AFFILIATED MANAGERS GROUP, INC. - (AMG)
10-K Filing Date: February 16, 2024
Item 1C.Cybersecurity
Risk Management and Strategy
We regularly assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities, and test those systems pursuant to our cybersecurity policies, processes, and practices. To protect our information systems from cybersecurity threats, we use various security tools that help us identify, escalate, investigate, resolve, and recover from security incidents in a timely manner.
We recognize the importance of protecting information assets such as the personally identifiable information of our employees, and proprietary business information regarding our Affiliates and their clients, and have adopted policies, management oversight, accountability structures, and technology processes designed to safeguard this information. All of our
17
employees are required to attest annually to our information security policies and participate in regular security awareness training to protect their information and the AMG data and systems to which they have access. These trainings also instruct employees on how to report any potential privacy or data security issues.
Our information security organization comprises internal and external resources designed to identify, protect, detect, mitigate, resolve, and recover from various threats and attacks by malicious actors. We leverage 24x7x365 monitoring tools and services to address the confidentiality, integrity, and availability of AMG assets and data. Regular internal and third-party reviews are performed on our processes and technologies to validate the effectiveness of our privacy and data security controls and safeguards. We monitor industry best practices and developments in data privacy and security, including increased scrutiny of third-party service providers with access to sensitive AMG data. We also have our own fully documented proprietary security incident response plan, with defined roles and responsibilities that address notification obligations and incident response procedures in the event of a data security breach. We are dedicated to business continuity and resiliency, and have documented strategies, policies, and procedures in place to protect employee, business, Affiliate, and Affiliate client data in the event of an emergency or natural disaster.
Although we provide our Affiliates with operational autonomy in managing their businesses and may have limited involvement in the design, oversight, and maintenance of their respective technology systems and networks, we offer ongoing cybersecurity support to Affiliates through our information security program, including with respect to conducting Affiliate program assessments and assisting, as appropriate and practicable, in their identification of, and response to, an actual or suspected cybersecurity incident. Additionally, prior to any investment in a new Affiliate, we conduct a diligence review of its information security program.
We work with third-party service providers to proactively assess our information security program and provide us with an industry view of the cyberthreat landscape, in addition to monitoring and supporting our control environment and breach notification and response processes.
As of the date of this Annual Report on Form 10-K, cybersecurity threats have not materially affected and we believe are not reasonably likely to materially affect AMG, including our business strategy, results of operations, or financial condition. Refer to the risk factor captioned “Failure to maintain and properly safeguard an adequate technology infrastructure may limit our or our Affiliates’ growth, result in losses or disrupt our or our Affiliates’ businesses” in Part I, Item 1A. “Risk Factors” for more information regarding cybersecurity risks and potential related impacts on AMG.
Governance
We have a formal information security program, designed to develop and maintain privacy and data security practices to protect AMG assets and sensitive third-party information, including personal and Affiliate information. This program is governed by a committee comprising members of senior management, including our Chief Information Officer (“CIO”), which meets regularly and reports to the Board of Directors at least annually (the “Information Security Governance Committee”). Members of the Information Security Governance Committee oversee communications with the Board of Directors regarding material cybersecurity incidents and provide the Board with a summary of risks from current cybersecurity threats on a regular basis, as well as updates on management’s information security program oversight and maintenance activities, and any material changes to AMG’s information security practices and procedures. The Board of Directors is also regularly provided with cybersecurity educational sessions, including perspectives from external advisors that are invited to present on current cybersecurity topics.
We take a risk-based approach to cybersecurity and have implemented policies throughout our operations that are designed to address cybersecurity threats and our response to actual or suspected incidents. In particular, the Information Security Governance Committee is responsible for the ongoing identification and assessment of reasonably foreseeable cybersecurity threats and based on these assessments, evaluating and overseeing the implementation of safeguards for limiting such risks, including employee training and compliance, and detection and prevention mechanisms. If a cybersecurity incident occurs, the Information Security Governance Committee will assemble an incident response team responsible for the identification, remediation, and post-incident review of such incident, engage outside advisors and notify third parties as appropriate, and assess the materiality of the nature, scope, and timing of a given incident and whether public disclosure is required.
The CIO, in coordination with the Information Security Governance Committee, is responsible for leading the assessment and management of cybersecurity risks. The current CIO has over 25 years of experience in information security. The CIO reports to the Board of Directors as part of the Information Security Governance Committee’s updates discussed above and regularly communicates with the other members of the Information Security Governance Committee and senior management regarding cybersecurity risks.
18