STIFEL FINANCIAL CORP - (SF)

10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY

We maintain an information security program and governance framework that are designed to protect our information systems against operational risks related to cybersecurity.

Cybersecurity Risk Management and Strategy

We define information security and cybersecurity risk as the risk that the confidentiality, integrity, or availability of our information and information systems is impacted by unauthorized or unintended access, use, disclosure, disruption, modification, or destruction. Information security and cybersecurity risk is an operational risk that is measured and managed as part of our operational risk framework. Operational risk is incorporated into our comprehensive Enterprise Risk Management (“ERM”) program, which we use to identify, aggregate, monitor, report, and manage risks.

Our Written Information Security Program (“WISP”), which is our enterprise information security and cybersecurity program incorporated in our ERM program and led by our Chief Information Security Officer (“CISO”), is designed to (i) ensure the security, confidentiality, integrity, and availability of our information and information systems; (ii) protect against any anticipated threats or hazards to the security, confidentiality, integrity, or availability of such information and information systems; and (iii) protect against unauthorized access to or use of such information or information systems that could result in substantial harm or inconvenience to us, our associates, or our clients. The WISP program is built upon a foundation of advanced security technology, employs a highly trained team of experts, and is designed to operate in alignment with global regulatory requirements. The program deploys multiple layers of controls, including embedding security into our technology investments, designed to identify, protect, detect, respond to, and recover from information security and cybersecurity incidents. Those controls are measured and monitored by a combination of subject matter experts and a security operations center with integrated cyber detection, response, and recovery capabilities. The WISP program includes our Incident Response program, which manages information security incidents involving compromises of sensitive information, and our Security Incident Response Plan, which provides a documented framework for handling high severity security incidents and facilitates coordination across multiple parts of the Company to manage response efforts. We also routinely perform simulations and drills around security matters at both a technical and management level, and our associates receive annual cybersecurity awareness training.

In addition, we incorporate reviews by our Internal Audit department and reviews by external third-party experts as part of our WISP program. Our company also undergoes periodic independent third-party maturity assessments of our cybersecurity measures and controls within our WISP program against the Cyber Risk Institute Profile standards for the financial sector. We also invest in threat intelligence, collaborate with our peers in areas of threat intelligence, vulnerability management, incident response, and drills, and are active participants in industry and government forums.

Cybersecurity risks related to third parties are managed as part of our System and Services Acquisition Policy, which sets forth the procurement, risk management, and contracting framework for managing third-party relationships commensurate with their risk and complexity. Our program sets guidelines for identifying, measuring, monitoring, and reporting the risks associated with third parties through the life cycle of the relationships, which includes planning, due diligence and third-party selection, contracting, ongoing monitoring, and termination. Our program includes the identification of third parties with risks related to information security. Third parties that access, process, collect, share, create, store, transmit, or destroy our information or have access to our systems may have additional security requirements, depending on the levels of risk, such as enhanced risk assessments and monitoring, and additional contractual controls. We also conduct reassessments of our third-party risk, using a risk-based approach to determine frequency. Where appropriate, the Company seeks to incorporate contractual language with third-party service providers that includes clear terms involving the collection, use, sharing, and retention of user data, as well as compliance with appropriate security terms.

While we do not believe that our business strategy, results of operations, or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive, and, similar to other global financial services firms, we, as well as our clients, associates, regulators, service providers, and other third parties, have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of cyber attacks. We continue to assess the risks and changes in the cyber environment, invest in enhancements to our cybersecurity capabilities, and engage in industry and government forums to promote advancements in our cybersecurity capabilities, as well as the broader financial services cybersecurity ecosystem. For more information on risks to us from cybersecurity threats, see “Any cyber attack or other security breach of our technology systems, or those of our clients or other third-party vendors we rely on, could subject us to significant liability and harm our reputation” in “Item 1A – Risk Factors” of this Form 10-K.


Cybersecurity Governance

Under our information security framework, our Board and our Risk Management Committee are primarily responsible for overseeing and governing the development, implementation, and maintenance of our WISP program, with the Board designating our Risk Management Committee to provide oversight and governance of technology and cybersecurity risks. Our Board receives an update on cybersecurity at least twice a year from our CISO or their designee. Our Risk Management Committee receives reports on cybersecurity at least four times a year, with ad hoc updates as needed. In addition, our Risk Management Committee annually approves our WISP program.

Our Operational Risk Committee (“ORC”), chaired by our CISO, provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, measure, manage, monitor, and report information security risks associated with our information and information systems. The ORC escalates risks to the Risk Management Committee or our Board based on the escalation criteria provided in our information security framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report also provided to our Risk Management Committee and the ORC.

Our CISO leads the strategy, engineering, and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board and the ORC on our WISP program, as well as ad hoc updates on information security and cybersecurity matters. Our CISO reports directly to the Risk Management Committee. The CISO has been with the Company since 2016 and prior to this worked in a number of security and technical roles within the Federal Reserve System.