FEDERATED HERMES, INC. - (FHI)
10-K Filing Date: February 23, 2024
ITEM 1C – CYBERSECURITY
The operating systems of Federated Hermes, and its offerings, customers, shareholders, and service providers are dependent on the effectiveness of information security policies and procedures (both at Federated Hermes and at third parties, such as its service providers) which seek to ensure that such systems are protected from cybersecurity incidents. Federated Hermes has established a robust cybersecurity program aimed at assessing, identifying and managing material risks from cybersecurity threats.
Federated Hermes’ board of directors has ultimate oversight responsibility for cybersecurity risks and threats. Federated Hermes’ Audit Committee assists its board of directors in monitoring cybersecurity risks and threats. Federated Hermes’ board of directors and Audit Committee receive reports on cybersecurity matters on a periodic (generally quarterly) basis (and more frequently when circumstances warrant) as part of risk management oversight responsibilities. For instance, in 2023, Federated Hermes’ Chief Information Officer (CIO) reported to Federated Hermes’ board of directors one time and its Audit Committee three times regarding cybersecurity risks and threats. The Audit Committee also receives reports from Federated Hermes’ internal auditors, legal counsel and other responsible officers regarding cybersecurity topics and trends. The Federated Hermes Chief Risk Officer (CRO) also reports directly to the Compliance Committee of Federated Hermes’ board of directors on a quarterly basis and Federated Hermes’ full board of directors as appropriate on significant enterprise risks, including cybersecurity risks.
Federated Hermes’ Global Technology Organization (GTO), which is headed by Federated Hermes’ CIO, has a dedicated Information Security Group (ISG) responsible for day-to-day oversight of the cybersecurity program. The ISG, which is headed by Federated Hermes’ Chief Information Security Officer (CISO), coordinates cybersecurity activities with Federated Hermes’ business functions and third-party service providers. The ISG also oversees and coordinates cybersecurity efforts with counterparts at FHL. Federated Hermes’ Information Security and Data Governance Committee (ISDG) provides executive management oversight of the ISG and Federated Hermes’ cybersecurity program. Federated Hermes’ Chief Compliance Officer (CCO), CRO and General Counsel, as well as Federated Hermes’ CIO, CISO, Chief Financial Officer, and other senior members of Federated Hermes’ management, are members of, and Federated Hermes’ Chief Audit Executive attends meetings of, the ISDG.
The ISDG’s primary functions are to: (1) serve as a governing body to support Federated Hermes’ cybersecurity, information security and data governance practices and efforts; (2) address cybersecurity and information security matters and data governance matters critical to Federated Hermes, including risks; (3) oversee written policies and procedures reasonably designed to (a) comply with applicable legal requirements, and (b) maintain appropriate cybersecurity, information security and data governance practices; (4) promote evaluation of Federated Hermes’ strategies for cybersecurity, information security and data governance against industry practices and applicable regulatory requirements and guidance; and (5) serve as a liaison for discussions concerning cybersecurity, information security and data governance with various Federated Hermes committees or governing bodies, management, and Federated Hermes’ board of directors. The ISDG receives updates quarterly on relevant cybersecurity and data governance matters, such as recent cybersecurity matters, phishing test results, cybersecurity training, GTO and ISG staffing, FHL’s cybersecurity program, regulatory developments, and enterprise data governance and strategy.
Federated Hermes’ Enterprise-Wide Risk Management Committee (ERC), which is chaired by Federated Hermes’ CRO, oversees Federated Hermes’ company-wide enterprise risk management program. The ERC includes department heads from across Federated Hermes and implements the processes established to identify, report and monitor material risks facing the Company, including cybersecurity risks.
Federated Hermes maintains a written cybersecurity program protocol, along with ancillary policies and procedures, which set forth the key features of the cybersecurity program. These policies and procedures strive to reflect what Federated Hermes believes are best practices for assessing, identifying and managing cybersecurity risks and are reviewed and updated on a regular basis.
Under Federated Hermes’ cybersecurity program, Federated Hermes conducts regular threat identification and assessment exercises. Some of these exercises involve the use of third-party cybersecurity experts, who assist with, among other things, system penetration testing and system design. Information gained from such exercises is used to develop and refine protective and detective strategies and tactics. Federated Hermes’ information systems and assets are also monitored to identify cybersecurity incidents and verify the effectiveness of existing protective measures. New protective measures are deployed from time to time as threats evolve. Some of the measures employed by Federated Hermes to mitigate cybersecurity risk include, among others, use of firewalls, system segmentation, system monitoring, virus scanning, and periodic penetration and phishing testing. Federated Hermes’ cybersecurity program also includes a detailed incident response plan for responding to cybersecurity threats. Federated Hermes’ cybersecurity program also requires periodic training of employees on cybersecurity threats, including phishing, and cybersecurity awareness campaigns.
Federated Hermes’ third-party service providers are a potential source of cybersecurity threats. Among other service provider management efforts, Federated Hermes conducts due diligence on key service providers relating to cybersecurity. Due diligence consists of reviewing several key data points regarding service providers. These include, but are not limited to, the business processes the service provider will provide, the sensitivity of the data they will store, process, transmit or access, and network connectivity with the service provider. Using these criteria, Federated Hermes categorizes the service provider into a tiered structure. The tiering defines the requirements for conducting the initial and ongoing due diligence.
Federated Hermes’ CIO has nearly 30 years of technology experience. Prior to assuming his current role in 2016, Federated Hermes’ CIO served in senior technology roles with a large U.S. financial institution for over a decade where he, among other things, served as chief information officer for the asset management and investments businesses and gained deep experience managing cybersecurity risks and threats. He holds a Bachelor of Science (BS) in Electrical Engineering from the University of Pittsburgh, a Master of Science (MS) in Engineering from Youngstown State University, and a Master of Business Administration (MBA) from Carnegie Mellon University.
Federated Hermes’ CISO has nearly 20 years of technology experience, including deep experience in cybersecurity risk management. Prior to assuming his current role in 2020, Federated Hermes’ CISO served as information security officer and director of technology for a large publicly traded travel center company and, prior to that, as information security officer for a leading retail chain. He holds a BS in Accounting and Finance and an MBA from Robert Morris University.
As of December 31, 2023, cybersecurity incidents and threats have not had a material adverse effect on Federated Hermes’ Financial Condition. See Item 1A - Risk Factors - General Risk Factors - Operations-Related Risks - Systems, Technology and Cybersecurity Risks for additional information regarding the cybersecurity risks to Federated Hermes’ business, offerings, customers, shareholders, and service providers.