Artisan Partners Asset Management Inc. - (APAM)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Information Security Program
Our processes for assessing, identifying and managing material risks from cybersecurity threats, as defined in Item 106(a) of Regulation S-K, are integrated into our overall risk management strategy. We regularly assess the risks inherent in operating our business as well as the effectiveness of our risk management activities. The Artisan Risk and Integrity Committee, which includes members of the Company’s senior leadership team including senior representation from the firm’s operations, distribution, finance, internal audit, investment strategy and legal functions, facilitates our annual enterprise risk assessment process, which uses a top-down approach to identify and prioritize key risks to achieving our purpose and maintaining our business model. We also conduct a bottom-up information and cybersecurity risk assessment on an annual basis, which focuses on the evolving threat landscape, changes in the firm’s operations, changes in regulatory requirements and security incidents. This risk assessment informs the Company’s information security awareness training and testing and assessment program.
We manage risk, including cybersecurity risk, via three distinct lines of defense. As the first line of defense, business managers, including IT managers, are responsible for maintaining effective internal controls and executing risk and control procedures on a day-to-day basis. As the second line of defense, the legal, compliance and information security governance functions provide guidance and training, as well as perform monitoring, testing and surveillance activities relating to compliance with the firm’s policies and procedures, applicable laws and regulations, contractual requirements, ethical standards and industry best practices. As the third line of defense, our internal audit team provides periodic and independent assurance that the firm’s internal controls are implemented and operating effectively.
With respect to cybersecurity risk, we have a dedicated security engineering and operations team, supplemented with security consultants and two managed security service providers, that performs first line responsibilities by identifying security risks, deciding if and how to implement security tools and controls, and implementing and maintaining those tools and controls. This team is led by our Director of Technical Services, who has 32 years of information technology experience, and reports to our Chief Information Officer (CIO), who has 40 years of information technology experience. We also have an information security governance team that is responsible for performing second line responsibilities, including training associates, providing advice to our associates in carrying out their responsibilities consistent with the goals of the security program, assessing whether the program is reasonably designed and operating effectively, and responding to and reporting to stakeholders on the reasonableness and effectiveness of the security program. The information security governance team is led by our Chief Information Security Officer (CISO), who is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP) and has 37 years of experience in the field of cybersecurity. Our CISO reports directly to our Chief Legal Officer and General Counsel. Together, these teams maintain a robust information security program that utilizes a multi-layered defense-in-depth strategy and is designed to prevent, detect, mitigate and remediate cybersecurity incidents.
Our information security program is subject to periodic internal audits and independent third-party reviews. We use third-party security firms for security consulting, including configuration reviews and assessments, and to perform periodic (no less frequently than annual) penetration tests to evaluate the integrity of our systems. We also conduct monitoring and testing activities, such as phishing simulations.
Our associates receive annual, mandatory information security training, which includes information regarding specific policies and procedures and education on risks such as phishing attacks, social engineering, password management and privacy. New associates receive cybersecurity training as part of their orientation process.
To date, we have not experienced any known material cybersecurity breach or threat that resulted in or is reasonably likely to result in any material loss, or any material impact on our business strategy, results of operations or financial condition.
Oversight of Third-Party Service Providers
We engage many service providers in connection with our business operations. Some of these service providers play a minor role, while others perform services that are critical to our operations. We have a service provider oversight committee that oversees and facilitates the management of third-party relationships that are integral to our investment management activities. The committee maintains a written policy and other guidance that set forth our approach to managing and providing oversight of those third-party service providers in a manner consistent with the level of risk and complexity of the services provided. Our approach to oversight, which includes considerations regarding selection, initial and ongoing due diligence, contracting, ongoing monitoring and oversight and compliance with applicable regulatory and service level expectations, is tailored to each such service provider based on the scope of the services provided. Security assessments of those service providers may include questionnaires, meetings and onsite visits. We also consider contingency plans in the event a key service provider is not able to provide its respective services.
In addition, our internal audit team periodically tests the firm’s management and oversight of certain key third-party service providers, including those overseen by the service provider oversight committee, as well as third parties that support financial reporting.
Governance
Role of Management
Management is responsible for the assessment and management of risk, including cybersecurity risk. The Artisan Risk and Integrity Committee facilitates the annual enterprise risk assessment that identifies and prioritizes the Company’s key risks, including cybersecurity risk. The information security governance team also reports to members of senior management the results of its annual cybersecurity risk assessment.
Cybersecurity risks are managed by and through our information security program, which consists of the activities of teams managed by our CIO (first line of defense) and CISO (second line of defense). In the normal course of business, executive management is informed about the prevention, detection, mitigation and remediation of cybersecurity risks through these established reporting lines and through its oversight of the information security program.
Outside of the normal course of business, in the event a cybersecurity incident occurs, our incident response plan provides guidance in assessing and responding to the incident. The incident response plan establishes mechanisms by which we determine the scope of and potential damage caused by the incident and determine and execute the appropriate response. The plan outlines roles and responsibilities and sets forth escalation points to ensure that appropriate individuals and groups are notified and provided relevant information depending on the type and severity of the incident. Cybersecurity incidents are reported to each of the Company’s Chief Legal Officer, Chief Administrative Officer, and the Chair of the Artisan Risk and Integrity Committee, who oversee the investigation and remain apprised of information regarding the remediation of the incident. This group, based on its assessment of the incident’s potential impact to the Company and its stakeholders, will also make determinations regarding further escalation of the incident to the full senior leadership team. The senior leadership team is kept informed of the investigation and is responsible for making certain decisions throughout the course of the investigation, including whether it is appropriate to report the incident to the Board prior to its next meeting.
Role of the Board of Directors
Our Board is responsible for overseeing management in the execution of its risk management responsibilities, including with respect to cybersecurity risk management. In addition, an overall review of risk is inherent in the Board’s ongoing oversight of our business, long-term strategies and other matters presented to our Board. Our Board exercises its risk oversight responsibilities periodically as part of actions taken and matters reviewed during its meetings and also through the activities of its standing committees. The Board has delegated responsibility for cybersecurity risk oversight to the Audit Committee.
The Audit Committee oversees cybersecurity risk management through the periodic reports it receives from management. On a quarterly basis, management reports on any significant cybersecurity events and trends impacting the Company. Annually, our CIO and CISO report to the Audit Committee on our information security program, including with respect to team updates, key areas of risk and the effectiveness of the program. The Audit Committee also reviews the Company’s cybersecurity insurance program on an annual basis in connection with the program’s renewal and receives periodic reports from our Director of Internal Audit regarding internal audits of our information security program.