PRICE T ROWE GROUP INC - (TROW)
10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity.
Technology is a key component of our business operations, and cybersecurity is a significant consideration for the firm. T. Rowe Price has a holistic firm-wide approach to risk management, including material risks from cybersecurity threats. The firm’s overall risk management activities are designed to identify, assess, report, and manage risks that could affect the firm in achieving its objectives and goals. This risk management framework operates across our business lines and integrates business operational resiliency and technology-related risks such as cybersecurity threats. As part of the firm’s risk identification and assessment framework, key risks from cybersecurity threats specific to our environment are identified and assessed for adequacy of controls. Management identifies risks inherent in cybersecurity threats, estimates the significance of the risks, assesses the likelihood of their occurrence, establishes acceptable risk tolerance levels, and implements appropriate measures to monitor those risks. Action plans may be developed for identified control issues, and management is responsible for addressing these issues.
Although management is responsible for the firm’s day-to-day cybersecurity operations, the Board of Directors oversees the firm’s cybersecurity program. The Board does not delegate this responsibility to a committee, nor does the Board identify a cybersecurity expert to consider the firm’s activities and make recommendations or provide advice to the Board. Instead, many of our directors have significant technology experience gained through their prior work experience and through their positions on other boards of directors, all of which provides the Board with insight and practical guidance in overseeing the firm’s technology and operations as well as our continuing investment in and development of our cybersecurity program.
Our Chief Executive Officer and President (CEO) has ultimate responsibility for developing strategy and overseeing execution to meet the firm’s objectives. The CEO has delegated to our Chief Operating Officer (COO) oversight of this operational execution. The COO has several leaders within the COO organization who develop and oversee the firm’s risk management, technology, and information security practices. These executive leaders play a critical role in cybersecurity risk management and strategy, as further described below.
The firm’s Chief Risk Officer (CRO) leads the Enterprise Risk program, providing the framework and tools used by all business teams across the firm, including technology, to identify, assess, and manage risks from cybersecurity threats in coordination with the firm's Chief Information Security Officer (CISO). The Enterprise Risk team provides guidance and support in identifying, assessing, and monitoring all aspects of risks from cybersecurity threats. The Enterprise Risk function conducts risk assessments for technology and cybersecurity, and coordinates with Internal Audit and Firm-wide Compliance to provide risk assurance activities.
Enterprise Risk is primarily responsible for reporting risks from cybersecurity threats to executive leadership and our Enterprise Risk Management Committee (ERMC). The ERMC supports the efforts of the CRO in providing corporate-wide oversight of our firm’s risk management efforts and provides a path for risk escalation. This committee monitors risk management activities, including cybersecurity matters, and reports periodically, and more frequently as necessary, to our Board of Directors and Audit Committee. Cybersecurity risk management practices operate enterprise-wide, across T. Rowe Price legal entities, including Oak Hill Advisors (OHA). In addition, OHA has established an independent risk committee, whose responsibilities include prompt escalation of key risks and incidents, such as cybersecurity incidents, to the T. Rowe Price CRO.
T. Rowe Price maintains documented Enterprise Incident Management and Reporting Policies and Procedures, outlining responsibilities and requirements for escalation of various types of incidents, including cybersecurity threats and incidents. Our process is designed to investigate incidents efficiently, identify root cause, communicate with the affected parties as appropriate, spot trends, and recommend improvements to mitigate risk. These procedures incorporate incident materiality determination within senior executive levels and operate firm-wide.
Global Technology and Business Unit management are also responsible for implementing internal controls to manage risks from cybersecurity threats to an appropriate level and in line with the firm’s risk appetite. Cybersecurity risks are managed across all lines of business, requiring support and participation across all levels in the organization. Within Global Technology, Enterprise Security is responsible for maintaining security policies, standards, and guidelines and routinely works with our Enterprise Risk, Compliance, Internal Audit, and other key technology and corporate stakeholders to establish security controls, enforce them, and monitor their adherence on an ongoing basis. Enterprise Security also conducts regular phishing tests and manages annual employee training focused on raising awareness, highlighting the important role our employees play in protecting the firm from cybersecurity threats. Business Continuity and Disaster Recovery programs execute regular testing across business and technology teams to demonstrate resilience. The CISO regularly reviews the cybersecurity program and strategy with various risk committees, including the ERMC, Management Committee, and the Audit Committee. This ensures risks from cybersecurity threats are properly managed and our enterprise-wide cybersecurity program is aligned with the business needs and defined risk tolerances or risk appetite.
The cybersecurity program includes regular assessments of the effectiveness of the firm's risk mitigation strategies. Assessments include third-party validation to help ensure our internal controls and safeguards adhere to security and compliance standards. We annually undergo external examinations, such as Sarbanes-Oxley examinations relating to financial reporting and SOC 1 and/or SOC 2 examinations for key operational Business Units. In addition, we periodically engage third-party partners to perform an independent evaluation of our cybersecurity program as well as external network penetration testing. This complements our internal assessments, such as application security testing, vulnerability management, and penetration testing. The firm participates in various industry threat intelligence information sharing forums to stay current on evolving cyber risks and threats. The results of these assessments are discussed with and reviewed by the Audit Committee, and shared with the Board, annually.
Within the firm's global Procurement department, governance processes are established, including a formal Supplier Risk Management program overseeing third-party relationships based on documented risk thresholds. The Supplier Risk Management program performs regular assessments, including information security reviews. Ongoing monitoring is performed through our centralized risk function as well as by business line supplier managers to raise new threats or weaknesses associated with a third-party service. In accordance with our Enterprise Incident Management Policy, any third-party cybersecurity incident is reported and evaluated for further review and impact analysis.
We have previously been the target of cybersecurity attacks and expect such attempts to continue, potentially with more frequency or sophistication. Although no cybersecurity incident during the year ended December 31, 2023 resulted in an interruption of our operations or known losses of critical data, or otherwise had a material impact on the firm’s strategy, financial condition or results of operations, the scope and impact of any future incident cannot be predicted. See “Item 1A. Risk Factors–Technology Risks” for more information on how a material cybersecurity incident may impact us.