|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We operate in an environment where cybersecurity risk is dynamic and evolving. We are committed to appropriately managing and minimizing the impact of cybersecurity risk on the achievement of our business objectives. We view cybersecurity risk management as a fundamental business process essential to our overall success. As such, we have integrated our cybersecurity program into our comprehensive Risk Framework, which is in place to support the management and oversight of risk across our organization. The Risk Framework establishes a consistent approach for identifying, assessing, measuring, mitigating, and reporting on material risks, including cybersecurity risks. The Risk Framework is composed of process components such as risk governance, risk identification and assessment, risk measurement, risk response and remediation and risk analysis and reporting.
The general objectives for our cybersecurity program are to protect our information systems from cyber threats and to protect the confidentiality, integrity and availability of systems and information used, owned, or managed by Tradeweb and our customers. This involves a comprehensive and ongoing effort to protect against, detect, and respond to cybersecurity threats and vulnerabilities. Our cybersecurity program includes a number of components, such as:
•conducting regular risk assessments to identify potential vulnerabilities and threats;
•implementing strong cybersecurity frameworks by adopting policies, standards and guidelines derived from a combination of ISO/IEC 27001 principles, the National Institute of Standards and Technology Cybersecurity Framework and industry best practices;
•enforcing strict access control policies as appropriate;
•implementing strong encryption protocols;
•utilizing advanced threat detection systems;
•conducting regular security audits and penetration testing;
•conducting thorough security assessments of third-party vendors and service providers on an ongoing basis; and
•continuous monitoring of our and third-party systems.
As part of our cybersecurity program, we have robust incident response and business continuity plans designed to provide a framework for quick and effective remediation of cyber issues, which are tested periodically throughout the year. Additionally, we have worked to create a culture of security by providing regular cybersecurity training to employees to raise awareness about various cyber threats like phishing, social engineering, and insider threats. We provide additional targeted training to individuals responsible for managing our information systems. We also maintain cyber insurance coverage intended to mitigate certain costs associated with certain cybersecurity events.
In addition, each year, we undergo System and Organization Controls (“SOC”) 1 and SOC 2 audit reviews performed by an independent third-party firm to test our information technology systems internal controls. We also regularly engage additional assessors, auditors and service providers in connection with the implementation, assessment, enhancement and evaluation of our cybersecurity program, including our risk management processes.
We have not been a victim of a cyber attack or other cybersecurity incident that has had a material impact on us, our business strategy, results of operations or financial condition; however, we have from time to time experienced non-significant cybersecurity events, including attempted denial of service attacks, malware infections, phishing, subversion of internal security controls and other information technology events that are typical for an electronic financial services company of our size. An actual, threatened or perceived cyber attack or breach of our security could materially affect us, including our business strategy, results of operations and financial condition in many ways, including through the loss of clients or client confidence, expenditure of significant costs to repair system, network or infrastructure damages as well as to protect against future cyber attacks, security breaches or harm and potential litigation or other claims or actions, including from regulatory agencies. These risks extend to the third parties we rely on to provide certain services, including technology services, to us. Please see Part I, Item 1A. —“Risk Factors—Risks Relating to the Operation and Performance of Our Business—We rely on third parties to perform certain key functions, and their failure to perform those functions could result in the interruption of our operations and systems and could result in significant costs and reputational damage to us.” For additional information regarding risks related to cybersecurity threats, see also Part I, Item 1A. – “Risk Factors — Risks Relating to Cybersecurity and Intellectual Property Actual or perceived security vulnerabilities in our systems, networks and infrastructure, breaches of security controls, unauthorized access to confidential or personal information or cyber attacks could harm our business, reputation and results of operations” and “— Systems failures, interruptions, delays in service, catastrophic events and resulting interruptions in the availability of our platforms or solutions could materially harm our business and reputation.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We are committed to appropriately managing and minimizing the impact of cybersecurity risk on the achievement of our business objectives. We view cybersecurity risk management as a fundamental business process essential to our overall success. As such, we have integrated our cybersecurity program into our comprehensive Risk Framework, which is in place to support the management and oversight of risk across our organization.