MSCI Inc. - (MSCI)

10-K Filing Date: February 09, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy
We recognize the importance of identifying, assessing and managing material risks associated with cybersecurity threats. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; violation of data privacy or cybersecurity laws and other litigation; legal and regulatory risk; and reputational risks. We have an enterprise-wide information security program designed to secure our technology infrastructure, networks, data, products and services, and we have implemented several processes, technologies and controls to aid in our efforts to identify, assess and manage related risks. Our Chief Information Security Officer (“CISO”) manages this program, in collaboration with our business and corporate teams.
To identify and assess material risks from cybersecurity threats, our enterprise risk management (“ERM”) program considers cybersecurity risks alongside other company risks as part of a quarterly and ongoing process designed to identify, assess and manage risk exposures over the short-, intermediate- and long-term. In addition, our management-level Information and Technology Risk Oversight Committee (“ITROC”), led by our CISO, and including senior leaders such as our President and COO, CFO and General Counsel, among others, provides oversight relating to cybersecurity and technology-related risks that may present significant impacts to our operations, clients, reputation and financial position, and the considerations of the ITROC are fully incorporated into our overall ERM framework. Our CISO is also a member of the Company’s Disclosure Committee and reports to the Disclosure Committee on a quarterly basis on any major cybersecurity incidents.
We also have cybersecurity-specific policies, standards and procedures, and our cybersecurity program has been developed based on industry standards, including the U.S. National Institute of Standards and Technology (“NIST”) cybersecurity framework and International Organization for Standardization (“ISO”) information security standards. Our information security management system has achieved ISO 27001 certification. To provide for the resilience of critical data and systems, to maintain regulatory compliance, to manage our material risks from cybersecurity threats, and to protect against, detect and respond to cybersecurity incidents, we regularly undertake the activities listed below:
24x7x365 security operations monitoring of our systems, networks and services to detect and act on weaknesses and potential intrusions;
Regular internal and external security audits and penetration tests by third-party security vendors;
Testing of new products and services to identify potential security vulnerabilities before release;
Regular network and endpoint monitoring;
Periodic red- and purple-team assessments from third-party service providers;
Business resiliency planning with disaster recovery and business continuity testing;
Role-based access controls to identify, authenticate and authorize individuals to access systems based on their job responsibilities;
Protection, including encryption, for the secure communication of sensitive data;
Monitoring of emerging data protection laws and implementation of changes to our processes designed to comply therewith;
Regular review of policies and standards related to cybersecurity;
At least annual security awareness training and testing of our employees;
Regular review of critical third-party security practices;
Tabletop exercises to simulate a response to a cybersecurity incident and to use the findings to improve our processes and technologies;
A cross-functional approach to addressing cybersecurity risk, with participation from Technology, Risk, Legal, Compliance, Privacy and Internal Audit functions; and
Cybersecurity risk insurance to provide protection against potential losses arising from a cybersecurity incident.
Our IT risk program also includes an incident response plan that provides procedures for how we detect, respond to and recover from cybersecurity incidents, which include processes designed to triage, assess severity, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
As part of the above processes, we regularly engage with assessors, consultants, auditors and other third parties, including by annually having a third party review our cybersecurity program to help identify areas for continued focus, improvement and compliance.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our client or employee data or our systems. Cybersecurity considerations affect the selection and oversight of our third-party service providers. Although we perform diligence on third parties that have access to our systems, networks, data or facilities that house such systems, networks or data, and we monitor cybersecurity threat risks identified through such diligence, there can be no assurance that we can prevent or mitigate the risk of any compromise or failure in the information systems, software, networks and other assets owned or controlled by third parties. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.
In the last three fiscal years we have not identified any material cybersecurity incidents and have not identified any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition, and the expenses we have incurred from any cybersecurity incidents over the last three fiscal years were immaterial. Furthermore, we have not been penalized or paid any amount under an information security breach settlement in the last three fiscal years. There can be no guarantee that we will not experience such an incident or incur such expenses in the future. For more information on our cybersecurity risks, see “Technology Risks” included as part of our risk factor disclosures in Item 1A of this Annual Report on Form 10-K.
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board of Directors (“Board”) and management.
The Audit and Risk Committee (the “Audit Committee”) of our Board is responsible for the oversight of risks from cybersecurity threats. On a quarterly basis, our CISO updates the Audit Committee on the Company’s IT risk program, including an overview of risks and trends, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and cybersecurity threat developments, as well as the steps management has taken to respond to these topics. This quarterly update is also made available to the full Board, and the Chair of the Audit Committee informs the Board of any key updates during quarterly reports to the Board. Members of the Board are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related events and to discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity risks are also considered during Board and Committee discussions of important matters such as enterprise risk management, operational and strategic planning, business continuity planning, mergers and acquisitions, reputation management and other relevant matters. The Board also conducts an annual education session on cybersecurity trends and risks.
Our cybersecurity risk management processes, which are discussed in greater detail above, are led by our CISO, who has over 20 years of work experience relating to cybersecurity, including at major financial institutions and consulting firms, involving the management of information security and the development of cybersecurity strategy, as well as relevant degrees and certifications, including holding a Bachelor of Science degree in Electrical and Computer Engineering. Our CISO oversees a team of approximately 50 professionals charged with the ongoing management of our cybersecurity risk and strategy. These employees are informed about, and monitor the prevention, mitigation, detection, and remediation of, cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our ITROC, incident response plan and other processes. Our cybersecurity team includes managers who have expertise in cybersecurity, as demonstrated by prior work experience, possession of a cybersecurity certification or degree, or other cybersecurity experience. As detailed above, these members of management and management-level committees report to the Audit Committee about cybersecurity threat risks, among other cybersecurity-related matters, at least quarterly.