WisdomTree, Inc. - (WT)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

Under the oversight of our Board of Directors, we have implemented and maintain cybersecurity risk management policies and procedures that include processes for the identification, assessment and treatment through mitigation, transfer, avoidance and/or acceptance of cybersecurity risks.

Our cybersecurity risk management policies and procedures are informed by industry standards, and they are designed to address cybersecurity risks identified by external auditors and assessors, threat intelligence providers, internal stakeholders, vulnerability management programs and security management programs. Our team of information technology and cybersecurity professionals, led by our Chief Information Officer, or CIO, manages and maintains remediation strategies for identified cybersecurity risks and regularly reports on such risks to senior management, including our Governance Committee as described below.

Our cybersecurity risk management program is designed to be aligned with our business strategy. It shares common methodologies, reporting channels and governance processes that apply to other areas of enterprise risk, including legal, compliance, strategic, operational and financial risk. Key elements of our cybersecurity risk management program include:

• periodic risk assessments designed to help identify cybersecurity risks to our critical systems, information, products, services and our broader enterprise information technology environment;

• a security and infrastructure team principally responsible for managing our cybersecurity risk assessment processes, our security controls and our response to cybersecurity incidents;

• the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;

• employee training and awareness programs that include periodic and ongoing assessments in an effort to drive adoption and awareness of cybersecurity processes and controls;

• a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and

• processes to evaluate cybersecurity risks posed by critical third-party vendors, including through the use of security questionnaires.

Additionally, as a public company, we are subject to Sarbanes-Oxley (SOX) requirements and must undergo independent audits of Information Technology General Controls (ITGC) in support of Internal Control over Financial Reporting (ICFR). These audits assess key information security and cybersecurity risks in the environment that may affect the confidentiality, integrity and availability of financial reporting systems and data. If any control deficiencies that represent material cybersecurity risks were identified, those would be reported to the Audit Committee, and the results of these evaluations would be considered in the overall audit opinion for the Company.

Governance Related to Cybersecurity Risks

Our cybersecurity risk management program and related operations and processes are directed by our CIO. Currently, the CIO role is held by an individual who has been in the role for over nine years, has over 22 years of cybersecurity, information technology and systems engineering experience, and has advanced training in the field of technology.

The CIO is a member of our Governance Committee and regularly reports on cybersecurity risk management to other members of the Governance Committee comprised of the Company’s senior executive officers. The Governance Committee oversees the prioritization and escalation of risks from cybersecurity threats and is responsible for strategy, operations, financial management, information technology, compliance, legal, administration and corporate governance. The members of the Governance Committee collectively possess experience in these areas, including cybersecurity and risk management.

The Audit Committee oversees our management of cybersecurity risks. Pursuant to the Audit Committee charter, the Audit Committee is responsible for discussing cybersecurity-related risks with management and the steps management has taken to monitor and control such risks, including our risk assessment and risk management policies. The CIO regularly reports to the Audit Committee on our cybersecurity risks, and the chair of the Audit Committee reports on these discussions with the full Board of Directors. In addition, the CIO provides periodic reports to our Board of Directors.

While we have not, as of the date of this Report, experienced a cybersecurity incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. For information regarding cybersecurity risks that may materially affect our Company, see “Item 1A. Risk Factors” included in this Report.