CBRE GROUP, INC. - (CBRE)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
We recognize the importance of developing, implementing and maintaining cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of data. We have integrated cybersecurity risk management into our broader risk management framework. Our risk management team works with our digital & technology organization to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.
Our cybersecurity program is focused on the following areas:
• Governance: We leverage multiple cybersecurity frameworks (e.g., ISO 27001 and NIST CSF) and regulatory requirements to form our Information Security Management System (ISMS), which is defined through policies and standards. Policies are applicable to all employees globally. These policies are reviewed periodically to ensure they remain relevant. For additional information regarding governance of our cybersecurity program, see the sections below entitled “Board Oversight of Cybersecurity Risks” and “Management’s Role in Assessing and Managing Cybersecurity Risks.”
• Technical Safeguards: We deploy technical and procedural measures to protect our technology and data. Protection measures include network firewalls, network intrusion detection and prevention, penetration testing, vulnerability assessments and remediation processes, threat intelligence, anti-malware and access controls, plus data loss prevention and monitoring.
• Security Awareness / Training: All employees are required to adhere to our Standards of Business Conduct, which identifies an employee’s responsibility for information security. We provide annual cybersecurity training for all employees, as well as enhanced role-specific information security training for certain employees. In addition to this training, security awareness articles are disseminated periodically throughout the year. We also sponsor a “Cyber Security Awareness Month” in October each year and conduct regular phishing detection and response exercises.
• Incident Response Plans: We maintain and update incident response plans that address the life cycle of a cyber-incident and routinely evaluate the effectiveness of such plans. Incident response plans focus on cyber risk issues, including detection, response and recovery; cyber threats, with a focus on external communication and legal compliance; and breach simulations and penetration testing through internal and external exercises. Each year, we engage a third-party expert to oversee a cybersecurity incident response exercise to test pre-planned response actions from our incident response plan and to facilitate group discussions regarding the effectiveness of our cybersecurity incident response strategies and tactics.
• Third-Party Suppliers and Service Providers: We conduct periodic vendor security reviews and risk assessments for prospective and current third-party technical suppliers and service providers. Vendor security reviews evaluate numerous key security controls, and the outputs of these reviews are used as part of business decisions regarding procurement and to assess a vendor’s overall security posture relative to a defined set of security criteria.
• Certifications: Our security program is audited on an annual basis by several independent groups, including an accredited certification body, leading accounting firms and institutional clients.
• Experts: We engage a range of external experts, including cybersecurity assessors, consultants, and auditors, in evaluating and testing our cybersecurity program. Our collaboration with these third parties includes periodic audits, threat assessments and consultation on security enhancements.
Risks from Cybersecurity Threats
While we are subject to ongoing cybersecurity threats, we do not believe that the risks from these threats have materially affected, or are reasonably likely to materially affect the company, including our business strategy, results of operations or financial condition. For additional information regarding risks from cybersecurity threats, see “Item 1A. Risk Factors—Risks Related to our Information Technology, Cybersecurity and Data Protection” in this Annual Report.
Board Oversight of Cybersecurity Risks
Our Board of Directors (Board) is responsible for the oversight of our risk management program and regularly reviews information regarding our most significant strategic, operational, financial, legal and compliance risks, including cybersecurity risks. The Board delegates its oversight of cybersecurity risks to the Audit Committee; however, the Board reviews risks and mitigation plans through direct presentations and discussions with management as well as through receipt of committee chair reports at each regularly scheduled Board meeting.
The Audit Committee is responsible for evaluating and overseeing the management of risks related to information technology, which includes cybersecurity and data security risks. The Audit Committee receives quarterly reports from our Chief Information Security Officer (CISO) regarding cybersecurity and data security matters and related risk exposures. The Audit Committee Chair regularly updates the Board on such matters and the Board also periodically receives reports from management directly. Our Board escalation protocols require material cybersecurity incidents or data breaches to be reported to the Board on a real-time basis.
Management’s Role in Assessing and Managing Cybersecurity Risks
Our CISO is responsible for setting the strategy and communicating cybersecurity risks. Our CISO’s team is also responsible for defining policies, standards, architecture and processes for cybersecurity globally. With over 28 years of experience in the field of cybersecurity, our CISO brings a wealth of expertise to his role. His background includes extensive experience as an enterprise CISO.
Our CISO, in conjunction with other digital & technology leaders, implements and oversees processes for the regular monitoring of our information systems. This includes escalation protocols to identify, assess and escalate cyber incidents. We also deploy security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, our CISO is equipped with a defined incident response plan. Our CISO meets quarterly with our risk management team and provides quarterly reports to the Audit Committee.