JOHN WILEY & SONS, INC. 10-K Cybersecurity GRC - 2024-06-26

Page last updated on July 16, 2024

JOHN WILEY & SONS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-26 15:48:26 EDT.

Filings

10-K filed on 2024-06-26

JOHN WILEY & SONS, INC. filed a 10-K at 2024-06-26 15:48:26 EDT
Accession Number: 0000107140-24-000114

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Wiley is committed to maintaining robust cybersecurity practices to safeguard our operations, data, and stakeholders’ interests. We monitor our cybersecurity landscape and adapt our strategies and governance practices to mitigate risks in this rapidly evolving area. Wiley adopted the National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF), as a guide for its cybersecurity program to establish, and maintain a continuous improvement process for identifying, assessing, and managing cyber risks and cyber-related threats. The framework’s key domains of identify, protect, detect, respond, recover and governance encompass specific controls to be established and maintained by an organization. Wiley’s controls are monitored and tested on a continuous basis by an external third-party to assess the effectiveness of our cyber program. We maintain a cybersecurity risk management program that is designed to identify, assess, manage, and mitigate cybersecurity risks and provides a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of services provided by third-party service providers. To secure our technology environment, our organization leverages the latest software and security capabilities with a defense-in-depth and layered strategy. We deploy endpoint detection and response, network anomaly detection, and multi-factor authentication across most of our environment. We engage with various third-party consultants as well as utilize various threat intelligence services to assist in our oversight and to identify risks. We require employees with access to our information systems, including all corporate employees and consultants, to undertake annual data protection and cybersecurity training and ongoing phishing simulation exercises. Based on the information we have as of the date of this Annual Report on Form 10-K, we do not believe that any cybersecurity incident experienced by the Company has materially affected or is reasonably likely to materially affect Wiley, including our business strategy, results of operations or financial condition. For additional information about cybersecurity risks, see Item 1A. “Risk Factors.” Governance Our Board is responsible for the overall oversight of our enterprise risk management. The Board receives regular updates on the key risks to the organization on a quarterly basis. The Board has delegated oversight of cybersecurity risks to the Audit Committee.The Audit Committee receives quarterly cybersecurity updates from the Company’s Chief Information Security Officer (CISO), which includes updates on the Company’s cybersecurity policies and strategies, cyber risks and threats, the status of projects designed to continuously improve the Company’s information security systems, assessments of the Company’s security program, employee training and awareness programs, emerging threat landscape and engagement with external cybersecurity experts and advisors, as needed. 26 Index The Company also holds an annual cybersecurity educational session and updates both the Audit Committee and the Digital Product and Technology Committee, which oversees the Company’s digital product and services and technology strategies, initiatives and investments. The annual session is dedicated to the Enterprise Security Compliance and Data Protection program, which features perspectives on the status of Wiley’s Cybersecurity Program, including related policies, procedures and practices and emerging trends in the cybersecurity space from the Company’s CISO complemented by an outside expert. Management’s Role Management is responsible for day-to-day risk management activities, including identifying and assessing cybersecurity risks, establishing processes to ensure that potential cybersecurity risk exposures are monitored, implementing appropriate mitigation or remediation measures and maintaining cybersecurity programs. Risk mitigation strategies and key performance indicators are defined, and tracked, as part of the quarterly internal reporting. The Enterprise Security, Compliance and Data Protection team consists of subject matter experts in the field on Information Security, Risk Management Compliance and Data Protection. Our Security, Compliance and Data Protection teams monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through a variety of technical and operational measures, and regularly report to our CISO. Our CISO is part of the senior management team and regularly updates the Audit Committee on the company’s cybersecurity program, including cybersecurity risks, incidents, and mitigation strategies. The Security, Compliance and Data Protection team is led by the CISO who has 25 years in business risk management and cybersecurity and reports to the Chief Information Officer (CIO) who has over 25 years in information technology and security roles. The Security, Compliance and Data Protection team has established processes and procedures that guide and enable continuous monitoring, detection, prevention, mitigation, and remediation of cybersecurity incidents. These processes are carried out using various security platforms tools, capabilities and strategies including tests of our information security program, tabletop exercises, penetration and vulnerability testing, disaster recovery (DR) simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. Incident Response and Management teams utilize procedures that identify escalation paths when security events are identified. Incident priorities dictate escalation of events and how they are reported up from an Incident Commander up to the executive leadership team within Wiley as well as to the Board. Despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. The threat landscape is constantly changing and will continue to as new technologies, such as AI, evolve. 27 Index

Company Information