|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
Nasdaq’s brand and role as a critical infrastructure provider for global financial markets, and operator of The Nasdaq Stock Market, make us an attractive target for cybersecurity risks, including from international political opponents, hacktivists and ransomware or other financially motivated criminals targeting the financial sector. Our cybersecurity risks include financial and reputational damage, along with collateral damage from loss of customer confidence in our exchange, products or offerings, as applicable, potential regulatory enforcement actions or litigation, either from governmental authorities, shareholders, or other litigants, or the failure to comply with contractual breach notifications. To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our business, our business strategy, our results of operations or financial condition. For further information, see “Our role in the global marketplace positions us at greater risk for a cyberattack” and “Expanded cybersecurity regulations, and increased cybersecurity infrastructure and compliance costs, may adversely impact our results of operations” in “Item 1A, Risk Factors” of this Annual Report on Form 10-K.
Our risk management and mitigation approach includes the adoption of NIST CSF and NIST 800-53 security control frameworks and adaptive ongoing threat analysis. In addition, our Information Security, or InfoSec, team reviews and conducts a risk assessment of any novel technologies Nasdaq plans to implement. Our policies and our baseline security controls incorporate robust security infrastructure with multi-layered defense systems. We have 17 System and Organization Controls Type 2, or SOC 2, certifications with respect to our information security and infrastructure. Our adaptive analysis monitors the threat landscape relevant to Nasdaq, our vendors and financial industry peers, and threats arising from geopolitical events. As the external threat landscape evolves, our information security controls are regularly evaluated, updated and enhanced to help protect against emerging risks. Additionally, we conduct extensive cybersecurity assessments of our acquired entities, both prior to acquisition and following completion of the transaction, to understand potential threats and mitigate any potential security gaps, as well as to ensure compliance with our security infrastructure and access management practices and policies.
We periodically engage external advisors to perform an independent assessment of the maturity of Nasdaq’s information security programs, and compare our programs to our financial and technology industry peers. Nasdaq’s InfoSec program has demonstrated increasing levels of maturity year-over-year for every InfoSec department.
Recommendations to further enhance our procedures and maturity ratings from these assessments are then presented to the Audit & Risk Committee.
On a periodic basis, our management team and the Board of Directors conduct tabletop exercises and simulations in cybersecurity matters with assistance from internal and outside experts. These exercises are intended to strengthen resilience and readiness with scenarios, including cybersecurity matters.
We use certain cloud-based third-party vendors for the core trading systems of certain of our exchanges and certain of our governance products and solutions. Prior to engaging such vendors, we analyze each provider’s SOC2 certifications, perform due diligence testing for information security and interoperability with our systems, and annually review the SOC2 certifications. Our security assurance and threat assessment team, within our Information Security organization, collaborates with our external threat intelligence providers to proactively review Nasdaq, and our vendors with respect to emerging threats and associated risks. For our third-party service providers, our risk assessment process evaluates the probability and potential impact of incidents related to operational errors, technology disruptions, information security breaches, workforce issues, internal and external fraud, financial actions, and legal and regulatory matters. This assessment process is part of our Supplier Risk Management program, which establishes processes for identifying, assessing, and periodically reviewing our exposure to risk through third party vendors.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Cybersecurity is an integral part of risk management at Nasdaq. The Board of Directors appreciates the rapidly evolving nature of threats presented by cybersecurity incidents and is committed to the prevention, timely detection, and mitigation of the effect any such incidents may have on us. We use a cross-departmental approach to assess and manage cybersecurity risk, with our Information Security; Legal, Risk and Regulatory; and Internal Audit functions presenting on key topics to the Audit & Risk Committee, which provides oversight of our cybersecurity risk. Additionally, members from these organizations, along with Finance and Accounting, comprise a rapid response team that would mobilize in the event of a significant cybersecurity incident and would analyze and evaluate the incident while also advising the executive management team. Our Global Risk Management Committee, which includes our Chair and CEO and other senior executives, assists the Board of Directors in its cybersecurity risk oversight role.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
Cybersecurity is an integral part of risk management at Nasdaq. The Board of Directors appreciates the rapidly evolving nature of threats presented by cybersecurity incidents and is committed to the prevention, timely detection, and mitigation of the effect any such incidents may have on us. We use a cross-departmental approach to assess and manage cybersecurity risk, with our Information Security; Legal, Risk and Regulatory; and Internal Audit functions presenting on key topics to the Audit & Risk Committee, which provides oversight of our cybersecurity risk. Additionally, members from these organizations, along with Finance and Accounting, comprise a rapid response team that would mobilize in the event of a significant cybersecurity incident and would analyze and evaluate the incident while also advising the executive management team. Our Global Risk Management Committee, which includes our Chair and CEO and other senior executives, assists the Board of Directors in its cybersecurity risk oversight role.