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Role of our Board of DirectorsThe Board of Directors of Tradeweb Markets Inc. exercises direct oversight of the strategic risks to the Company. The Audit and Risk Committee of the Board reviews guidelines and policies governing the process by which senior management assesses and manages our exposure to risk, including our major financial and operational risk exposures including those derived from cybersecurity risk, and the steps management takes to monitor and control such exposures. Our Board and our Audit and Risk Committee each receive periodic reports from our Chief Information Security Officer, Chief Risk Officer and Chief Administrative Officer to assess key cybersecurity risks for the Company and the measures implemented to mitigate them, as well as updates regarding changes to our cybersecurity risk profile or newly identified significant risks. In addition, the Audit and Risk Committee reports to the Board on these matters at each regularly scheduled Board meeting. The Board and Audit and Risk Committee provide feedback and recommendations accordingly.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit and Risk Committee of the Board reviews guidelines and policies governing the process by which senior management assesses and manages our exposure to risk, including our major financial and operational risk exposures including those derived from cybersecurity risk, and the steps management takes to monitor and control such exposures.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board of Directors of Tradeweb Markets Inc. exercises direct oversight of the strategic risks to the Company. The Audit and Risk Committee of the Board reviews guidelines and policies governing the process by which senior management assesses and manages our exposure to risk, including our major financial and operational risk exposures including those derived from cybersecurity risk, and the steps management takes to monitor and control such exposures. Our Board and our Audit and Risk Committee each receive periodic reports from our Chief Information Security Officer, Chief Risk Officer and Chief Administrative Officer to assess key cybersecurity risks for the Company and the measures implemented to mitigate them, as well as updates regarding changes to our cybersecurity risk profile or newly identified significant risks. In addition, the Audit and Risk Committee reports to the Board on these matters at each regularly scheduled Board meeting. The Board and Audit and Risk Committee provide feedback and recommendations accordingly.
|Cybersecurity Risk Role of Management [Text Block]
|
Role of ManagementWe operate on a “three lines of defense” risk governance model, with partnership and communication across the three lines. The first line of defense is comprised of the business and technology managers, the second line of defense is comprised of the Compliance, Risk and Information Security teams and the third line of defense is comprised of the Internal Audit function. The second and third lines of defense focus on providing the first line of defense with advisory and assurance functions for informed and actionable risk-based decisions. The Enterprise Risk Committee (the “ERC”) is chaired by our Chief Risk Officer and includes our Chief Technology Officer, General Counsel, Chief Administrative Officer, Global Head of Enterprise Risk, Chief Information Security Officer, Head of Global Compliance, Global Head of Human Resources, Head of Internal Audit and various global heads of business lines and corporate functions. The ERC is responsible for the governance and oversight of our Risk Framework, which includes cybersecurity risks. Its responsibilities include, supervising risk mitigation strategies and their implementation, overseeing compliance and regulatory aspects, managing crises, approving risk tolerance, reviewing and approving material policy changes and evaluating the effectiveness of the organization’s risk management practices. The ERC regularly obtains reports from the Chief Information Security Officer who maintains the primary responsibility for assessing and managing the cybersecurity risks, to evaluate the principal cybersecurity risks for the Company and review strategies in place to mitigate them. The ERC meets quarterly and reports to senior management, including the Chief Executive Officer and Chief Financial Officer. Senior management provides oversight and support in aligning cyber risk management with the Company’s strategic decisions, fostering a culture of risk awareness across the organization and allocating adequate resources to support the initiatives.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Chief Information Security Officer leads a highly qualified cybersecurity team in assessing, managing and reducing material risks from cybersecurity threats to protect critical operations and delivery of service.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Chief Information Security Officer has over 25 years of industry experience, with more than a decade of CISO experience at various financial institutions.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our Board and our Audit and Risk Committee each receive periodic reports from our Chief Information Security Officer, Chief Risk Officer and Chief Administrative Officer to assess key cybersecurity risks for the Company and the measures implemented to mitigate them, as well as updates regarding changes to our cybersecurity risk profile or newly identified significant risks. In addition, the Audit and Risk Committee reports to the Board on these matters at each regularly scheduled Board meeting. The Board and Audit and Risk Committee provide feedback and recommendations accordingly.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef