BlackRock Inc. - (BLK)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

BlackRock recognizes the importance of identifying, assessing, and managing material risks associated with cybersecurity threats. Cybersecurity represents an important component of the Company’s approach to enterprise risk management (“ERM”). The Company leverages a multi-lines-of-defense model with cybersecurity operational processes executed by global information security and other teams across the firm and dedicated internal audit technology and technology risk management (“TRM”) teams that independently review technology risks. The Company’s cybersecurity program is fully integrated into its ERM framework and is aligned with recognized frameworks, including NIST CSF, FFIEC CAT, FedRAMP, SOC 1/2, ISO 27001/2 and others. BlackRock aims to inform and continuously improve its cybersecurity program through engagement with regulatory, client, insurer, vendor, partner, peer, government and industry organizations and associations, as well as external audit, technology risk, information security and other assessments.

BlackRock seeks to address cybersecurity risks through a global, multilayered strategy of control programs that is designed to preserve the confidentiality, integrity and availability of the information that BlackRock collects and stores by identifying, preventing and mitigating cybersecurity threats and incidents. As one of the critical elements of the Company’s overall ERM framework, BlackRock’s cybersecurity program is focused on the following key areas:

Governance: As discussed in more detail under the heading “Cybersecurity Governance” below, the Board’s oversight of cybersecurity risk management is supported by the Risk Committee, which regularly interacts with the Company’s risk management function, the Company’s Chief Risk Officer (“CRO”) and Chief Information Security Officer (“CISO”), along with other members of management. In addition, technology and cybersecurity risks are formally overseen by a dedicated management risk governance committee, the Technology Risk and Cybersecurity Committee (“TRCC”), which is a sub-committee of the firmwide Enterprise Risk Committee (“ERC”).
Cross-Functional Approach: The Company has implemented a global, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing layered preventative, detective, reactive and recovery controls to identify and manage cybersecurity risks.
Safeguards: The Company deploys a range of people, process and technical controls that are designed to protect the Company’s information systems from cybersecurity threats, which may include, among others: physical security controls; perimeter controls, including technical assessments, firewalls, network segregation, intrusion detection and prevention; tabletop exercises; ongoing vulnerability and patch management; vendor due diligence; multi-factor authentication; device encryption; application security, code testing and penetration testing; endpoint security, including anti-malware protection, threat intel and response, managed detection and response, security configuration management, portable storage device lockdown, and restricted administrative privileges; employee awareness, training, and phishing testing; data loss prevention program and monitoring; information security incident reporting and monitoring; and layered and comprehensive access controls.
Incident Response and Recovery Planning: The Company has established and maintains incident response and recovery plans that address the Company’s response to a cybersecurity incident, including processes designed to assess, escalate, contain, investigate and remediate the incident, as well as to comply with applicable legal obligations and mitigate potential reputational damage. Such plans are evaluated on a periodic basis.
Third-Party Risk Management: The Company maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, counterparties and clients, as well as the systems of third parties that could significantly and adversely impact the Company’s business in the event of a cybersecurity incident affecting those third-party systems. Operational incidents can arise as a result of failures by third parties with which the Company does business, such as failures by internet, communication technology and cloud service providers or other vendors to adequately follow processes and procedures, safeguard their systems or prevent system disruptions or cyber-attacks. Third-party risks are included within BlackRock’s ERM framework, and risk identification and mitigation are supported by the Company’s cybersecurity program. BlackRock also performs diligence on certain third parties and monitors cybersecurity threats and risks identified through such diligence.
Education and Awareness: The Company’s employees and contractors are required to complete an annual information security training to equip them with effective tools to address cybersecurity threats, and receive communications on the Company’s evolving information security policies and procedures.

The Company’s global information security team, in collaboration with the technology risk and internal audit teams, engages in the periodic assessment and testing of the Company’s cyber risks and cybersecurity program. These efforts may include a wide range of activities, including audits, assessments, wargames and “tabletop” exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of the Company's cybersecurity measures and planning. BlackRock also participates in financial services industry and government forums in an effort to improve both internal and sector cybersecurity defense. The Company regularly engages third parties and advisors to assess its cybersecurity control environment. The results of certain program and control assessments are reported to the Risk Committee, and BlackRock adjusts its cybersecurity program as appropriate based on the information provided by these assessments.

As of December 31, 2023, BlackRock is not aware of any cybersecurity risks that have materially affected or are reasonably likely to materially affect BlackRock’s business strategy, results of operations, or financial condition. For additional information on whether and how risks from cybersecurity threats are reasonably likely to materially affect BlackRock, see “A cyber-attack or a failure to implement effective information and cybersecurity policies, procedures and capabilities could disrupt operations and lead to financial losses and reputational harm, which may cause BlackRock’s AUM, revenue and earnings to decline.” under Part I, Item 1A, Risk Factors herein.

34

 

Cybersecurity Governance

BlackRock’s Board of Directors is actively engaged in the oversight of BlackRock’s risk management program. The Risk Committee assists the Board with its oversight of the Company’s levels of risk, risk assessment, risk management and related policies and processes, including risks arising from cybersecurity threats. The Risk Committee receives regular reports on the Company’s cybersecurity program, technology resilience risk management and related developments from members of the Company's information security team, including the CISO. The Board and the Risk Committee also receive information regarding cybersecurity incidents that meet certain reporting thresholds. On an annual basis, senior members of BlackRock’s technology, risk and information security teams provide a comprehensive overview of BlackRock’s cyber risk and related programs to a joint session of the Board’s Risk and Audit Committees.

Technology and cybersecurity risks at BlackRock are also overseen by the TRCC, a dedicated management risk governance committee and sub-committee of the firmwide ERC. The chair of the TRCC is appointed by the head of Enterprise Risk Management at the Company and its members include the CISO as well as a broad range of senior business stakeholders across BlackRock. The TRCC is responsible for oversight of BlackRock’s technology and cybersecurity risk management practices and helps ensure that technology and cybersecurity risks remain within firmwide risk tolerances and technology and cybersecurity risk issues are escalated as appropriate to the ERC and other committees. The TRCC also reviews any relevant technology and cybersecurity risk related issues and helps ensure that they are appropriately escalated, reported, and remediated.

BlackRock’s cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by the Company’s CISO. As of December 31, 2023, the CISO had over 30 years of experience in information technology with a 25-year concentration in information security, including previously serving as the CISO at several global financial institutions. He also holds the Certified Information Systems Security Professional certification. The CISO works closely with the leadership team and other subject matter experts in the global cybersecurity group, who collectively have extensive prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and overseeing cybersecurity controls in technology risk and audit functions, as well as having relevant degrees and industry-leading certifications.

The CISO and members of the TRCC monitor the prevention, detection, mitigation and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management processes described above, including the operation of BlackRock’s incident response plan.

Back SEC Filing