Our Audit & Risk Committee receives quarterly or, if needed, more frequent reports on cybersecurity and information security matters from our Chief Information Security Officer, or CISO, and his team. The CISO has more than 25 years of experience in information technology and information security, particularly in the financial services industry, and our InfoSec organization has seasoned members with expertise in application security; governance and compliance; program and vulnerability management; security engineering; security operations security assurance; and threat intelligence and security architecture.
This regular reporting to the Audit & Risk Committee also includes a cybersecurity dashboard that contains information on cybersecurity governance processes, and from time to time, also includes the status of projects to strengthen internal cybersecurity, ongoing prevention and mitigation efforts, security features of the products and services we provide our customers, or the results of security events during the period. The Audit & Risk Committee also reviews and discusses recent cyber incidents affecting the industry and the emerging threat landscape.
Cybersecurity is a shared responsibility, and our goal is for all employees to be vigilant in helping to protect our organization and themselves, at all times. We routinely perform simulations and tabletop exercises, and incorporate external resources and advisors as needed, to help strengthen our cybersecurity protection and information security procedures and safeguards. All employees are required to complete annual cybersecurity awareness training and have access to continuous cybersecurity educational opportunities throughout the year. Nasdaq also maintains a cybersecurity and information security risk insurance policy, and our Nasdaq Information Security Management System conforms to ISO 27001 requirements and is ISO 27001 certified.
On an annual basis, the Information Security team reviews and updates its governance documents, including the Information Security Charter, the Information Security Policy, and the Information Security Program Plan, and then presents the revised documents to the Audit & Risk Committee for review and/or approval. Additionally, the Information Security team maintains a formal cybersecurity strategic three-year plan, which outlines the strategic vision and associated goals for the cybersecurity of our global operations. The plan is regularly updated with new initiatives that align with technology innovations and changes in the threat landscape, and is reviewed and approved by the CISO and the Audit & Risk Committee. Throughout the three-year plan term, the CISO regularly provides management with progress reports.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Cybersecurity is an integral part of risk management at Nasdaq. The Board of Directors appreciates the rapidly evolving nature of threats presented by cybersecurity incidents and is committed to the prevention, timely detection, and mitigation of the effect any such incidents may have on us. We use a cross-departmental approach to assess and manage cybersecurity risk, with our Information Security; Legal, Risk and Regulatory; and Internal Audit functions presenting on key topics to the Audit & Risk Committee, which provides oversight of our cybersecurity risk. Additionally, members from these organizations, along with Finance and Accounting, comprise a rapid response team that would mobilize in the event of a significant cybersecurity incident and would analyze and evaluate the incident while also advising the executive management team. Our Global Risk Management Committee, which includes our Chair and CEO and other senior executives, assists the Board of Directors in its cybersecurity risk oversight role.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Audit & Risk Committee receives quarterly or, if needed, more frequent reports on cybersecurity and information security matters from our Chief Information Security Officer, or CISO, and his team. The CISO has more than 25 years of experience in information technology and information security, particularly in the financial services industry, and our InfoSec organization has seasoned members with expertise in application security; governance and compliance; program and vulnerability management; security engineering; security operations security assurance; and threat intelligence and security architecture.
