|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Risk Management and Strategy
Nasdaq’s brand and role as a critical infrastructure provider
for global financial markets, the operator of The Nasdaq
Stock Market and exchanges, central securities depositories
and a clearinghouse in Europe, and the provider of
information and technology services to banks, international
market operators and exchanges, publicly-traded companies
and other high-profile customers make us an attractive target
for cybersecurity threat actors and attacks. These include
adversarial nations and state-sponsored actors, hacktivists
and ransomware deployers or other financially motivated
criminals. Impacts of a cybersecurity incident may include:
financial and reputational damage, resulting from the loss of
customer confidence in our company, exchange, products or
offerings; potential regulatory enforcement actions; or
litigation, either from governmental authorities, shareholders,
or other litigants, including customers asserting our failure to
comply with contractual obligations. To date, no risks from
cybersecurity threats, including as a result of any previous
cybersecurity incidents, have materially affected or are
reasonably likely to materially affect our business, our
business strategy, our results of operations or financial
condition. For further information, see “Our role in the global
marketplace positions us at greater risk for a cyberattack” and
“Expanded cybersecurity regulations, and increased
cybersecurity infrastructure and compliance costs, may
adversely impact our results of operations” in “Item 1A, Risk
Factors” of this Annual Report on Form 10-K.
Our risk management and mitigation approach includes the
adoption of NIST CSF and NIST 800-53 security control
frameworks and adaptive ongoing threat analysis. In addition,
our Information Security, or InfoSec, team reviews and
conducts a risk assessment of any novel technologies Nasdaq
plans to implement. Our policies and our baseline security
controls incorporate a security infrastructure with multi-
layered defense systems. We have 18 System and
Organization Controls Type 2, or SOC 2, certifications with
respect to our information security and infrastructure. Our
adaptive analysis monitors the threat landscape relevant to
Nasdaq, our vendors and financial industry peers, and threats
arising from geopolitical events. As the external threat
landscape evolves, our information security controls are
regularly evaluated, updated and enhanced to help protect
against emerging risks. Additionally, we conduct extensive
cybersecurity assessments of our acquired entities, both prior
to acquisition and following completion of the transaction, to
understand potential threats and mitigate risks from any
potential deviations between the acquired company’s
practices and Nasdaq’s standards, until we can align the
acquired company’s security infrastructure and access
management practices and policies with ours.
We periodically engage external advisors to perform an
independent assessment of the maturity of Nasdaq’s
information security programs, and compare our programs to
our financial and technology industry peers. Nasdaq’s
InfoSec program has demonstrated increasing levels of
maturity year-over-year for every assessed program
component. Recommendations to further enhance our
procedures and maturity ratings from these assessments are
then presented to our executive management team and the
Audit & Risk Committee.
On a periodic basis, our management team and the Board of
Directors conduct tabletop exercises and simulations on
cybersecurity matters, with assistance from internal and
outside experts. These exercises are intended to strengthen
resilience and readiness to address different cybersecurity
incident scenarios.
We use certain cloud-based third-party vendors for the core
trading systems of certain of our exchanges and certain of our
governance products and solutions. Prior to engaging such
vendors, we analyze each provider’s SOC2 certifications,
perform due diligence testing for information security and
interoperability with our systems, and annually review the
SOC2 certifications. Our security assurance and threat
assessment team, within our Information Security
organization, collaborates with our external threat
intelligence providers to proactively review Nasdaq, and our
vendors with respect to emerging threats and associated risks.
For our third-party service providers, our risk assessment
process evaluates the probability and potential impact of
incidents related to operational errors, technology
disruptions, information security breaches, workforce issues,
internal and external fraud, financial actions, and legal and
regulatory matters. This assessment process is part of our
Supplier Risk Management program, which establishes
processes for identifying, assessing, and periodicallyreviewing our exposure to risk through third party vendors.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Cybersecurity is an integral part of risk management at
Nasdaq. The Board of Directors appreciates the rapidly
evolving nature of threats presented by cybersecurity
incidents and is committed to the prevention, timely
detection, and mitigation of the effect any such incidents may
have on us. Our Global Risk Management Committee, which
includes our Chair and CEO and other senior executives,
assists the Board of Directors in its cybersecurity risk
oversight role.
