COHEN & STEERS, INC. - (CNS)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Cybersecurity is a crucial component of our enterprise risk management program. Like many companies, both we and our external providers have been subject to, and expect to continue to be subject to, a range of cybersecurity threats and risks. We have invested significant resources into cybersecurity and risk management processes to adjust to the continuing evolution in cybersecurity and respond to related threats.
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature and information relating to our clients and investments (Information Systems and Data).
Our cybersecurity risk management function is led by our Chief Information Security Officer (CISO) and Chief Technology Officer (CTO) and includes members of our Information Technology (IT) department and other personnel that oversee our information security and engineering operations. Input and guidance are also provided by members of our Legal and Compliance departments. Together, these employees (collectively referred to as members of our Cybersecurity Management) are primarily responsible for developing, implementing and monitoring our cybersecurity program and reporting on cybersecurity matters to senior management as well as our board of directors.
Members of our Cybersecurity Management identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company’s enterprise risk profile using various manual and automated tools as well as by: (i) utilizing shared information about vulnerabilities and exploits from various professional security organizations, reports or other services that identify cybersecurity threats and through the use of external intelligence feeds; (ii) analyzing reports of threats and actors; (iii) conducting scans of the Company’s threat environment; (iv) evaluating our and our industry’s risk profile; (v) evaluating threats that are reported to us; (vi) coordinating with law enforcement concerning threats; (vii) conducting internal and external audits of our information security control environment and operating effectiveness; and (viii) conducting threat assessments for internal and external threats, including through the use of third party threat assessments and vulnerability threat assessments.
Depending on the environment, we implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, but not limited to:
technical and physical safeguards: (i) systems monitoring, including anti-virus/anti-malware software for workstations and servers, reports about correlated events detected from server log reviews, desktop forensics software and suspicious firewall traffic, firewall logs and alerts from users about blocked websites, systems monitoring of Company websites, network monitoring software alerts and scheduled internal and external vulnerability scans; (ii) asset management tracking and disposal; (iii) incident detection and response; (iv) data encryption; (v) notification monitoring from Company personnel and from third parties regarding issues and signs of potential incidents; and (vi) access controls and network security controls; and
organizational safeguards: (i) incident response plans that address our response to a cybersecurity incident; (ii) personnel and vendors dedicated to overseeing the Company’s cybersecurity program; (iii) periodic mandatory employee cybersecurity training; (iv) periodic risk assessments and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents, such as audits, tabletop exercises, threat modeling and vulnerability testing; (v) policies and programs such as security standards, a vendor risk management program, a vulnerability management policy and disaster recovery and business continuity plans; and (vi) insurance coverage dedicated to losses resulting from cybersecurity incidents.
Cybersecurity risk management is integrated into the Company’s overall enterprise risk management (ERM) process. For example, (i) enterprise risk management-level cybersecurity risks are reviewed at least annually by our information technology security team; (ii) internal and external penetration tests are performed to identify any vulnerabilities and findings are risk ranked based on potential likelihood and impact; and (iii) members of Cybersecurity Management report on cybersecurity risk management and related matters to the board of directors and the audit committee, as part of their ongoing evaluation and oversight of overall enterprise risk.
Third-party service providers play a key role in our cybersecurity program. We use third-party service providers to assist us in identifying, assessing and monitoring material risks from cybersecurity threats, including through penetration testing, provision of threat intelligence and monitoring our environment 24 hours a day and seven days a week. We have currently engaged with professional services firms, including legal counsel, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers, penetration testing firms, dark web monitoring firms and cyber insurance brokers and providers. We report key findings of such assessments to our board of directors and the audit committee and we adjust our cybersecurity policies, standards, processes and practices as necessary based in part on information provided by these assessments and engagements.
We also use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies and supply chain resources. We maintain a risk-based approach to identifying and overseeing cybersecurity risks and vulnerabilities presented by our engagement of third parties, including key vendors, service providers and other external users of our information systems, as well as the information systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue and the identity of the provider, our vendor risk management program may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider. Our vendor risk management program may entail: (i) vendor risk assessments; (ii) security questionnaires; (iii) vendor audits; (iv) vulnerability scans relating to vendors; (v) security assessment calls with the vendor’s security personnel and our review of the vendor’s written security program, security assessments and other reports; (vi) provision from the vendor of a System and Organization Controls (SOC) 1 or SOC 2 report to evidence cybersecurity preparedness; and (vii) the imposition of contractual obligations on the vendor.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including under the caption “We could incur financial losses, reputational harm and regulatory penalties if we fail to implement effective information security policies and procedures.”
Governance
Our cybersecurity risk assessment and management processes are implemented and maintained by members of our Cybersecurity Management, including our CISO, CTO and our Head of IT Infrastructure.
Our CISO oversees the information security group and program within our IT department and holds a Bachelor of Arts degree in computer science. Our CISO has served in various roles in information technology for over 24 years within the financial services industry, including previously serving as Head of Information Security and Enterprise Infrastructure, Head of IT Audit and Chief Information Security Officer at other companies, and holds the Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC) certifications and is registered with FINRA for the Series 99.
Our CTO oversees our IT department and holds a PhD in computer science, an MBA and Postgraduate Diploma in physics. Our CTO has served in various roles in information technology for over 28 years, including senior leadership roles for the investment banking division of a financial services company.
Our Head of IT Infrastructure oversees the infrastructure and service desk departments within our IT department and holds a Bachelor of Business Administration degree in finance and computer information systems. Our Head of IT Infrastructure has served in various roles in information technology for over 20 years.
Members of our Cybersecurity Management, including our CISO and our CTO, are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy and communicating key priorities to relevant personnel. Members of our Cybersecurity Management, including our CISO and our CTO, are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes and reviewing security assessments and other security-related reports.
Our cybersecurity incident response plan is a key component of our cybersecurity program. The response plan is designed to report certain cybersecurity incidents to members of Cybersecurity Management, who then work with the Company’s incident response team to help the Company control, mitigate and remediate cybersecurity incidents of which they are notified. In addition, the response plan includes prompt reporting to the board of directors (or audit committee) of certain cybersecurity incidents and of the company’s materiality and disclosure determinations relating thereto.
The audit committee and board of directors actively participate in discussions regarding cybersecurity risk exposures and steps taken by management to monitor and mitigate such risks, further to their responsibility to manage, oversee and remain informed about the most significant risks to the Company and align our risk exposure with our strategic and business objectives. At least annually, the audit committee reviews with our CTO the Company’s cybersecurity program, including the robustness and efficacy of the Company’s overall cybersecurity program, steps taken to enhance defenses and security measures in place and our established plans to identify, detect and respond to threats we may encounter. The audit committee also annually reviews and discusses with management the ERM process and annual risk assessment, as well as the Company’s cyber insurance coverage and annual SOC-1 report provided by an independent services firm. More frequently, the audit committee and board of directors receive reports and communications from our CTO and our Chief Operating Officer regarding material risks and specific developments related to the changing cybersecurity landscape and the Company’s operating, technology and control environment. Such reports may cover topics such as: recent investments made in our cyber infrastructure; the undertaking of new technology projects and initiatives; vulnerability assessments and key findings from external cyber experts retained by the Company; the impact of new cybersecurity-related rules and regulations; changes in the threat environment including new and emergent risks; and evolving information security standards and market practices including with respect to peers and third parties.