Perella Weinberg Partners - (PWP)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We strive to protect the reputation of our Company by establishing, protecting and defending our data and information systems in a number of ways through a combination of processes, tools, and awareness-building. We aim to adhere to the best practices outlined in the National Institute of Standards and Technology and International Organization for Standardization frameworks, and our policies and procedures in managing personally identifiable information are in compliance with General Data Protection Regulation requirements.
As part of our processes for assessing, identifying and managing material risks from cybersecurity threats, we maintain an ongoing process to enhance security and optimize our IT systems, and regularly conduct security assessments and testing of our systems to verify our systems’ integrity to protect them against being compromised from both internal and external sources. We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities and test those systems pursuant to our cybersecurity processes and practices. To protect our information systems from cybersecurity threats, we use various security tools that help us identify, escalate, investigate, resolve and recover from security incidents in a timely manner. These efforts include using monitoring tools and services to address the confidentiality, integrity, and availability of our assets and data. Regular internal and third-party reviews are performed on our processes and technologies to help validate the effectiveness of our privacy and data security controls. These safeguards include employing firewalls, intrusion prevention and detection systems, and access controls, which are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.
We monitor industry best practices and developments in data privacy and security, including increased scrutiny of third-party service providers with access to sensitive data. We prioritize a robust due diligence program for key third-party service providers, utilizing a comprehensive due diligence questionnaire to evaluate potential risks before establishing formal partnerships. This in-depth approach applies to all vendors with access to our sensitive systems or data. Ongoing assessments are customized based on each provider’s risk profile, with heightened scrutiny applied to new engagements and high-risk relationships. Existing vendors are subject to periodic reevaluations according to a predetermined schedule, with increased frequency for those deemed higher risk.
Information technology risks and controls are regularly assessed as part of our overall self-assessment program, which includes working with a third-party organization that regularly tests controls. Observations and outcomes from these self-assessments help drive our internal risk management decision making. Our management and compliance and information technology professionals, including our Chief Information Officer (“CIO”), are responsible for the maintenance and enforcement of our cybersecurity and information security policies and procedures. In addition, members of the cybersecurity and information security teams maintain CISSP industry certifications. We also have organizational charts in place to communicate key areas of authority, responsibility, and lines of reporting to personnel related to the design, implementation, operation, maintenance, and monitoring of our cybersecurity environment.
We also have a security incident response plan, with defined roles and responsibilities that are intended to address notification obligations and incident response procedures in the event of a data security breach. We are dedicated to business continuity and resiliency and have strategies, policies, and procedures in place that are designed to protect employee, business, and client data in the event of an emergency or natural disaster.
In addition to identifying information security risks, we have established robust controls to seek to reduce or mitigate such risks. Cybersecurity training for employees is conducted regularly and we maintain system logs of user activities, exceptions, and security events for a period consistent with industry best practices, unless otherwise required by law, regulation or contractual obligation. We employ rigorous measures to appropriately handle and protect sensitive and confidential data, particularly in light of increased use of remote access technology. We take precautionary measures to minimize, to the extent possible, the use of personally identifiable information and the electronic or courier-based transmission of sensitive and confidential data, relying instead on approved and secured digital data transfer services, which are designed to provide tightly controlled and selective access to such information. We have mechanisms in place to help ensure that our data is secured when at-rest or in-transit, and industry standard encryption is used to the maximum extent possible. We also take steps to help ensure our ability to restore data in the event of data failure, corruption, accidental deletion, or malicious tampering.
To date, cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, and are not reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. Refer to the risk factor captioned “Our business is subject to various cybersecurity and other operational risks” in Part I, Item 1A. “Risk Factors” for an additional description of cybersecurity risks and potential related impacts on the Company.
Governance
Our audit committee of the board of directors is responsible for overseeing the guidelines and policies governing the process by which the Company assesses and manages our exposure to risk, including cybersecurity risk, as well as any major litigation, regulatory, financial and reputational risk exposures and the steps management has taken to monitor and control such exposures. This oversight is achieved through a combination of periodic management reports, focused briefings on emerging cyber threats and vulnerabilities, updates on implemented mitigation strategies and periodic reviews of incident response plans.
We take a risk-based approach to cybersecurity and have implemented cybersecurity policies throughout our operations that are designed to address cybersecurity threats and incidents. Our dedicated Information Security Team is responsible for identifying, assessing, detecting, and responding to any threats and vulnerabilities. The team routinely collects and processes information from a variety of sources, including from media reporting, commercial threat intelligence providers (FSARC, FS-ISAC), the Federal Bureau of Investigation and other government and law enforcement agencies. The team provides ongoing global mitigation of known cybersecurity threats to help ensure that our data and systems are protected.