Moelis & Co - (MC)
10-K Filing Date: February 22, 2024
The Company faces various risks from cybersecurity threats in connection with its business on a day‑to‑day basis, including, without limitation, information theft, destruction and inaccessibility; unauthorized disclosure of sensitive or confidential information; extortion; harm to clients and employees; reputational risk, legal and regulatory risk and increased costs to manage cyber risk, which could materially adversely affect our business, strategy, results of operations and financial condition. Our cybersecurity risks arise out of managing sensitive and confidential information of our clients, as well as our own confidential and proprietary information, and our dependence on information technology systems and networks to securely process, transmit and store this information and to communicate among our global locations and with third parties, including our clients and other key stakeholders involved in our clients’ transactions. The cyber threat landscape is constantly evolving, and the increase in periodic work-from-home workforce and their reliance on technology that enables such work has increased the cyber threat landscape and related risks. While we do not believe we have, as of the date of this Form 10-K, experienced a cybersecurity incident that materially affected our business, our business strategy, our results of operations or financial condition, there can be no guarantee that we will not experience such an incident in the future. For further information, see “Our business is subject to various cybersecurity and other operational risks” and “We may incur losses as a result of unforeseen or catastrophic events, including the emergence of a pandemic, cybersecurity incidents and events, terrorist attacks, war, trade policies, military conflict, climate-related incidents, or other natural disasters” in Item 1A, Risk Factors of this Annual Report.
We maintain a cybersecurity program, which includes processes for the continuous monitoring of our information systems in order to assess, identify and manage cybersecurity threats. We use known industry strategies to manage these cyber threats, including, without limitation, identity and access management, security awareness training, network security, physical access controls, endpoint security, encryption, incident response planning and vulnerability management. The relevant information collected from the tools is, among other things, leveraged to identify potential weaknesses, monitor threats that seek to identify and exploit these weaknesses and refine and adjust our security controls as the cyber threat landscape changes. Our cybersecurity program includes policies governing how employees access, use and interact with our firm assets and data deemed to be in our custody. Our security team considers industry cybersecurity best practices and applicable statutory and regulatory obligations when creating policies, implementing controls and engineering technology integrations.
Recognizing the complexity and continuously developing nature of cybersecurity threats, Moelis periodically engages with a variety of external experts, including consultants, auditors and cybersecurity assessors in evaluating and testing our cyber risk management systems. Our collaboration with these third parties includes, but is not limited to, threat assessments, consultation on security enhancements and regular periodic audits.
Our security program also contains a third-party risk management process which is designed to assess third-party vendors’ information security posture and inform management on the potential cyber risk introduced by third-party products and services and the broader security team’s recommendations for risk management.
Our cybersecurity program is overseen by a full-time security team led by our Chief Information Security Officer (“CISO”), reporting directly to our Chief Information Officer (“CIO”). Our CISO has over 20 years of experience in the field of cybersecurity, including prevention, detection, mitigation, and remediation of cybersecurity incidents. Our CIO has over 17 years of experience as a Chief Information Officer, over 35 years of experience in the field of information technology and oversees the cybersecurity function.
Our cybersecurity program includes a cyber incident response policy overseen by our CISO. This incident policy sets forth the procedures to be followed in the event of a cybersecurity event, including escalation, mitigation, and remediation steps. Our cybersecurity procedures provide criteria for the escalation of cybersecurity events to management of the other operational functions of the Company to participate in determining and executing on the response. Depending on the nature and severity of the incident, we have procedures for escalating notification to our executive officers and Board of Directors.
Our Board of Directors is responsible for oversight of our cybersecurity risks. Cybersecurity risk management is integrated into our broader risk management framework. Our Board meets at least quarterly to conduct a review of matters related to cybersecurity, including an assessment of the cybersecurity threat landscape, cyber risk mitigation initiatives, the status of projects to strengthen internal cybersecurity, and an update on security events during the period. In addition, management will escalate cybersecurity incidents to the Board of Directors between quarterly meetings in accordance with our escalation procedures.