NASDAQ, INC. - (NDAQ)
10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Risk management and strategy
Nasdaq’s brand and role as a critical infrastructure provider for global financial markets, and operator of the Nasdaq Stock Market, make us an attractive target for cybersecurity risks, including from international political opponents, hacktivists and ransomware or other financially motivated criminals targeting the financial sector. Our cybersecurity risks include financial and reputational damage, along with collateral damage from loss of customer confidence in our exchange, products or offerings, as applicable, potential regulatory enforcement actions or litigation, either from governmental authorities or shareholders, or the failure to comply with contractual breach notifications. To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our business, our business strategy, our results of operations or financial condition. For further information, see “Our role in the global marketplace positions us at greater risk for a cyberattack” and “Expanded cybersecurity regulations, and increased cybersecurity infrastructure and compliance costs, may adversely impact our results of operations” in “Item 1A, Risk Factors” of this Annual Report on Form 10-K.
Our risk management and mitigation approach includes the adoption of security controls and adaptive ongoing threat analysis. Our policies and our baseline security controls incorporate robust security infrastructure, risk-based controls and multi-layered defense systems. We have 16 System and Organization Controls Type 2, or SOC 2, certifications with respect to our information security and infrastructure. Our adaptive analysis monitors the threat landscape relevant to Nasdaq, our vendors and financial industry peers, and threats arising from geopolitical events. As the external threat landscape evolves, our information security controls are regularly evaluated, updated and enhanced to help protect against emerging risks. Additionally, we conduct extensive cybersecurity assessments of our acquired entities, both prior to acquisition and following completion of the transaction, to understand potential threats and mitigate any potential security gaps, as well as to ensure compliance with our security infrastructure and access management practices and policies.
We periodically engage external advisors to perform an analysis of our information security procedures, which include a review of program documentation and an overall maturity assessment of Nasdaq’s information security programs. These advisors provide recommendations to further enhance our procedures. The findings are then presented to the Audit & Risk Committee of the Board of Directors, or the Audit & Risk Committee. In 2023, our management team and the Board of Directors conducted tabletop exercises and simulations in cybersecurity matters with assistance from internal and outside experts.
We use certain cloud-based third-party vendors for the core trading systems of certain of our exchanges and certain of our governance products and solutions. Prior to engaging such vendors, we analyze each provider’s SOC 2 certifications and perform due diligence and testing for information security and interoperability with our systems, and we annually review the SOC 2 certifications. Our security assurance and threat assessment team, within our Information Security organization, collaborates with our external threat intelligence providers to proactively review Nasdaq and our vendors with respect to emerging threats and associated risks.
For our third-party service providers, our risk assessment process evaluates the probability and potential impact of incidents related to operational errors, technology disruptions, information security breaches, workforce issues, internal and external fraud, financial actions, and legal and regulatory matters. This assessment process is part of our Supplier Risk Management program, which establishes processes for identifying, assessing, and periodically reviewing our exposure to risk through third party vendors.
Governance
Cybersecurity is an integral part of risk management at Nasdaq. The Board of Directors appreciates the rapidly evolving nature of threats presented by cybersecurity incidents and is committed to the prevention, timely detection, and mitigation of the effect any such incidents may have on us. We use a cross-departmental approach to assess and manage cybersecurity risk, with our Information Security; Legal, Risk and Regulatory; and Internal Audit functions presenting on key topics to the Audit & Risk Committee, which provides oversight of our cybersecurity risk. Additionally, members from these organizations, along with Finance and Accounting, comprise a rapid response team that would mobilize in the event of a significant cybersecurity incident and would analyze and evaluate the incident while also advising the executive management team. Our Global Risk Management Committee, which includes our Chair and CEO and other senior executives, assists the Board of Directors in its cybersecurity risk oversight role.
Our Audit & Risk Committee receives quarterly or, if needed, more frequent reports on cybersecurity and information security matters from our Chief Information Security Officer, or CISO, and his team. The CISO has more than 25 years of experience in information technology and information security, particularly in the financial services industry, and our Information Security organization has more than 100 members, with expertise in application security; governance and compliance; program and vulnerability management; security engineering; security operations; security assurance; and threat intelligence and security architecture.
This regular reporting to the Audit & Risk Committee also includes a cybersecurity dashboard that contains information on cybersecurity governance processes, and from time to time, also includes the status of projects to strengthen internal cybersecurity, ongoing prevention and mitigation efforts, security features of the products and services we provide our customers, or the results of security events during the period. The Audit & Risk Committee also reviews and discusses recent cyber incidents affecting the industry and the emerging threat landscape.
Cybersecurity is a shared responsibility, and our goal is for all employees to be vigilant in helping to protect our organization and themselves, at all times. We routinely perform simulations and tabletop exercises, and incorporate external resources and advisors as needed, to help strengthen our cybersecurity protection and information security procedures and safeguards. All employees are required to complete annual cybersecurity awareness training and have access to continuous cybersecurity educational opportunities throughout the year. Nasdaq also maintains a cybersecurity and information security risk insurance policy, and our Nasdaq Information Security Management System conforms to ISO 27001 requirements and is ISO 27001 certified.
On an annual basis, the Information Security team reviews and updates its governance documents, including the Information Security Charter, the Information Security Policy, and the Information Security Program Plan, and then presents the revised documents to the Audit & Risk Committee for review and/or approval. Additionally, the Information Security team maintains a formal cybersecurity strategic three-year plan, which outlines the strategic vision and associated goals for the cybersecurity of our global operations. The plan is regularly updated with new initiatives that align with technology innovations and changes in the threat landscape, and is reviewed and approved by the CISO and the Audit & Risk Committee. Throughout the three-year plan term, the CISO regularly provides management with progress reports.