3 9 | T M X G R O U P S U S TA I N A B I L I T Y R E P O R T 2 0 2 4 REPORT CONTENTS ABOUT THIS REPORT SUSTAINABILITY STRATEGY SUSTAINABILITY GOVERNANCE PROSPERITY PLANET PEOPLE APPENDICES CYBERSECURITY & INFORMATION TECHNOLOGY 2024 Governance Our information security team, led by our Chief Information Security Officer (CISO), develops and manages our information security services, including cybersecurity oversight for IT and business operations, data management, application development and maintenance functions. The CISO presents cybersecurity status reports to the audit committee regularly. The audit committee also receives regular updates on security measures and processes for internally developed and externally acquired generative artificial intelligence (AI) and AI systems, third-party products, and services. The Board reviews our cybersecurity and information technology program, strategy and planning annually. Measures Our processes and networks and those of our third-party service providers, participants, and our customers may be vulnerable to information security risks, including unauthorized access, computer viruses, theft of data, denial of service attacks, and other security issues. TMX has invested significant resources and maintains robust systems to protect against the threat of security breaches to prevent or limit reputational, regulatory and legal consequences of cyber attacks. We continue to monitor for trends and respond accordingly with the adoption of strategies, technologies (technology modernization initiatives) and practices such as increasing reliance on cloud based services, to prevent or limit the impact of cyber threats, including those caused by the increasing evolution of the cyber threat landscape and the sophistication of threat actors. We maintain robust systems to protect our processes and networks from cybersecurity threats. We leverage and implement industry best practice security measures to address the cyber threat landscape, manage increased volumes, and changes in our trading, clearing, settlement and depository activities, and address customer demands for improved performance and security requirements. These measures also address protection from people who could wrongfully use our information or cause interruptions or malfunctions in our operations which could damage the integrity of our markets and data provision. In addition, our employees are exposed to quarterly phishing tests and must complete an annual information security awareness training and quiz. We conduct the following periodic threat and risk assessments: application security; asset and information management; end user device security; human resources security; network security; physical and environmental security; privacy; IT operations management; access control; server security. The increasing use of AI, both by threat actors seeking to exploit vulnerabilities and by our own employees, presents a new and evolving challenge. We have designed procedures to mitigate these risks, including those associated with the use of generative AI tools. For a full description of the cybersecurity and information technology risks of TMX Group, please refer to page 94 to 95 of our 2024 Annual Report. Artificial Intelligence TMX has established an acceptable use procedure for generative AI. The procedure outlines the processes and actions required to implement the Information Security Acceptable Use Policy with respect to the use of generative AI. Employees are prohibited from using any non-TMX approved GenAI tools and technology for business purposes. All authorized uses of GenAI for TMX business purposes are specified in the GenAI procedure. Employees are required to use the GenAI tools authorized only for the prescribed use cases and subject to any limitations specified in the Approved GenAI List. This procedure is used in conjunction with the TMX Information Security Acceptable Use Procedure.
RkJQdWJsaXNoZXIy MjgzMzQ=