ALLIANCEBERNSTEIN HOLDING L.P. - (AB)

10-K Filing Date: February 09, 2024
Item 1C. Cybersecurity
Cyber Risk Management and Strategy
We rely on digital technology to conduct our business operations and engage with our clients, business partners and employees. The technology that we, our clients, business partners and employees rely upon becomes more complex over time as do threats to our business operations from cyber intrusions, denial of service attacks, manipulation and other cyber misconduct. Information Security is an ongoing process of exercising the due care necessary to protect corporate, client and employee information and systems from unauthorized access, destruction, disclosure, disruption and modification of use.
Through a combination of security, risk and compliance resources, AB implements Information Security through a dedicated Information Security Program ("ISP") that is intended to identify, assess and manage material risks from cybersecurity threats and which includes a focus on safeguarding information and assets from cyber threats, engaging in cyber threat monitoring and responding to actual or potential cyber incidents. Our ISP is led by our Chief Information Security Officer ("CISO") who actively partners with our Chief Compliance Officer ("CCO") and Chief Risk Officer ("CRO"). Ultimately, our ISP is part of our full enterprise risk framework, which includes information technology, business continuity and resiliency, in addition to cybersecurity risk. Our ISP is coordinated with our broader risk management team, including our Chief Security Officer. Enterprise risk, including cybersecurity risk, is overseen by the Audit and Risk Committee on behalf of the Board.
Our CISO, with assistance from internal and external resources, is responsible for implementing and providing oversight of our ISP. The ISP employs a defense-in-depth strategy: an information assurance concept in which multiple layers of security controls are distributed throughout an operating environment. The concept manages risk with diverse defensive strategies, so that if one layer of defense fails, another layer of defense will attempt to compensate. Our ISP features cybersecurity policies, standards and guidelines, committee governance, training, access controls and data controls. We periodically execute table top exercises as a part of our ISP program.
2023 Annual Report

Part I
Our ISP, together with our risk and compliance resources, proactively manages the risk of threat from cybersecurity incidents through (i) implementing protocols to take cybersecurity considerations into account in adopting and onboarding our technology resources, (ii) monitoring IT controls to better ensure compliance with cybersecurity and other related legal and regulatory requirements, (iii) assessing adherence by critical and material third parties we partner with to ensure that the appropriate risk management standards are met, (iv) ensuring essential business functions remain available during a business disruption, and (v) regularly developing and updating response plans to address potential IT or cyber incidents should they occur. Our security, risk and compliance resources are designed to prioritize IT and cybersecurity risk areas, identify solutions that minimize such risks, pursue optimal outcomes and maintain compliance standards. We also maintain an operational security function that has a real time response capability that triages potential incidents and triggers impact mitigation protocols. Additionally, we utilize third parties to conduct periodic cybersecurity assessments and our internal audit function includes certain cyber risk audits as part of its overall risk audit. We review the recommendations and findings from those assessments and audits and implement corrective and other measures as appropriate. Our cybersecurity processes rely predominantly on internal resources, but also include important third party resources for certain matters, including the aforementioned assessments as well as our continuous cybersecurity threat monitoring and initial incident reporting system.
As part of our ISP, we also perform cyber risk assessments on our critical and material third party vendors during onboarding, then periodically thereafter.
We have not had a cybersecurity incident that has materially affected, or was reasonably likely to materially affect, our business strategy, results of operations or financial condition. There are risks from cybersecurity threats that, if they were to occur, could materially affect our business strategy, results of operations or financial condition, including those discussed in Item 1A Risk Factors - Operations, Technology and Cyber-Related Risks, although we do not currently believe that such a result is reasonably likely.
Cyber Risk Governance
The Audit and Risk Committee is responsible for assisting the Board with oversight of our enterprise risk framework, including cybersecurity, information security, information technology and business continuity and resiliency. Our CISO and other members of senior management including our General Counsel, CCO and CRO report quarterly to the Audit and Risk Committee at its regular meetings on the status of the Company's cybersecurity risk, risk management policies and risk assessment initiatives. The full Board is updated on an as-needed basis. In the event of an immediate cyber threat to our business operations, our ISP would involve our General Counsel, who would promptly notify the Chairperson of the Audit and Risk Committee, as to the nature, timing and extent of the threat and our applicable contingency plans would go into effect. Our CRO, in collaboration with our CISO, is responsible for notifying the Audit and Risk Committee of world events or of other significant external events that may pose cybersecurity threats or material risks to our business continuity.
While our Board provides oversight of our cybersecurity risk environment, the ultimate responsibility for our processes for identifying, assessing and managing cybersecurity risks resides with management. Our CISO, with assistance from internal and external resources, is responsible for implementing and providing oversight of our ISP within the organization and maintaining the appropriate level of expertise to manage and implement cybersecurity policies, programs and strategies. Our CISO has years of applied experience in actively managing cybersecurity and information security programs for large global publicly traded companies with complex and evolving information systems. Management oversight of our ISP is provided by various governance committees including the Operational Risk Oversight Committee, the Information Security Risk Oversight Subcommittee and the Financial Crimes Control Oversight Subcommittee.