This regular reporting to the Audit & Risk Committee also includes a cybersecurity dashboard that contains information on cybersecurity governance processes, and from time to time, also includes the status of projects to strengthen internal cybersecurity, ongoing prevention and mitigation efforts, security features of the products and services we provide our customers, or the results of security events during the period. The Audit & Risk Committee also reviews and discusses recent cyber incidents affecting the industry and the emerging threat landscape.
|Cybersecurity Risk Role of Management [Text Block]
|We use a cross-departmental approach to assess and manage cybersecurity risk, with our Information Security; Legal, Risk and Regulatory; and Internal Audit functions presenting on key topics to the Audit & Risk Committee, which provides oversight of our cybersecurity risk. Additionally, members from these organizations, along with Finance and Accounting, comprise a rapid response team that would mobilize in the event of a significant cybersecurity incident and would analyze and evaluate the incident while also advising the executive management team. Our Global Risk Management Committee, which includes our Chair and CEO and other senior executives, assists the Board of Directors in its cybersecurity risk oversight role.
Our Audit & Risk Committee receives quarterly or, if needed, more frequent reports on cybersecurity and information security matters from our Chief Information Security Officer, or CISO, and his team. The CISO has more than 25 years of experience in information technology and information security, particularly in the financial services industry, and our InfoSec organization has seasoned members with expertise in application security; governance and compliance; program and vulnerability management; security engineering; security operations security assurance; and threat intelligence and security architecture.
This regular reporting to the Audit & Risk Committee also includes a cybersecurity dashboard that contains information on cybersecurity governance processes, and from time to time, also includes the status of projects to strengthen internal cybersecurity, ongoing prevention and mitigation efforts, security features of the products and services we provide our customers, or the results of security events during the period. The Audit & Risk Committee also reviews and discusses recent cyber incidents affecting the industry and the emerging threat landscape.
Cybersecurity is a shared responsibility, and our goal is for all employees to be vigilant in helping to protect our organization and themselves, at all times. We routinely perform simulations and tabletop exercises, and incorporate external resources and advisors as needed, to help strengthen our cybersecurity protection and information security procedures and safeguards. All employees are required to complete annual cybersecurity awareness training and have access to continuous cybersecurity educational opportunities throughout the year. Nasdaq also maintains a cybersecurity and information security risk insurance policy, and our Nasdaq Information Security Management System conforms to ISO 27001 requirements and is ISO 27001 certified.
On an annual basis, the Information Security team reviews and updates its governance documents, including the Information Security Charter, the Information Security Policy, and the Information Security Program Plan, and then presents the revised documents to the Audit & Risk Committee for review and/or approval. Additionally, the Information Security team maintains a formal cybersecurity strategic three-year plan, which outlines the strategic vision and associated goals for the cybersecurity of our global operations. The plan is regularly updated with new initiatives that align with technology innovations and changes in the threat landscape, and is reviewed and approved by the CISO and the Audit & Risk Committee. Throughout the three-year plan term, the CISO regularly provides management with progress reports.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Global Risk Management Committee, which includes our Chair and CEO and other senior executives, assists the Board of Directors in its cybersecurity risk oversight role.
Our Audit & Risk Committee receives quarterly or, if needed, more frequent reports on cybersecurity and information security matters from our Chief Information Security Officer, or CISO, and his team. The CISO has more than 25 years of experience in information technology and information security, particularly in the financial services industry, and our InfoSec organization has seasoned members with expertise in application security; governance and compliance; program and vulnerability management; security engineering; security operations security assurance; and threat intelligence and security architecture.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO has more than 25 years of experience in information technology and information security, particularly in the financial services industry, and our InfoSec organization has seasoned members with expertise in application security; governance and compliance; program and vulnerability management; security engineering; security operations security assurance; and threat intelligence and security architecture.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our Audit & Risk Committee receives quarterly or, if needed, more frequent reports on cybersecurity and information security matters from our Chief Information Security Officer, or CISO, and his team. The CISO has more than 25 years of experience in information technology and information security, particularly in the financial services industry, and our InfoSec organization has seasoned members with expertise in application security; governance and compliance; program and vulnerability management; security engineering; security operations security assurance; and threat intelligence and security architecture.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true