MARKETAXESS HOLDINGS INC - (MKTX)
10-K Filing Date: February 22, 2024
As a global technology company, and the provider of electronic trading platforms and solutions for fixed-income and other securities, we view cybersecurity as fundamental to our business. Accordingly, we aim to appropriately secure all of our business operations, including information that we generate in the performance of our services, and data provided to us by third parties, including clients, vendors, business partners and employees.
Risk Management and Strategy
The Company has adopted an Enterprise Risk and Resilience Framework (the “ERRF”) to identify, assess, monitor, and control the Company’s risks, including cybersecurity risks. Our Chief Risk Officer (the “CRO”) is responsible for implementing and executing the ERRF. The Company’s information security team is staffed with skilled professionals who manage the safeguarding of our information and is led by our Chief Information Security Officer (the “CISO”). This team is responsible for aligning our practices with the requirements of local regulations and the voluntary standards to which we strive to adhere, such as ISO/IEC 27001 and the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The CISO reports directly to our Chief Information Officer (the “CIO”) and CRO. The CIO is responsible for designing and executing the Company’s technology strategy, which includes overseeing the Company’s cybersecurity strategy.
The Company’s cybersecurity policies, standards, processes and practices are fully integrated into the Company’s ERRF and are based on recognized frameworks established by NIST, the International Organization for Standardization and other applicable industry standards. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, integrity and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
As one of the critical elements of the Company’s overall ERRF approach, the Company’s cybersecurity program is focused on the following key areas:
We periodically assess and test our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported, as appropriate, to the Risk Committee, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.
We experience cybersecurity threats and incidents from time to time. However, as of the date of this report, we have not experienced a cybersecurity threat or incident that has materially affected the Company in at least the last three years. While we are not currently aware of any risks from cybersecurity threats that are reasonably likely to materially affect the Company, please see Part I, Item 1A. – “Risk Factors – Malicious cyber-attacks, attempted cybersecurity breaches, and other adverse events affecting our operational systems or infrastructure, or those of third parties, could disrupt our businesses, result in the disclosure of confidential information, damage our reputation and cause losses or regulatory penalties.”
The Board’s Oversight of Cybersecurity Risk
The Board recognizes the critical importance of maintaining the trust and confidence of our clients, business partners and employees. The Board is actively involved in oversight of the Company’s ERRF, and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management. The Board is responsible for overseeing the Company’s risk management processes over the short-, medium- and long-term by staying informed of the Company’s material risks and evaluating whether management has reasonable controls in place to address such material risks. As part of its oversight responsibilities, the Board dedicates meaningful time and attention to oversight of cybersecurity risk. The Board is not responsible, however, for defining or managing the Company’s various risks. See “Management’s Involvement in Cybersecurity Risk Oversight” below.
The Board and its committees oversee risk through regular reports from management. The Board’s committees report on the matters discussed at the committee level to the full Board. The Risk Committee has primary responsibility for cybersecurity oversight. In that capacity, the Risk Committee receives quarterly presentations and reports, as well as additional reports as needed, on cybersecurity risks. Such reports address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties. The Board and the Risk Committee also receive prompt and timely information regarding any cybersecurity incident that meets established internal escalation thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Management’s Involvement in Cybersecurity Risk Oversight
The CISO, in coordination with the Information Security Management System Committee, which includes our Chief Executive Officer and Interim Chief Financial Officer (“CEO”), CIO, CRO and General Counsel & Corporate Secretary (the “GC”), works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and the Information Security Management System Committee monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the Risk Committee and/or the full Board when appropriate.
The CISO has served in various roles in information technology and information security for over 30 years, including previously serving as the Deputy Chief Information Security Officer of a large European banking group. The CISO holds the Certified Information Systems Security Professional (CISSP) certification. The CIO holds undergraduate and master’s degrees in computer science and has served in various roles in information technology for over 25 years. The Company’s CRO holds an undergraduate degree and has over 25 years of experience managing risks, including risks arising from cybersecurity threats.
The Company is ISO/IEC 27001:2013 certified; ISO/IEC 27001 is the global standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system. Additionally, an independent service auditor has examined our controls and issued SOC 2 Type 1 and Type 2 reports.