CNS AR24 Digital - Book - Page 35
may disagree with certain positions we have taken, which may result in the assessment of additional taxes and could have a
material effect on our financial condition.
Item 1B. Unresolved Staff Comments
The Company has no unresolved SEC staff comments.
Item 1C. Cybersecurity
Risk Management and Strategy
Cybersecurity is a crucial component of our enterprise risk management program. We have implemented and maintain
various information security processes designed to identify, assess and manage material risks from cybersecurity threats to
our critical computer networks, third party hosted services, communications systems, hardware and software and our critical
data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature and
information relating to our clients and investments.
Our cybersecurity risk management function is led by our Cybersecurity Management team which is comprised of our
Chief Information Security Officer (CISO), Chief Technology Officer (CTO), members of our Information Technology (IT)
department, as well as members of our Legal and Compliance Departments. Our Cybersecurity Management team is
primarily responsible for developing, implementing and monitoring our cybersecurity program and reporting on cybersecurity
matters to senior management as well as our board of directors.
Members of our Cybersecurity Management identify and assess risks from cybersecurity threats by monitoring our
threat environment and the Company's enterprise risk profile using various manual and automated tools as well as by: (i)
utilizing shared information about vulnerabilities and exploits from professional security organizations, reports or other
services that identify cybersecurity threats and through the use of external intelligence feeds; (ii) analyzing reports of threats
and actors; (iii) conducting periodic vulnerability scans of the Company's IT environment; (iv) evaluating our and our
industry's risk profile; (v) evaluating threats that are reported to us; (vi) coordinating with law enforcement concerning
threats; (vii) conducting internal and external audits of our information security control environment and operating
effectiveness; and (viii) conducting threat assessments for internal and external threats, including through the use of third
party threat assessments and vulnerability threat assessments.
We implement and maintain various technical, physical and organizational measures, processes, standards and policies
designed to manage and mitigate material risks from cybersecurity threats, including, but not limited to:
• technical and physical safeguards: (i) real-time security information and event monitoring of systems, workstations,
servers and networks, and periodic internal and external vulnerability scans; (ii) asset management tracking and
disposal; (iii) incident detection and response; (iv) data encryption; (v) notification monitoring from Company
personnel and from third parties regarding issues and signs of potential incidents; and (vi) logical access controls
and network security controls; and
• organizational safeguards: (i) incident response plans that address our response to a cybersecurity incident; (ii)
personnel and vendors dedicated to overseeing the Company's cybersecurity program; (iii) periodic mandatory
employee cybersecurity training; (iv) periodic risk assessments and testing of our policies, standards, processes and
practices designed to address cybersecurity threats and incidents; (v) policies and programs such as security
standards, a vendor risk management program, a vulnerability management policy and disaster recovery and
business continuity plans; and (vi) insurance coverage dedicated to losses resulting from cybersecurity incidents.
Cybersecurity risk management is integrated into the Company's overall enterprise risk management (ERM) process.
For example, (i) enterprise risk management-level cybersecurity risks are reviewed at least annually by our information
technology security team; (ii) internal and external penetration tests are performed to identify vulnerabilities and findings are
risk ranked based on potential likelihood and impact; and (iii) members of Cybersecurity Management report on
cybersecurity risk management and related matters to the audit committee of the board of directors, as part of their ongoing
evaluation and oversight of overall enterprise risk pursuant to non-exclusive authority delegated by the board of directors.
We use third-party service providers to assist us in identifying, assessing and monitoring material risks from
cybersecurity threats, including through penetration testing, provision of threat intelligence and continuous monitoring of our
environment. We report key findings to the audit committee of the board of directors and, if appropriate, the board of
directors and adjust our cybersecurity policies, standards, processes and practices as necessary based in part on information
provided by these assessments and engagements.