Cboe Global Markets, Inc. - (CBOE)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity

We maintain policies, procedures and controls designed to safeguard against cybersecurity incidents by protecting the confidentiality, integrity, availability and reliability of our systems, networks and information. These policies, procedures and controls are subject to monitoring, auditing, and evaluation practices, pursuant to our Enterprise Risk Management program, which is supported by a three-line defense strategy that includes the business lines, the Enterprise Risk Management Committee, the Risk Management and Information Security Department, the Compliance Department and the Internal Audit Department. Further, we have developed and conduct at least annually cybersecurity and data privacy training programs for our employees and our third-party consultants who have access to our systems. At least annually, we also conduct simulations, tabletop exercises, independent third-party cybersecurity penetration assessments, and response readiness tests. In addition, the information technology systems of our self-regulatory organizations are subject to periodic reviews, audits, and inspections by regulatory authorities. We also conduct diligence on cybersecurity practices in connection with our overall risk assessment when evaluating expansion into new regions, strategic opportunities, and new products.

We engage assessors, consultants, auditors and other third parties in connection with developing and evaluating our overall risk management framework. Additionally, our internal audit team periodically engages third parties to co-source internal audits of our information security processes. We strive to utilize best practices in our information security management and follow applicable industry standards.

In support of our risk management framework, we maintain a vendor management policy and program to manage third-party risk. Embedded in our vendor management policy is a defined process to assess the risks related to new vendors. Vendors deemed to be high risk are re-assessed annually. These assessments include security questionnaires and reviews of Service Organization Controls (SOC) Reports, where applicable. Cboe uses a third-party service to help monitor the security posture of our vendors that process and/or store confidential Cboe information.

We have committees, response and management teams, and dedicated positions for managing and assessing cybersecurity risk, including a Chief Information Security Officer, a Chief Risk Officer, an Enterprise Risk Management Committee and a dedicated internal information security team. Our Chief Information Security Officer and Chief Risk Officer have extensive experience in the industry. Our Chief Information Security Officer has over 20 years of experience leading information security programs including 12 years of experience in cybersecurity consulting, building efficient and sustainable cybersecurity programs for large, complex and heavily regulated global enterprises. Our Chief Information Security Officer is currently responsible for developing and executing the Company’s global security strategy and roadmap along with its long-range plan to meet industry and regional regulatory compliance requirements. We have an information security department with associates who are located around the globe. Our Chief Risk Officer’s tenure with Cboe spans 23 years, during which time he has held senior positions in information security and risk management. He is currently responsible for oversight of the Company’s risk function including the enterprise risk management, information security, privacy, vendor management, and IT asset management programs.

Our incident response team is responsible for identifying potential cybersecurity incidents and communicating information regarding the nature and severity of the incident to senior management and others as required by the Company’s written Incident Response Plan. Cybersecurity incidents are tracked pursuant to our incident monitoring processes defined within the Incident Response Plan. Potential cybersecurity incidents may also be reported to our Disclosure Committee to determine if further action and/or public disclosure is required. We have also put in place a vulnerability management program through which our systems are routinely scanned to help identify vulnerabilities and track remediation activities.

The Board recognizes that our business depends on the confidentiality, integrity, availability, performance, security, and reliability of our data and technology systems and devotes time and attention to the oversight of cybersecurity and information security risk. In particular, the Board’s Risk Committee receives recurring updates and reports on information security-related topics from senior management, including from the Company’s Chief Compliance Officer, Chief Risk Officer, and Chief Information Security Officer. More specifically, the Risk Committee receives recurring presentations from senior management on cybersecurity, including architecture and resiliency, incident management, business continuity and disaster recovery, significant information technology changes, data privacy, insider threats, physical security, information related to third-party cyber assessments and risks associated with the use of third-party service providers. The Risk Committee also reviews and approves any changes to the related information security and privacy program charter. Further, summaries of the proceedings from prior Risk Committee meetings are provided to the Board on a routine basis.

We have experienced in the past, and we expect to continue to experience, cybersecurity threats and events of varying degrees. However, we are not aware of any of these threats or events having a material impact on our business or our business strategy, results of operations or financial condition results to date. We cannot assure you that we will not experience future threats or events that may be material. Please also refer to the risk factors above for additional information.
