LPL Financial Holdings Inc. - (LPLA)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We maintain an information security program (the “Program”) to help manage material risks and cybersecurity threats to our business, operations and assets. As part of our Program, we maintain policies, procedures and standards that outline the Company’s expectations, guidelines and structured approach to managing cybersecurity risks. We leverage established security frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework, as guides to organize, assess and improve our Program. In addition, our employees are required to complete a cybersecurity and privacy training program each year, which is supplemented with additional awareness efforts, including simulated phishing campaigns and informational articles.
We operate a security operation center to ingest threat intelligence, monitor for cybersecurity threats and coordinate incident response resources. In the event of a cybersecurity incident, the Company has developed a security incident response plan that establishes a structured approach for the Company’s response. The security incident response plan includes processes through which cybersecurity incidents are escalated based on a defined incident risk rating to business stakeholders and a security incident response team, as well as to the Company’s executive officers, which may result in engagement with management’s risk oversight committee (the “ROC”), the Board and the Audit and Risk Committee of the Board (“ARC”), as needed. To improve preparedness for a cybersecurity incident, we conduct tabletop exercises at least annually. These exercises are conducted by internal personnel and with assistance from third-party experts, as needed.
Cybersecurity Governance
The Program is situated within the Company’s information security department, which is comprised of multiple teams, including security operations, security architecture and engineering, technology governance, mergers and acquisitions information security, and advisor security. The information security department is led by the chief information security officer, who has primary responsibility for managing the Program. The current chief information security officer has over 20 years of experience in information security and holds a lead auditor certification for the International Organization for Standardization’s international standard for information security management systems.
The Board has delegated oversight of the Program to the ARC, including oversight of the Company’s cyber- and technology-related risks and the steps management has taken to identify, assess, monitor, and manage those risks. In addition, the Board has established a reporting structure and cadence related to oversight of the Program, which includes respective oversight responsibilities for the Board, the ARC and management risk committees, including the Technology Risk Committee, the Operational Risk Oversight Committee and the Risk Oversight Committee. Each of the Board and the ARC receives staggered periodic reports on the Program’s effectiveness and progress on at least an annual basis.
The assessment, identification and management of cybersecurity-related risks are integrated into the Company’s overall Enterprise Risk Management (“ERM”) process. Cybersecurity risk is included among the significant residual risks identified during the Company’s assessment of business risk. This risk assessment process is used to inform the Company’s strategic planning process, and to develop action plans to appropriately address and manage risk. It is also used to focus our Board and its committees on the most significant risks to our Company. In addition, the enterprise risk function has established foundational frameworks for assessing, monitoring and overseeing the Company’s risks, including risks from cybersecurity threats. This includes reporting on issues, risk events or incidents and emerging risks to applicable risk committees to provide monitoring of key risk exposures.
Engagement of Third Parties
We engage third-party subject matter experts and consultants to conduct evaluations of our security controls, including, but not limited to, penetration testing, maturity assessments or consulting on our response to emerging threats. Results of these evaluations are used to help determine priorities and initiatives to improve the overall Program. As necessary, we also engage third-party experts and consultants to assist with the incident response process to augment our internal security operation center team.
We use a third-party risk performance management program to evaluate cybersecurity risk for third-party service providers. Vendor cybersecurity controls are then assessed to determine if the vendor’s control environment meets the Company’s standards. Vendors are also reassessed periodically, at a frequency determined by their risk classification.
We have not identified any cybersecurity incidents that individually, or in the aggregate, have materially affected or are reasonably likely to materially affect the Company. Regardless, we recognize cybersecurity threats are ongoing and evolving, and there can be no guarantee that we will not be subject to a cybersecurity incident that has a material effect on our business. Please consult the “Risks Related to Our Technology” section within Part I, “Item 1A. Risk Factors” for more information about the risks associated with cybersecurity.