|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We maintain policies, procedures and controls designed to safeguard against cybersecurity incidents by protecting the confidentiality, integrity, availability and reliability of our systems, networks and information. These policies, procedures and controls are subject to monitoring, auditing, and evaluation practices, pursuant to our Enterprise Risk Management program, which is supported by a three-line defense strategy that includes the business lines, the Enterprise Risk Management Committee, the Risk Management and Information Security Department, the Compliance Department and the Internal Audit Department. Further, we have developed and conduct at least annually cybersecurity and data privacy training programs for our employees and our third-party consultants who have access to our systems. At least annually, we also conduct simulations, tabletop exercises, independent third-party cybersecurity penetration assessments, and response readiness tests. In addition, the information technology systems of our self-regulatory organizations are subject to periodic reviews, audits, and inspections by regulatory authorities. We also conduct diligence on cybersecurity practices in connection with our overall risk assessment when evaluating expansion into new regions, strategic opportunities, and new products.
We engage assessors, consultants, auditors and other third parties in connection with developing and evaluating our overall risk management framework. Additionally, our internal audit team periodically engages third parties to co-source internal audits of our information security processes. We strive to utilize best practices in our information security management and follow applicable industry standards.
In support of our risk management framework, we maintain a vendor management policy and program to manage third-party risk. Embedded in our vendor management policy is a defined process to assess the risks related to new vendors. Vendors deemed to be high risk are re-assessed annually. These assessments include security questionnaires and reviews of Service Organization Controls (SOC) Reports, where applicable. Cboe uses a third-party service to help monitor the security posture of our vendors that process and/or store confidential Cboe information.
We have committees, response and management teams, and dedicated positions for managing and assessing cybersecurity risk, including a Chief Information Security Officer, a Chief Risk Officer, an Enterprise Risk Management Committee, Computer Security Incident Response Team, Cyber Crisis Management Team, and a dedicated internal information security team. Our Chief Information Security Officer and Chief Risk Officer have extensive experience in the industry. Our Chief Information Security Officer has over a dozen years of experience leading information security programs, including experience in cybersecurity consulting, leading strategy and the implementation of cyber defenses for several of the top online retailers in the United States, as well as serving as Chief Information Security Officer for Cboe Digital Exchange and Cboe Clear U.S. Our Chief Information Security Officer is currently responsible for developing and executing the Company’s global security strategy and roadmap along with its long-range plan to meet industry and regional regulatory compliance requirements. We have an information security department with associates who are located around the globe. Our Chief Risk Officer’s tenure with Cboe spans 24 years, during which time he has held senior positions in information security and risk management. He is currently responsible for oversight of the Company’s risk function including the enterprise risk management, information security, privacy, vendor management, and IT asset management programs.
Our incident response team is responsible for identifying potential cybersecurity incidents and communicating information regarding the nature and severity of the incident to senior management and others as required by the Company’s written Incident Response Plan. Cybersecurity incidents are tracked pursuant to our incident monitoring processes defined within the Incident Response Plan. Potential cybersecurity incidents may also be reported to our Disclosure Committee to determine if further action and/or public disclosure is required. We have also put in place a vulnerability management program through which our systems are routinely scanned to help identify vulnerabilities and track remediation activities.
The Board recognizes that our business depends on the confidentiality, integrity, availability, performance, security, and reliability of our data and technology systems and devotes time and attention to the oversight of cybersecurity and information security risk. In particular, the Board’s Risk Committee receives recurring updates and reports on information security-related topics from senior management, including from the Company’s Chief Compliance Officer, Chief Risk Officer, and Chief Information Security Officer. More specifically, the Risk Committee receives recurring presentations from senior management on cybersecurity, including architecture and resiliency, incident management, business continuity and disaster recovery, significant information technology changes, data privacy, insider threats, physical security, information related to third-party cyber assessments and risks associated with the use of third party service providers. The Risk Committee also reviews and approves any changes to the related information security and privacy program charter. Further, summaries of the proceedings from prior Risk Committee meetings are provided to the Board on a routine basis. Additionally, in 2024, the Board, along with senior management and third-party advisors, participated in a cybersecurity ransomware tabletop exercise.
