Evercore Inc. - (EVR)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Managing information technology ("IT") and cybersecurity risks, including maintaining confidentiality and privacy for our clients and employees, is critical to the successful operation of our business. We are aware that there are risks presented by cybersecurity, and are committed to preventing and mitigating such risks by following the below framework.
Board of Directors Oversight
The Audit Committee of the Board of Directors is charged with a majority of the risk oversight responsibilities on behalf of the Board of Directors, including risks associated with IT and cybersecurity. The Board of Directors and the Audit Committee are updated periodically on cybersecurity matters. Our Chief Financial Officer ("CFO") and General Counsel both report directly to our Chief Executive Officer ("CEO") and periodically meet with the Audit Committee in conjunction with a review of our quarterly and annual periodic SEC filings to discuss important risks we face, highlighting any new risks that have arisen since the prior meeting. Specifically with respect to cybersecurity, our Chief Information Officer ("CIO") and Chief Information Security Officer ("CISO") join our CFO and General Counsel to provide updates directly to the Audit Committee, along with third party experts engaged to recommend enhancements to and improve the Company’s cybersecurity practices. In addition, all non-management members of the Board of Directors are invited to attend all committee meetings, regardless of whether the individual sits on the specific committee. Board of Directors members have access to senior executives, including our CFO and General Counsel, and in addition to periodic reports, we maintain formal processes for escalating live issues to the Audit Committee and the Board of Directors, as described below.
Management
On a day-to-day basis, our CISO leads our cybersecurity program with support from senior leadership. Our Information Security program is a bespoke program created for the Company and is guided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The Information Security team is composed of three core functional areas, which work collaboratively to seek to keep our assets secure:
• Governance, Risk, & Administration. Responsible for setting policy, maintaining and conducting risk assessments, ensuring regulatory compliance in partnership with our legal and compliance team, coordinating audits, evaluating new technology platforms, and the development and oversight of the Company’s data governance, vendor risk management, and training programs.
• Security Operations. Responsible for monitoring our security posture on an ongoing basis, including alert response and escalation. This team is supported by a third-party security firm that serves as the Company’s Security Operations Center and performs continuous (24x7x365) monitoring of security across the enterprise.
• Security Architecture. Responsible for managing and maintaining security systems and identity management programs, as well as oversight and performance of security reviews for key technology platforms.
The CISO leads our Information Security team and is responsible for establishing and maintaining the Enterprise Information Security Policy (the "Policy"). Our CISO has over a decade of experience in information security strategy, audit and risk management, as well as technical leadership expertise. To stay abreast of the evolving threat landscape, the CISO is active in the cyber community through discussions with peer groups, industry experts and law enforcement agencies. Members of the Information Security team have backgrounds in cybersecurity or experience applicable to their roles, including relevant industry certifications.
Our Enterprise Information Security Policy contains existing controls to protect information systems (and the data hosted within) and to educate personnel as to the proper use, disclosure, modification, or destruction of that data. The Policy is further intended to reasonably protect our systems and data against internal and external threats that could impact them. We periodically review this Policy for improvements and request each account user to read and attest to the Policy annually. We employ a Defense-in-Depth approach to information security, which includes adoption of network perimeter, endpoint, and end-user controls in accordance with the Policy. We are focused on improvement of our security posture; we are periodically assessed by internal and external audits, as well as third-party security experts, such that our program continues to address and respond to evolving threats.
Education and awareness of cyber threats are a core component of our information security program. All employees undergo dedicated cybersecurity training as part of their onboarding process and on an ongoing basis. In recent years, we have enhanced our employee education and awareness program to focus on engagement, including through frequent phishing campaign assessments, communications from our CISO and reinforcement from other senior leaders on relevant cyber threats. We have also engaged third-party experts to perform penetration tests and assess our response mechanisms, and have hosted tabletop exercises with senior leaders to test our incident response preparedness. These organizations, as well as other third parties that do business with us, are reviewed as part of our Vendor Risk Management program. To foster prompt response to incidents, recovery of lost data, and minimal impact to strategic operations in emergency events, we maintain, test, and regularly review our Incident Response, Disaster Recovery and Business Continuity Plans.
Incident Response Plan
We have adopted an Incident Response Plan to provide a formal framework for responding to security incidents. The overall purpose of the framework is to provide procedures designed to protect and preserve the availability, integrity and confidentiality of the Company’s information and network assets, regardless of format. The plan was designed with the objective of performing timely investigations and assessments of the severity of the incidents (including the sensitivity of the information compromised), taking all appropriate measures to contain and control damage to customers resulting from the incident, returning to normal operating conditions as quickly as possible, and taking appropriate steps to comply with our legal and regulatory obligations, including our disclosure obligations under the securities laws.
The Incident Response Plan establishes procedures for assessing threats, determining when escalation of threats is required, and establishing a coordinated, multi-functional response to mitigate the impact of any incidents. After becoming aware of an incident, our cybersecurity team will review the incident against several critical questions to guide our immediate response. If an incident requires escalation, our core response team, which includes our CIO, CISO, General Counsel, CFO, Chief Compliance Officer, and other business leaders, is responsible for analyzing the materiality of the incident (including whether the incident qualifies as a material cyber event under SEC cybersecurity rules) and leading our response. The core response team is responsible for involving other corporate and business leaders throughout the organization as appropriate for communication and incident resolution, as well as communicating with the Board of Directors regarding the incident and management’s response as appropriate.
Impact of Cybersecurity Risk
During the period covered by this report, we are not aware of any cyber incidents that, individually or in the aggregate, have been material to our operations or financial condition. Additionally, we do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, are reasonably likely to materially affect our strategy, results of operations or financial condition over the long term. For a discussion of cybersecurity risk, see the information contained under the heading "Our business is subject to various cybersecurity risks" in Item 1A. "Risk Factors" in this Form 10-K.