MARKETAXESS HOLDINGS INC - (MKTX)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity

As a global technology company, and the provider of electronic trading platforms and solutions for fixed-income and other securities, we view cybersecurity as fundamental to our business. Accordingly, we aim to appropriately secure all of our business operations, including information that we generate in the performance of our services, and data provided to us by third parties, including clients, vendors, business partners and employees.

Risk Management and Strategy

The Company has adopted an Enterprise Risk and Resilience Framework (the “ERRF”) to identify, assess, monitor, and control the Company’s risks, including cybersecurity risks. Our Chief Risk Officer (the “CRO”) is responsible for implementing and executing the ERRF. The Company’s information security team is staffed with skilled professionals who manage the safeguarding of our information and is led by our Chief Information Security Officer (the “CISO”). This team is responsible for aligning our practices with the requirements of local regulations and the voluntary standards to which we strive to adhere, such as ISO/IEC 27001 and the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The CISO reports directly to our Chief Information Officer (the “CIO”) and CRO. The CIO is responsible for designing and executing the Company’s technology strategy, which includes overseeing the Company’s cybersecurity strategy.

The Company’s cybersecurity policies, standards, processes and practices are fully integrated into the Company’s ERRF and are based on recognized frameworks established by NIST, the International Organization for Standardization and other applicable industry standards. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, integrity and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

As one of the critical elements of the Company’s overall ERRF approach, the Company’s cybersecurity program is focused on the following key areas:

Governance: As discussed below in more detail under the heading “The Board’s Oversight of Cybersecurity Risk,” the Board’s oversight of cybersecurity risk management is supported by the Risk Committee of the Board (the “Risk Committee”), which regularly interacts with the Company’s CRO, CIO, CISO and other members of management.
Collaborative Approach: The Company has implemented a comprehensive, cross-functional approach to identification, protection, detection, response and recovery from cybersecurity threats and incidents, while also implementing controls and procedures that are designed to provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
Incident Response and Recovery Planning: The Company has established and maintains its Information Security Incident Management Policy that addresses the Company’s response to a cybersecurity incident, and such policy is tested and evaluated on a regular basis. The policy applies to all full- and part-time employees and contractors. The goal of the policy is to restore normal service operation as quickly as possible following an event, provide timely and accurate information to relevant stakeholders regarding such an event, as appropriate, and minimize the impact of such an event on our business operations. The policy is designed to ensure that we are meeting both our contractual and regulatory requirements related to cybersecurity events.
Data Collection, Use, Processing and Monitoring: The Company maintains robust policies and procedures relating to our data collection, use and processing activities as well as mechanisms for monitoring our data systems and usage. We do not have retail clients and any gathering and maintaining of individual consumer data is very limited. We seek to maintain compliance with global data protection laws, including the EU General Data Protection Regulation (the “GDPR”), the UK Data Protection regime and the California Consumer Privacy Act (the “CCPA”), in the countries in which we operate, and meet our contractual commitments to our clients.

Third-Party Risk Management: The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
Education and Awareness: The Company provides regular, mandatory training for personnel regarding cybersecurity threats as a means to equip the Company’s personnel with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes and practices. In addition, the Company provides regular, mandatory training for personnel regarding key data privacy laws and the appropriate collection, use, and storage of data.

We periodically assess and test our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported, as appropriate, to the Risk Committee, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

We experience cybersecurity threats and incidents from time to time. However, as of the date of this report, we have not experienced a cybersecurity threat or incident that has materially affected the Company in at least the last three years. While we are not currently aware of any risks from cybersecurity threats that are reasonably likely to materially affect the Company, please see Part I, Item 1A. – “Risk Factors – Malicious cyber-attacks, attempted cybersecurity breaches, and other adverse events affecting our operational systems or infrastructure, or those of third parties, could disrupt our businesses, result in the disclosure of confidential information, damage our reputation and cause losses or regulatory penalties.”

The Board’s Oversight of Cybersecurity Risk

The Board recognizes the critical importance of maintaining the trust and confidence of our clients, business partners and employees. The Board is actively involved in oversight of the Company’s ERRF, and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management. The Board is responsible for overseeing the Company’s risk management processes over the short-, medium- and long-term by staying informed of the Company’s material risks and evaluating whether management has reasonable controls in place to address such material risks. As part of its oversight responsibilities, the Board dedicates meaningful time and attention to oversight of cybersecurity risk. The Board is not responsible, however, for defining or managing the Company’s various risks. See “Management’s Involvement in Cybersecurity Risk Oversight” below.

The Board and its committees oversee risk through regular reports from management. The Board’s committees report on the matters discussed at the committee level to the full Board. The Risk Committee has primary responsibility for cybersecurity oversight. In that capacity, the Risk Committee receives quarterly presentations and reports, as well as additional reports as needed, on cybersecurity risks. Such reports address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties. The Board and the Risk Committee also receive prompt and timely information regarding any cybersecurity incident that meets established internal escalation thresholds, as well as ongoing updates regarding any such incident until it has been addressed.

Management’s Involvement in Cybersecurity Risk Oversight

The CISO, in coordination with the Information Security Management System Committee, which includes our Chief Executive Officer and Interim Chief Financial Officer (“CEO”), CIO, CRO and General Counsel & Corporate Secretary (the “GC”), works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and the Information Security Management System Committee monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the Risk Committee and/or the full Board when appropriate.

The CISO has served in various roles in information technology and information security for over 30 years, including previously serving as the Deputy Chief Information Security Officer of a large European banking group. The CISO has attained the professional certification of Certified Information Systems Security Professional (CISSP). The CIO holds undergraduate and master’s degrees in computer science and has served in various roles in information technology for over 25 years. The Company’s CRO holds an undergraduate degree and has over 25 years of experience managing risks, including risks arising from cybersecurity threats.

The Company is ISO/IEC 27001:2013 certified, which is a global standard that specifies the requirements for establishing, implementing, maintaining, and continually improving information security management systems. Additionally, we have received an independent examination regarding our compliance with SOC 2 Type 1 and Type 2.