We have experienced in the past, and we expect to continue to experience, cybersecurity threats and events of varying degrees. However, we are not aware of any of these threats or events having a material impact on our business or our business strategy, results of operations or financial condition results to date. We cannot assure you that we will not experience future threats or events that may be material. Please also refer to the risk factors above for additional information.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We maintain policies, procedures and controls designed to safeguard against cybersecurity incidents by protecting the confidentiality, integrity, availability and reliability of our systems, networks and information. These policies, procedures and controls are subject to monitoring, auditing, and evaluation practices, pursuant to our Enterprise Risk Management program, which is supported by a three-line defense strategy that includes the business lines, the Enterprise Risk Management Committee, the Risk Management and Information Security Department, the Compliance Department and the Internal Audit Department. Further, we have developed and conduct at least annually cybersecurity and data privacy training programs for our employees and our third-party consultants who have access to our systems. At least annually, we also conduct simulations, tabletop exercises, independent third-party cybersecurity penetration assessments, and response readiness tests. In addition, the information technology systems of our self-regulatory organizations are subject to periodic reviews, audits, and inspections by regulatory authorities. We also conduct diligence on cybersecurity practices in connection with our overall risk assessment when evaluating expansion into new regions, strategic opportunities, and new products.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Board recognizes that our business depends on the confidentiality, integrity, availability, performance, security, and reliability of our data and technology systems and devotes time and attention to the oversight of cybersecurity and information security risk. In particular, the Board’s Risk Committee receives recurring updates and reports on information security-related topics from senior management, including from the Company’s Chief Compliance Officer, Chief Risk Officer, and Chief Information Security Officer. More specifically, the Risk Committee receives recurring presentations from senior management on cybersecurity, including architecture and resiliency, incident management, business continuity and disaster recovery, significant information technology changes, data privacy, insider threats, physical security, information related to third-party cyber assessments and risks associated with the use of third party service providers. The Risk Committee also reviews and approves any changes to the related information security and privacy program charter. Further, summaries of the proceedings from prior Risk Committee meetings are provided to the Board on a routine basis. Additionally, in 2024, the Board, along with senior management and third-party advisors, participated in a cybersecurity ransomware tabletop exercise.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our incident response team is responsible for identifying potential cybersecurity incidents and communicating information regarding the nature and severity of the incident to senior management and others as required by the Company’s written Incident Response Plan. Cybersecurity incidents are tracked pursuant to our incident monitoring processes defined within the Incident Response Plan. Potential cybersecurity incidents may also be reported to our Disclosure Committee to determine if further action and/or public disclosure is required. We have also put in place a vulnerability management program through which our systems are routinely scanned to help identify vulnerabilities and track remediation activities.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
We have committees, response and management teams, and dedicated positions for managing and assessing cybersecurity risk, including a Chief Information Security Officer, a Chief Risk Officer, an Enterprise Risk Management Committee, Computer Security Incident Response Team, Cyber Crisis Management Team, and a dedicated internal information security team. Our Chief Information Security Officer and Chief Risk Officer have extensive experience in the industry. Our Chief Information Security Officer has over a dozen years of experience leading information security programs, including experience in cybersecurity consulting, leading strategy and the implementation of cyber defenses for several of the top online retailers in the United States, as well as serving as Chief Information Security Officer for Cboe Digital Exchange and Cboe Clear U.S. Our Chief Information Security Officer is currently responsible for developing and executing the Company’s global security strategy and roadmap along with its long-range plan to meet industry and regional regulatory compliance requirements. We have an information security department with associates who are located around the globe. Our Chief Risk Officer’s tenure with Cboe spans 24 years, during which time he has held senior positions in information security and risk management. He is currently responsible for oversight of the Company’s risk function including the enterprise risk management, information security, privacy, vendor management, and IT asset management programs.
Our incident response team is responsible for identifying potential cybersecurity incidents and communicating information regarding the nature and severity of the incident to senior management and others as required by the Company’s written Incident Response Plan. Cybersecurity incidents are tracked pursuant to our incident monitoring processes defined within the Incident Response Plan. Potential cybersecurity incidents may also be reported to our Disclosure Committee to determine if further action and/or public disclosure is required. We have also put in place a vulnerability management program through which our systems are routinely scanned to help identify vulnerabilities and track remediation activities.
|Cybersecurity Risk Role of Management [Text Block]
|
We engage assessors, consultants, auditors and other third parties in connection with developing and evaluating our overall risk management framework. Additionally, our internal audit team periodically engages third parties to co-source internal audits of our information security processes. We strive to utilize best practices in our information security management and follow applicable industry standards.
In support of our risk management framework, we maintain a vendor management policy and program to manage third-party risk. Embedded in our vendor management policy is a defined process to assess the risks related to new vendors. Vendors deemed to be high risk are re-assessed annually. These assessments include security questionnaires and reviews of Service Organization Controls (SOC) Reports, where applicable. Cboe uses a third-party service to help monitor the security posture of our vendors that process and/or store confidential Cboe information.
We have committees, response and management teams, and dedicated positions for managing and assessing cybersecurity risk, including a Chief Information Security Officer, a Chief Risk Officer, an Enterprise Risk Management Committee, Computer Security Incident Response Team, Cyber Crisis Management Team, and a dedicated internal information security team. Our Chief Information Security Officer and Chief Risk Officer have extensive experience in the industry. Our Chief Information Security Officer has over a dozen years of experience leading information security programs, including experience in cybersecurity consulting, leading strategy and the implementation of cyber defenses for several of the top online retailers in the United States, as well as serving as Chief Information Security Officer for Cboe Digital Exchange and Cboe Clear U.S. Our Chief Information Security Officer is currently responsible for developing and executing the Company’s global security strategy and roadmap along with its long-range plan to meet industry and regional regulatory compliance requirements. We have an information security department with associates who are located around the globe. Our Chief Risk Officer’s tenure with Cboe spans 24 years, during which time he has held senior positions in information security and risk management. He is currently responsible for oversight of the Company’s risk function including the enterprise risk management, information security, privacy, vendor management, and IT asset management programs.