We use a cross-departmental approach to assess and manage
cybersecurity risk, with our Information Security; Legal, Risk
and Regulatory; and Internal Audit functions presenting on
key topics to the Audit & Risk Committee, which provides
oversight of our cybersecurity risk. Additionally, members
from these organizations, along with Finance and
Accounting, Global Technology and Corporate
Communications, comprise a rapid response team that would
mobilize in the event of a potentially significant
cybersecurity incident and would analyze and evaluate theincident while also advising the executive management team.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Governance
Cybersecurity is an integral part of risk management at
Nasdaq. The Board of Directors appreciates the rapidly
evolving nature of threats presented by cybersecurity
incidents and is committed to the prevention, timely
detection, and mitigation of the effect any such incidents may
have on us. Our Global Risk Management Committee, which
includes our Chair and CEO and other senior executives,
assists the Board of Directors in its cybersecurity risk
oversight role.
We use a cross-departmental approach to assess and manage
cybersecurity risk, with our Information Security; Legal, Risk
and Regulatory; and Internal Audit functions presenting on
key topics to the Audit & Risk Committee, which provides
oversight of our cybersecurity risk. Additionally, members
from these organizations, along with Finance and
Accounting, Global Technology and Corporate
Communications, comprise a rapid response team that would
mobilize in the event of a potentially significant
cybersecurity incident and would analyze and evaluate the
incident while also advising the executive management team.
Our Audit & Risk Committee receives quarterly or, if
needed, more frequent reports on cybersecurity and
information security matters from our Chief Information
Security Officer, or CISO, and his team. The CISO has more
than 25 years of experience in information technology and
information security, particularly in the financial services
industry, and our InfoSec organization has seasoned
members with expertise in application security; governance
and compliance; program and vulnerability management;
security engineering; security operations security assurance;
and threat intelligence and security architecture.
This regular reporting to the Audit & Risk Committee also
includes a cybersecurity dashboard that contains information
on cybersecurity governance processes, and from time to
time, also includes the status of projects to strengthen internal
cybersecurity, ongoing prevention and mitigation efforts,
security features of the products and services we provide our
customers, or the results of security events during the period.
The Audit & Risk Committee also reviews and discusses
recent cyber incidents affecting the industry and the emerging
threat landscape.
Cybersecurity is a shared responsibility, and our goal is for
all employees to be vigilant in helping to protect our
organization and themselves, at all times. We routinely
perform simulations and tabletop exercises, and incorporate
external resources and advisors as needed, to help strengthen
our cybersecurity protection and information security
procedures and safeguards. All employees are required to
complete annual cybersecurity awareness training and have
access to continuous cybersecurity educational opportunities
throughout the year. All employees also have access to
Nasdaq’s Information Security Hotline, which is staffed on a
24/7 basis to respond to any potential incident; we have a
strict non-retaliation policy that applies to any reporting of
concerns related to our business. Nasdaq also maintains a
cybersecurity and information security risk insurance policy,
and our Nasdaq Information Security Management System
conforms to ISO 27001 requirements and is ISO 27001
certified.
On an annual basis, the Information Security team reviews
and updates its governance documents, including the
Information Security Charter, the Information Security
Policy, and the Information Security Program Plan, and then
presents the revised documents to the Global Risk
Management Committee and Audit & Risk Committee for
review and/or approval. Additionally, the Information
Security team maintains a formal cybersecurity strategic
three-year plan, which outlines the strategic vision and
associated goals for the cybersecurity of our global
operations. The plan is regularly updated with new initiatives
that align with technology innovations and changes in the
threat landscape, and is reviewed and approved by the CISO
and the Audit & Risk Committee. Throughout the three-year
plan term, the CISO regularly provides management with
progress reports.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Cybersecurity is an integral part of risk management at
Nasdaq. The Board of Directors appreciates the rapidly
evolving nature of threats presented by cybersecurity
incidents and is committed to the prevention, timely
detection, and mitigation of the effect any such incidents may
have on us. Our Global Risk Management Committee, which
includes our Chair and CEO and other senior executives,
assists the Board of Directors in its cybersecurity risk
oversight role.
We use a cross-departmental approach to assess and manage
cybersecurity risk, with our Information Security; Legal, Risk
and Regulatory; and Internal Audit functions presenting on
key topics to the Audit & Risk Committee, which provides
oversight of our cybersecurity risk. Additionally, members
from these organizations, along with Finance and
Accounting, Global Technology and Corporate
Communications, comprise a rapid response team that would
mobilize in the event of a potentially significant
cybersecurity incident and would analyze and evaluate theincident while also advising the executive management team.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Audit & Risk Committee receives quarterly or, if
needed, more frequent reports on cybersecurity and
information security matters from our Chief Information
Security Officer, or CISO, and his team. The CISO has more
than 25 years of experience in information technology and
information security, particularly in the financial services
industry, and our InfoSec organization has seasoned
members with expertise in application security; governance
and compliance; program and vulnerability management;
security engineering; security operations security assurance;
and threat intelligence and security architecture.
