure that we are provided the right to audit and test the security and quality of each of our vendors. As part of our screening and evaluation processes, we conduct due diligence on our potential vendors, as well as regular assessments of current vendors, regarding compliance with law (including financial regulations, sanctions regimes and data privacy regulations) and cybersecurity standards, including background checks and system tests.

Our Chief Information Security Officer (“CISO”) regularly engages independent third parties to assess the performance of our cybersecurity risk management systems and procedures and to help test and identify cybersecurity risks to the Company. Annually, we engage an independent third party to perform a comprehensive review of our cybersecurity programs, with the aim of ensuring alignment with the current version of the CSF. In addition, we engage several other third parties at regular intervals for targeted assessments of specific cybersecurity risk management systems, tools, vendors and processes. Among other things, tests include simulations of communications shared with affected stakeholders on security events and identification of vulnerabilities. These third-party audits and assessments are used by management to review, update and improve our cybersecurity risk management systems and identify vulnerabilities. Results and recommendations are reported to our CISO, who reports to our General Counsel. Material findings are presented to the Global Risk Committee (“GRC”), Audit Committee and the full Board as discussed below.
Cybersecurity Management Team and Board Oversight
Lazard’s cybersecurity program, which includes information security, is the primary responsibility of our CISO, who oversees our global information security strategy and program and is supported by our Information Technology and Information Security departments. The Company’s current CISO has held the position since 2015 and has been working in technology risk management since 1991. The CISO holds a bachelor’s degree from New York Institute of Technology and is an accredited Certified Information Systems Security Professional. Our CISO leads our Cybersecurity Incident Handling Team (“CSIHT”), to which cybersecurity threats and cybersecurity incidents are reported. The CSIHT manages the Company’s response to cybersecurity threats and cybersecurity incidents, including the prevention, detection, analysis, containment, eradication and recovery thereof.
The CISO reports monthly to the GRC, which includes our Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”) and General Counsel, among other members of senior management, regarding cybersecurity incidents from the preceding month.
Our Internal Audit department regularly assesses and reports to the Audit Committee on the effectiveness of our cybersecurity and information technology controls. Our Audit Committee reviews the Company’s cybersecurity risk profile and risk management strategies at regular intervals. Our CFO reviews with the Audit Committee categories of risk the Company faces, including cybersecurity risks, as well as the likelihood of the occurrence of cybersecurity risks, the potential impact of those risks and the steps management has taken to monitor, mitigate and control such risks. In addition, our CISO reports at least annually to the Board, and at least quarterly to the Board’s Audit Committee, with respect to cybersecurity risks, including those identified through review of our business, of rising threats in the industry, and of the current state of Lazard’s cybersecurity program. Updates on cybersecurity risks are reviewed at regular meetings of the Audit Committee and reported to the full Board.
Incident Response and Assessment Policies and Procedures
Lazard has implemented policies and procedures to protect the firm from any interruptions to the availability of our data and our systems and to protect the firm’s and our clients’ data from intentional and unintentional disclosure, including disclosure arising from a range of cybersecurity threats. These policies and procedures outline actions to be taken after identifying suspected cybersecurity threats and cybersecurity incidents and designate the persons responsible for managing those actions.
Our disclosure controls and procedures provide for the CSIHT to report high severity cybersecurity incidents to an Assessment Committee, consisting of our CFO, CISO and General Counsel, among others, for an assessment of materiality. The Assessment Committee in consultation with third-party experts, as warranted, makes the incident materiality determination consistent with SEC guidance and by considering relevant quantitative and qualitative factors, including without limitation:
- the probability of an adverse outcome;
- the potential impact on financial results;
- the likelihood of litigation or regulatory investigations; and
- the potential impact on the Company’s reputation and competitiveness.
A determination that a cybersecurity incident has, or is reasonably likely to have, a material impact on the Company is reported by the Assessment Committee to the CEO and the Board’s Audit Committee without delay. The Assessment Committee also provides a summary of all incidents that are determined to be immaterial to the Board’s Audit Committee at the next scheduled meeting.

For additional information regarding how cybersecurity threats or incidents are reasonably likely to materially affect our business strategy, results of operations or financial condition, see “Risk Factors—A failure in or breach of our information systems or infrastructure, or those of third parties with which we do business, including as a result of cybersecurity incidents or threats, could disrupt our businesses, lead to reputational harm and legal liability or otherwise impact our ability to operate our business” and “Risk Factors—Other operational risks may disrupt our businesses, result in regulatory action against us or limit our growth.”