Managing Risk & Ensuring

Business Continuity

Our Board of Directors is responsible for overseeing ICE's risk management process, which includes management of general operational risks, as well as particular risks facing our various businesses. With the assistance of our Audit and Risk Committees and our Subsidiary Boards, the Board oversees that our assets are properly safeguarded, that appropriate financial and other controls are maintained, and that our business is conducted prudently and in compliance with applicable laws, regulations and our corporate governance guidelines.

We have an Enterprise Risk Management team, led by the Chief Corporate Risk Officer. The team includes regional Chief Risk Officers that oversee each business unit: clearing houses, exchanges, trade repositories and the data and benchmark services.

We employ a three-lines model to enterprise risk management, a concept endorsed by the Institute of Internal Auditors. This framework helps ensure strong redundancies and preparation.

The first line is comprised of management and is responsible for the day-to-day operation of the business and the associated risks
The second line serves an oversight and challenge function from a risk perspective and includes our Enterprise Risk Management, Legal & Compliance, Financial Controls, Human Resources and Information Security Assurance teams
Internal Audit is the third line and serves to provide an independent check and additional assurances that risks are anticipated and mitigated

Cyber

ICE ensures both the physical and digital security of our markets, clearing houses and data through industry-leading security technology and processes. Our Information Security Department consists of diverse and skilled teams that work to protect confidential data and systems from unauthorized access, misuse, disclosure, destruction, modification or disruption.

Controls include:

Detailed information security policies, reviewed at least annually.
Employees required to complete security awareness training upon hire and annually thereafter; training modules require employees to read and provide acknowledgement of the Corporate Information Security Policy.
Dedicated Cybersecurity team is led by Chief Information Security Officer.
Board oversight led by the Risk Committee with at least quarterly briefings from senior management.
Information security is considered a core skillset and is part of every employee's annual performance review.

Reporting a security concern can be done easily from our website here.
Internal Audit and Information Security Assurance regularly conduct tests utilizing various methods to verify compliance with written polices and to assess vulnerabilities. In addition, ICE teams are subject to examinations from multiple regulatory bodies, and commission independent penetration tests.
Service Organization Control (SOC) audits are performed annually to produce independent verification and testing of ICE controls for external parties and auditors that rely on ICE. The scope of these reports is evaluated each year and tailored in response to customer feedback and business developments. These reports are available to any customer via the TPRM Portal.

Business Continuity Planning

Our Crisis Management team handles our end-to-end response to any potential issues and regularly conducts global drills to ensure our processes are ready to be implemented. All mission-critical functions are tested for responsiveness and business continuity. Following each acquisition of a new company, this process is reviewed to ensure crisis management procedures are in place across our entire organization.

Employees are trained annually on our business continuity procedures to ensure readiness and understanding.