This regular reporting to the Audit & Risk Committee also
includes a cybersecurity dashboard that contains information
on cybersecurity governance processes, and from time to
time, also includes the status of projects to strengthen internal
cybersecurity, ongoing prevention and mitigation efforts,
security features of the products and services we provide our
customers, or the results of security events during the period.
The Audit & Risk Committee also reviews and discusses
recent cyber incidents affecting the industry and the emergingthreat landscape.
|Cybersecurity Risk Role of Management [Text Block]
|We use a cross-departmental approach to assess and manage
cybersecurity risk, with our Information Security; Legal, Risk
and Regulatory; and Internal Audit functions presenting on
key topics to the Audit & Risk Committee, which provides
oversight of our cybersecurity risk. Additionally, members
from these organizations, along with Finance and
Accounting, Global Technology and Corporate
Communications, comprise a rapid response team that would
mobilize in the event of a potentially significant
cybersecurity incident and would analyze and evaluate the
incident while also advising the executive management team.
Our Audit & Risk Committee receives quarterly or, if
needed, more frequent reports on cybersecurity and
information security matters from our Chief Information
Security Officer, or CISO, and his team. The CISO has more
than 25 years of experience in information technology and
information security, particularly in the financial services
industry, and our InfoSec organization has seasoned
members with expertise in application security; governance
and compliance; program and vulnerability management;
security engineering; security operations security assurance;
and threat intelligence and security architecture.
This regular reporting to the Audit & Risk Committee also
includes a cybersecurity dashboard that contains information
on cybersecurity governance processes, and from time to
time, also includes the status of projects to strengthen internal
cybersecurity, ongoing prevention and mitigation efforts,
security features of the products and services we provide our
customers, or the results of security events during the period.
The Audit & Risk Committee also reviews and discusses
recent cyber incidents affecting the industry and the emerging
threat landscape.
Cybersecurity is a shared responsibility, and our goal is for
all employees to be vigilant in helping to protect our
organization and themselves, at all times. We routinely
perform simulations and tabletop exercises, and incorporate
external resources and advisors as needed, to help strengthen
our cybersecurity protection and information security
procedures and safeguards. All employees are required to
complete annual cybersecurity awareness training and have
access to continuous cybersecurity educational opportunities
throughout the year. All employees also have access to
Nasdaq’s Information Security Hotline, which is staffed on a
24/7 basis to respond to any potential incident; we have a
strict non-retaliation policy that applies to any reporting of
concerns related to our business. Nasdaq also maintains a
cybersecurity and information security risk insurance policy,
and our Nasdaq Information Security Management System
conforms to ISO 27001 requirements and is ISO 27001
certified.
On an annual basis, the Information Security team reviews
and updates its governance documents, including the
Information Security Charter, the Information Security
Policy, and the Information Security Program Plan, and then
presents the revised documents to the Global Risk
Management Committee and Audit & Risk Committee for
review and/or approval. Additionally, the Information
Security team maintains a formal cybersecurity strategic
three-year plan, which outlines the strategic vision and
associated goals for the cybersecurity of our global
operations. The plan is regularly updated with new initiatives
that align with technology innovations and changes in the
threat landscape, and is reviewed and approved by the CISO
and the Audit & Risk Committee. Throughout the three-year
plan term, the CISO regularly provides management with
progress reports.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Audit & Risk Committee receives quarterly or, if
needed, more frequent reports on cybersecurity and
information security matters from our Chief Information
Security Officer, or CISO, and his team. The CISO has more
than 25 years of experience in information technology and
information security, particularly in the financial services
industry, and our InfoSec organization has seasoned
members with expertise in application security; governance
and compliance; program and vulnerability management;
security engineering; security operations security assurance;
and threat intelligence and security architecture.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO has more
than 25 years of experience in information technology and
information security, particularly in the financial services
industry, and our InfoSec organization has seasoned
members with expertise in application security; governance
and compliance; program and vulnerability management;
security engineering; security operations security assurance;
and threat intelligence and security architecture.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our Audit & Risk Committee receives quarterly or, if
needed, more frequent reports on cybersecurity and
information security matters from our Chief Information
Security Officer, or CISO, and his team. The CISO has more
than 25 years of experience in information technology and
information security, particularly in the financial services
industry, and our InfoSec organization has seasoned
members with expertise in application security; governance
and compliance; program and vulnerability management;
security engineering; security operations security assurance;
and threat intelligence and security architecture.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef