SEI INVESTMENTS CO - (SEIC)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity.
Cybersecurity risk management is an important part of our overall risk management efforts. Our industry is prone to cybersecurity threats and attacks, and we regularly experience cybersecurity incidents of varying degrees. At any given time, we face known and unknown cybersecurity risks and threats that are not fully mitigated, and we discover vulnerabilities in our Cybersecurity Program. We continuously work to enhance our Cybersecurity Program and risk management efforts. As of the date of this report, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition.
We use a risk management framework based on applicable laws and regulations, and informed by industry standards and industry-recognized practices, for managing cybersecurity risks within our products and services, infrastructure, and corporate resources. This risk management framework is implemented through our Cybersecurity Program. Our Cybersecurity Program is designed to provide a framework for assessing the potential threats to the security and integrity of our systems, networks, databases, applications, electronic information and intellectual property and developing appropriate defenses based on these assessments. We routinely invest to develop and implement numerous cybersecurity programs and processes, including risk management and assessment programs, security and event monitoring capabilities, detailed incident response plans, and other advanced detection, prevention and protection capabilities, including practices and tools to monitor and mitigate insider threats. We regularly assess cybersecurity risks to identify and enumerate threats to us and vulnerabilities these threats can exploit to adversely impact our business operations. In some instances, we engage third parties to conduct or assist us with conducting cybersecurity risk assessments. We have developed and implemented a security infrastructure designed to ensure infrastructure and data confidentiality, integrity, and availability.
Key components of our Cybersecurity Program include, but are not limited to, the following:
• Information Security Governance: We designed what we believe are appropriate measures, policies and procedures to ensure that information and information systems are properly protected given the nature of our businesses and the size and complexity of our organization, including our reliance on third parties;
• Organization: The Information Security team, led by the Chief Information Security Officer (CISO), is responsible for implementing and managing the Cybersecurity Program with executive oversight from the Chief Executive Officer and Chief Financial Officer, as well as oversight from our Board of Directors. Our CISO has extensive cybersecurity knowledge and skills gained from over 26 years of work experience on the information security team at SEI. In addition to the CISO’s cybersecurity experience, he has certifications in risk and information systems control along with information systems auditing;
• Cybersecurity Controls: We have implemented what we believe are appropriate preventative measures to protect SEI’s infrastructure, systems, and data. These measures include network architecture segmentation, system and platform hardening, in-transit and at-rest encryption, dynamic security awareness training, regular vulnerability scanning and penetration testing, firewalls, web proxy filtering, and multifactor authentication, all of which we constantly evaluate and upgrade as we believe is needed based on our risk assessments;
• Managed Detection and Response: Our security operations center’s uninterrupted monitoring processes utilize tools such as network and host-based intrusion detection systems, endpoint detection and response technology, distributed denial of service detection and mitigation service, and centralized security and information event management (SIEM). These efforts are further supplemented by signals operations and threat hunting that provide the incident responders the ability to write custom detections to complement commercial technology controls and execute triage/analysis, threat intelligence, and response;
• Independent Audits: We are subject to industry regulatory examinations. Our internal audit function provides independent assessment and assurance on the overall operations of our Cybersecurity and Privacy Programs and the supporting control frameworks. We also engage various reputable third parties to perform independent auditing and testing as well as network and web application penetration testing;
• Risk Management Oversight: Enterprise Risk Management, through the Enterprise Risk Committee, provides independent monitoring and reporting of cybersecurity risks commensurate with our Technology Risk Program. In addition, we leverage our Third Party Risk Management, Insider Threats, Business Continuity & Disaster Recovery and Information Governance programs to supplement our Cybersecurity Program; and
• Privacy Oversight: In addition to our Enterprise Risk Management functions, our Legal and Compliance team maintains a privacy risk management program to assess, manage and report privacy risks related to how we are collecting, using, sharing, and storing user data. Our Privacy team works with our Third Party Risk and Information Security teams to manage privacy-related issues.
As part of the governance and oversight of the Cybersecurity Program, regular reporting is performed for the Legal and Regulatory Oversight Committee of our Board of Directors along with SEI’s various subsidiaries’ boards of directors. The reports include cybersecurity metrics/statistics, details of relevant events, results of testing, and overview of current threats. Should any material incidents arise, those will be timely and appropriately communicated to the relevant subsidiary's board of directors.
Additional information about cybersecurity risks we face is discussed in Item 1A of Part I, “Risk Factors,” under the heading “We are exposed to data and cyber security risks,” which should be read in conjunction with the information above.