Our incident response team is responsible for identifying potential cybersecurity incidents and communicating information regarding the nature and severity of the incident to senior management and others as required by the Company’s written Incident Response Plan. Cybersecurity incidents are tracked pursuant to our incident monitoring processes defined within the Incident Response Plan. Potential cybersecurity incidents may also be reported to our Disclosure Committee to determine if further action and/or public disclosure is required. We have also put in place a vulnerability management program through which our systems are routinely scanned to help identify vulnerabilities and track remediation activities.
The Board recognizes that our business depends on the confidentiality, integrity, availability, performance, security, and reliability of our data and technology systems and devotes time and attention to the oversight of cybersecurity and information security risk. In particular, the Board’s Risk Committee receives recurring updates and reports on information security-related topics from senior management, including from the Company’s Chief Compliance Officer, Chief Risk Officer, and Chief Information Security Officer. More specifically, the Risk Committee receives recurring presentations from senior management on cybersecurity, including architecture and resiliency, incident management, business continuity and disaster recovery, significant information technology changes, data privacy, insider threats, physical security, information related to third-party cyber assessments and risks associated with the use of third party service providers. The Risk Committee also reviews and approves any changes to the related information security and privacy program charter. Further, summaries of the proceedings from prior Risk Committee meetings are provided to the Board on a routine basis. Additionally, in 2024, the Board, along with senior management and third-party advisors, participated in a cybersecurity ransomware tabletop exercise.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
We have committees, response and management teams, and dedicated positions for managing and assessing cybersecurity risk, including a Chief Information Security Officer, a Chief Risk Officer, an Enterprise Risk Management Committee, Computer Security Incident Response Team, Cyber Crisis Management Team, and a dedicated internal information security team. Our Chief Information Security Officer and Chief Risk Officer have extensive experience in the industry. Our Chief Information Security Officer has over a dozen years of experience leading information security programs, including experience in cybersecurity consulting, leading strategy and the implementation of cyber defenses for several of the top online retailers in the United States, as well as serving as Chief Information Security Officer for Cboe Digital Exchange and Cboe Clear U.S. Our Chief Information Security Officer is currently responsible for developing and executing the Company’s global security strategy and roadmap along with its long-range plan to meet industry and regional regulatory compliance requirements. We have an information security department with associates who are located around the globe. Our Chief Risk Officer’s tenure with Cboe spans 24 years, during which time he has held senior positions in information security and risk management. He is currently responsible for oversight of the Company’s risk function including the enterprise risk management, information security, privacy, vendor management, and IT asset management programs.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Chief Information Security Officer and Chief Risk Officer have extensive experience in the industry. Our Chief Information Security Officer has over a dozen years of experience leading information security programs, including experience in cybersecurity consulting, leading strategy and the implementation of cyber defenses for several of the top online retailers in the United States, as well as serving as Chief Information Security Officer for Cboe Digital Exchange and Cboe Clear U.S. Our Chief Information Security Officer is currently responsible for developing and executing the Company’s global security strategy and roadmap along with its long-range plan to meet industry and regional regulatory compliance requirements. We have an information security department with associates who are located around the globe. Our Chief Risk Officer’s tenure with Cboe spans 24 years, during which time he has held senior positions in information security and risk management. He is currently responsible for oversight of the Company’s risk function including the enterprise risk management, information security, privacy, vendor management, and IT asset management programs.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
We have committees, response and management teams, and dedicated positions for managing and assessing cybersecurity risk, including a Chief Information Security Officer, a Chief Risk Officer, an Enterprise Risk Management Committee, Computer Security Incident Response Team, Cyber Crisis Management Team, and a dedicated internal information security team. Our Chief Information Security Officer and Chief Risk Officer have extensive experience in the industry. Our Chief Information Security Officer has over a dozen years of experience leading information security programs, including experience in cybersecurity consulting, leading strategy and the implementation of cyber defenses for several of the top online retailers in the United States, as well as serving as Chief Information Security Officer for Cboe Digital Exchange and Cboe Clear U.S. Our Chief Information Security Officer is currently responsible for developing and executing the Company’s global security strategy and roadmap along with its long-range plan to meet industry and regional regulatory compliance requirements. We have an information security department with associates who are located around the globe. Our Chief Risk Officer’s tenure with Cboe spans 24 years, during which time he has held senior positions in information security and risk management. He is currently responsible for oversight of the Company’s risk function including the enterprise risk management, information security, privacy, vendor management, and IT asset management programs.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true