MARSH & MCLENNAN COMPANIES, INC. - (MMC)

10-K Filing Date: February 12, 2024
Item 1C. Cybersecurity.
As a professional services firm that processes confidential and sensitive information, such as personal information, we treat cybersecurity risk management as an integral part of our enterprise risk management strategy. Our cybersecurity risk management program has been designed based on industry standards, such as the National Institute of Standards and Technology Cybersecurity Framework and ISO/IEC 27001, and provides a framework for assessing cybersecurity risk and identifying and managing cybersecurity threats and incidents, including threats and incidents associated with our use of services, applications and products provided by third-party vendors and service providers.
Our cybersecurity risk management program is coordinated by cross-functional teams, including risk management, legal and compliance, business resiliency management and information security. These teams develop, implement and maintain our compliance policies, programs and training, business resiliency, disaster recovery and information security frameworks, solutions and procedures. They also work closely with our business, internal audit, finance and IT staff to identify, assess and mitigate risks, including those associated with our use of third-party vendors and service providers, and to monitor and take steps designed to prevent security incidents in our technology environment.
Our cybersecurity risk management framework includes (1) procedures designed to assess the data privacy and cybersecurity practices of third-party vendors and service providers (including risk assessments and contractual protections), (2) technical IT controls designed to manage risks associated with cybersecurity incidents (such as multifactor authentication and requirements for VPN or private channel access to our systems), and (3) formal policies and procedures designed to address cybersecurity incidents. Our formal policies and procedures designed to address cybersecurity incidents include steps for verifying and assessing the severity of a cybersecurity incident, identifying the source of a cybersecurity incident (including whether it is associated with a third-party service provider) and implementing cybersecurity countermeasures and mitigation strategies. Additionally, we have procedures for informing senior management and our Board of Directors of potentially material cybersecurity incidents. We also periodically engage third-party security consultants to assess our cybersecurity program and to perform penetration testing on our security environment and controls. In addition, cybersecurity training is provided to all newly hired colleagues and then at least annually for all colleagues. We also conduct regular ongoing cybersecurity awareness campaigns and phishing tests and provide training in response to such tests as appropriate.
Our Board of Directors has overall oversight responsibility for the Company’s risk management and receives updates from management throughout the year on cybersecurity matters and other material risks facing the Company. Additionally, the Audit Committee regularly reviews the Company’s policies and practices with respect to risk assessment and risk management, including cybersecurity risks, and reports to the full Board of Directors on a regular basis. The Audit Committee is responsible for overseeing the Company’s enterprise risk management policies and processes, including discussing with management the Company’s major risk exposures and the steps that have been taken to monitor and control such exposures, including those arising from cybersecurity risks.
Management is responsible for identifying, assessing and managing material cybersecurity risks on an ongoing basis. Management’s efforts include establishing processes designed to ensure that potential cybersecurity risks are monitored, putting in place mitigation and remedial measures and implementing and maintaining cybersecurity programs. Our cybersecurity programs are under the direction of our Chief Information Security Officer (CISO), who reports to our Chief Information Officer (CIO). Our CIO has significant expertise and over a decade of experience working in technology. Our CISO has over twenty years of experience working in cybersecurity and maintains a Certified Information Systems Security Professional certification. Our CISO and CIO receive reports from our cybersecurity team and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our cybersecurity team comprises experienced information systems security professionals and information security managers with many years of experience and various security certifications.
Management, including the CIO and CISO, regularly reviews with the Board of Directors and the Audit Committee the Company’s cybersecurity programs, material cybersecurity risks and mitigation strategies and provides updates on notable developments in the cybersecurity threat landscape. Additionally, management follows a risk-based escalation process to notify the Audit Committee outside of the cycle of regular updates when an emerging risk or material issue is identified, such as a potentially significant cybersecurity threat or incident.
In 2023, we did not identify any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company, including with respect to our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents, or provide assurances that we have not experienced an undetected cybersecurity threat or incident. For more information about these risks, please see “Risk Factors – Cybersecurity, Data Protection and Technology Risks” in this annual report on Form 10-K.