|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Marex recognizes the importance of managing cybersecurity risks and protecting information
across our enterprise. To address these priorities, data protection and cybersecurity risk management are
embedded into Marex’s operations and overall enterprise risk management framework, and share
common methodologies, reporting channels and governance processes that apply across the risk
management program to other legal, compliance, strategic, operational, and financial risk areas.
As part of this approach, we have implemented a layered cybersecurity risk management
program intended to assess, identify, and manage cybersecurity risks.
Our cybersecurity program draws on the National Institute of Standards and Technology (NIST)
Framework, ISO 27001, and industry best practices. This does not imply that we meet any particular
technical standards, specifications, or requirements, only that we use the above standards as a guide to
help us identify, assess, and manage cybersecurity risks relevant to our business.
Key elements of our cybersecurity risk management program include but are not limited to the following:
•Risk assessments designed to help identify material risks from cybersecurity threats to our critical
systems and information;
•A security team principally responsible for managing (1) our cybersecurity risk assessment
processes, (2) our security controls, and (3) our response to cybersecurity incidents;
•Cybersecurity awareness training of our employees, including incident response personnel, and
senior management;
•We employ a variety of tools and processes aimed at preventing, detecting, escalating,
investigating, resolving, and recovering from identified vulnerabilities and security incidents in a
timely manner. These include monitoring and detection systems, internal reporting mechanisms,
and other security controls;
•A cybersecurity incident response plan that includes procedures for responding to cybersecurity
incidents;
•We also engage independent industry-recognized service providers and consultants, where
appropriate, to assess, test, monitor or otherwise assist with aspects of our security processes
and controls;
•Recognizing that third-party vendors and service providers are a critical component of our
operations, we have implemented a third-party risk management program. This program includes
cybersecurity risk assessments for vendors before onboarding and periodic evaluations
commensurate to their criticality and risk profile.
As disclosed, in January 2023, ION, the third party on whom we rely as our back-office provider,
was subject to a cyberattack, which suspended access to trade management and reporting systems. To
our knowledge, no Personal Information was lost or exfiltrated and ION implemented a number of
measures designed to prevent future cyberattacks, including Multi Factor Authentication (MFA)
enforcement for all clients and CrowdStrike.
Based on our assessment, the incident has not had a material impact or effect on (nor will it in the
future materially impact or affect) us, including our operations, business strategy, results of operations, or
financial condition. We have not identified risks from other existing cybersecurity threats that have
materially affected us, including our operations, business strategy, results of operations, or financial
condition.
We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect
us, including our operations, business strategy, results of operations, or financial condition. See “Risk
Factors – If we or our third-party providers fail to protect or IT Systems of Confidential Information this
could, among other things, limit our ability to conduct our operations and lead to legal liability, material
financial penalties, or damage to our reputation, which could materially affect our business, results of
operations, and financial condition.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our cybersecurity program draws on the National Institute of Standards and Technology (NIST)
Framework, ISO 27001, and industry best practices. This does not imply that we meet any particular
technical standards, specifications, or requirements, only that we use the above standards as a guide to
help us identify, assess, and manage cybersecurity risks relevant to our business.
Key elements of our cybersecurity risk management program include but are not limited to the following:
•Risk assessments designed to help identify material risks from cybersecurity threats to our critical
systems and information;
•A security team principally responsible for managing (1) our cybersecurity risk assessment
processes, (2) our security controls, and (3) our response to cybersecurity incidents;
•Cybersecurity awareness training of our employees, including incident response personnel, and
senior management;
•We employ a variety of tools and processes aimed at preventing, detecting, escalating,
investigating, resolving, and recovering from identified vulnerabilities and security incidents in a
timely manner. These include monitoring and detection systems, internal reporting mechanisms,
and other security controls;
•A cybersecurity incident response plan that includes procedures for responding to cybersecurity
incidents;
•We also engage independent industry-recognized service providers and consultants, where
appropriate, to assess, test, monitor or otherwise assist with aspects of our security processes
and controls;
•Recognizing that third-party vendors and service providers are a critical component of our
operations, we have implemented a third-party risk management program. This program includes
cybersecurity risk assessments for vendors before onboarding and periodic evaluations
commensurate to their criticality and risk profile.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to
the Group Risk Committee (the “Committee”) oversight of cybersecurity and other information technology
risks. The Committee oversees management’s implementation of our cybersecurity risk management
program.
The Committee receives quarterly reports from management on our information technology and
cybersecurity risks. In addition, management updates the Committee, where it deems appropriate,
regarding cybersecurity incidents it considers to be significant.
The Committee reports to the Board regarding its activities, including those related to
cybersecurity. The Board also receives briefings from management on our cyber risk management
program. Board members receive presentations on cybersecurity topics from our Head of Information
Security, internal security staff or external experts as part of the Board’s continuing education on topics
that impact public companies.
Our management team, including CTO, COO & CRO, is responsible for assessing and managing
our material risks from cybersecurity threats. The team has primary responsibility for our overall
cybersecurity risk management program and supervises both our internal cybersecurity personnel and
our retained external cybersecurity consultants. The members of our management team each have over
20 years of industry experience.
Our management team supervises efforts to prevent, detect, mitigate, and remediate
cybersecurity risks and incidents through various means, which may include briefings from internal
security personnel; threat intelligence and other information obtained from governmental, public or private
sources, including external consultants engaged by us; and alerts and reports produced by security tools
deployed in the IT environment.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to
the Group Risk Committee (the “Committee”) oversight of cybersecurity and other information technology
risks. The Committee oversees management’s implementation of our cybersecurity risk management
program.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Committee receives quarterly reports from management on our information technology and
cybersecurity risks. In addition, management updates the Committee, where it deems appropriate,
regarding cybersecurity incidents it considers to be significant.
The Committee reports to the Board regarding its activities, including those related to
cybersecurity. The Board also receives briefings from management on our cyber risk management
program. Board members receive presentations on cybersecurity topics from our Head of Information
Security, internal security staff or external experts as part of the Board’s continuing education on topics
that impact public companies.
|Cybersecurity Risk Role of Management [Text Block]
|Our management team, including CTO, COO & CRO, is responsible for assessing and managing
our material risks from cybersecurity threats. The team has primary responsibility for our overall
cybersecurity risk management program and supervises both our internal cybersecurity personnel and
our retained external cybersecurity consultants. The members of our management team each have over
20 years of industry experience.
Our management team supervises efforts to prevent, detect, mitigate, and remediate
cybersecurity risks and incidents through various means, which may include briefings from internal
security personnel; threat intelligence and other information obtained from governmental, public or private
sources, including external consultants engaged by us; and alerts and reports produced by security tools
deployed in the IT environment.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our management team, including CTO, COO & CRO, is responsible for assessing and managing our material risks from cybersecurity threats.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The members of our management team each have over 20 years of
industry experience.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Committee reports to the Board regarding its activities, including those related to
cybersecurity. The Board also receives briefings from management on our cyber risk management
program. Board members receive presentations on cybersecurity topics from our Head of Information
Security, internal security staff or external experts as part of the Board’s continuing education on topics
that impact public companies.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true