Cushman & Wakefield plc - (CWK)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The Company has established a cybersecurity program intended to protect our information assets and those information assets of our clients that come under our control. Our cybersecurity risk management processes include technical security controls, monitoring systems, operational processes and policies, and management oversight to assess, identify and manage risks from cybersecurity threats. We have implemented risk-based controls to protect our information, information systems and business operations. We have adopted security-control principles and standards based on the National Institute of Standards and Technology Cybersecurity Framework (NIST), other recognized global standards and client contractual requirements, as applicable. We strive to evaluate and invest in technology, personnel and infrastructure to maintain cybersecurity measures in line with our risk exposure and to address the ever-changing threat, technology and regulatory landscape.
We maintain a cybersecurity program that includes physical, administrative, and technical safeguards, and we maintain plans and procedures whose objective is to help us prevent, detect and timely and effectively respond to, and as necessary, recover from, cybersecurity incidents. Through our cybersecurity risk management program, we have established operational processes to address issues including monitoring and patching of vulnerabilities, regular updating of our information systems, and evaluating new countermeasures made to defend against an evolving landscape of threats. This process is overseen by the Audit Committee of our Board.
In addition, we periodically engage third-party consultants and providers to assist us in assessing, testing, enhancing and monitoring our cybersecurity risk management programs and responding to any incidents. These third parties work in conjunction with the Company’s information security team in an effort to continuously improve our cyber risk posture. Examples of third-party actions include the engagement of a security operations center for real-time monitoring and response to incidents, risk assessments and security certifications. The Company also receives independent audits on our global cybersecurity program from industry leading vendors at least annually.
We have established a vendor risk management program, which is a cross-functional program supported by our information security, compliance and procurement teams. As part of that program, we assess the security and privacy practices of our suppliers and third-party service providers who have access to, store or process our information through ongoing risk monitoring and security assessments, in line with the cybersecurity risks associated with the products or services they provide. We provide feedback and guidance to certain vendors as needed in an effort to enhance their security posture, including when new risks or threats are identified. Additionally, we perform periodic reassessments of applicable vendors to ensure our information security control requirements continue to be met.
At Cushman & Wakefield, we believe cybersecurity awareness is important in helping prevent cyber threats. To that end, we provide annual cybersecurity awareness training and regular phishing awareness exercises to our tech-enabled employees. We monitor and assess the success rate of employees reporting phishing scams, and the results inform the development of our security trainings, systems and programs. Additionally, role-based security training is provided to employees in certain higher-risk positions (including those who handle sensitive information, technology or funds), which is tailored to the heightened cybersecurity risks they face.
We have experienced, and may in the future experience, whether directly or through our service providers or other channels, cybersecurity incidents. While prior incidents have not had a material impact on us, future incidents could have a material impact on our business, operations and reputation. Although our processes are designed to help prevent, detect, respond to and mitigate the impact of such incidents, there is no guarantee that they will be sufficient to prevent or mitigate the risk of a cyberattack or the potentially serious reputational, operational, legal or financial impacts that may result. See “Risks Related to Our Business and Operations—A material breach in security relating to our information systems could adversely affect us.” within Item 1A, “Risk Factors” in this Annual Report.
Governance
At Cushman & Wakefield, our Chief Information Security Officer (“CISO”) oversees a global information security team which is responsible for protecting the information and operations of us and our clients. Our current CISO has over 23 years of experience and leadership in the cybersecurity industry, holds a master’s degree in Information Security and Assurance, and has received numerous industry certifications, including ISO-27000 Specialist, EC-Council Disaster Recovery Professional and an ISACA certification in Risk and Information Systems Control, among others. The information security team has established a security operations center and other partnerships with service providers to monitor for technology and security incidents which are actioned based on the Company’s incident response procedures.
Our Board has overall responsibility for risk oversight, with its committees assisting our Board in performing this function based on their respective areas of expertise. Our Board has delegated oversight of risks related to cybersecurity to the Audit Committee. The Audit Committee is charged with reviewing our overall guidelines, policies, processes and procedures with respect to risk assessment and risk management, including risks related to cybersecurity. Our CISO and our information security team provide more in-depth reporting on cybersecurity risks to the Audit Committee at least annually based on our established enterprise risk categories. These briefings include assessments of the threat landscape, updates on incidents, results of client security audits, and reports on our investments in cybersecurity risk mitigation. In addition, given its overall importance to the organization, our CISO also provides cybersecurity risk reporting to our Board on at least an annual basis as well as from time to time as needed.
Our CISO meets regularly with members of our senior management, including our executive officers. Executives also frequently attend meetings of our Audit Committee and our Board and are therefore able to hear the cybersecurity updates presented at those meetings.
Our information security team also participates in periodic global and regional Risk Assurance Committees to further strengthen our cybersecurity risk management activities across the Company. At these meetings, the information security team presents to members of Company leadership, including members of our internal audit team and regional and service line chief financial officers, on the current cybersecurity risk environment, including any newly identified areas of risk and updates on responses to existing risks.