Adtalem Global Education Inc. 10-K Cybersecurity GRC - 2024-08-06

Page last updated on August 6, 2024

Adtalem Global Education Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-06 16:20:56 EDT.

Filings

10-K filed on 2024-08-06

Adtalem Global Education Inc. filed a 10-K at 2024-08-06 16:20:56 EDT
Accession Number: 0001558370-24-011099


Item 1C. Cybersecurity.

Cyber Risk Management Strategy

Adtalem recognizes the importance of safeguarding sensitive information pertaining to our students, employees, institutions, and operations. Our Cyber Risk Management Framework is designed to fortify our defenses against potential cyber threats and to protect the integrity, confidentiality, and availability of critical data.

Program Highlights

Our program is anchored by our Enterprise Information Security Framework (“EISF”), which adheres to the guidelines set forth by the National Institute of Standards and Technology (“NIST”) 800-53 Framework. To enhance comprehensiveness, our policies also harmonize with other leading frameworks such as the ISO 27001 Standard, Family Educational Rights and Privacy Act of 1974 (“FERPA”), Payment Card Industry Data Security Standard (“PCI DSS”), Gramm-Leach-Bliley Act (“GLBA”), California Consumer Privacy Act (“CCPA”), General Data Protection Regulation (“GDPR”), and other pertinent local, state, national, and international regulations governing data privacy and information security.

Our Chief Information Security Officer (“CISO”) manages Adtalem’s enterprise-wide cybersecurity program and reports to Adtalem’s Chief Financial Officer. The CISO has been responsible for assessing and managing material risks from cybersecurity threats at Adtalem since 2018. The CISO has over twenty years of information technology and cybersecurity experience, including executive leadership roles at Fortune 500 organizations within regulated sectors including financial services and healthcare. The CISO leads a team of experienced subject matter experts with focus on strategy formulation, architecture design, incident response, colleague training, risk management, and governance functions. This team includes diverse industry backgrounds spanning Financial Services, Healthcare, and Government.

The CISO team is supported by a Security Operations team reporting into the Information Technology (“IT”) function. This IT team provides engineering and technical expertise. The team is further supported by a 24x7 Security Operations Center (“SOC”).

Adtalem has a Cyber Incident Response Plan (“Response Plan”) that delineates the requirements of notification, classification, analysis, and communication of cybersecurity incidents based on the identified severity level. The Response Plan includes initial steps to convene a response team, contain the incident, consider insurance notification requirements, determine the type of incident and escalation, consider the communications protocol and possible disclosure requirements, and consider involving law enforcement. The Response Plan also provides for a lessons learned review to identify improvements that could be made. Adtalem’s Legal and Compliance teams also provide incident response support to the CISO and manage cybersecurity-related legal and compliance issues. Processes are in place to escalate cybersecurity incidents promptly so that decisions regarding public disclosure and regulatory reporting can be made by management in a timely manner.

An integral component of Adtalem’s Response Plan is our Privacy Incident Response Plan (the “Privacy Response Plan”) which addresses privacy of our students’ records, including under the Family Education Rights and Privacy Act of 1974. The Privacy Response Plan requires annual training for our employees on how to recognize and report potential privacy incidents.

We regularly conduct Cyber Incident Response Plan (the “Incident Response Plan”) tabletop exercises, including simulations of malware and ransomware attacks. Our IT environment and cybersecurity-related controls are reviewed by our internal audit function and external third parties. We sponsor third-party assessments, including cyber risk reviews and penetration testing, to evaluate our cybersecurity program independently. Adtalem subjects its systems to penetration testing to identify potential exposures, ensuring that our infrastructure maintains an acceptable level of cyber risk. In addition, Adtalem leverages third-party experts to enhance its cybersecurity program and Incident Response Plan.

Our organization has not identified or discovered any cybersecurity threats over the past three fiscal years that have materially impacted or are reasonably likely to materially impact our business strategy, operations, or financial condition. Expenses related to cybersecurity incidents have been immaterial.

Our year-round cybersecurity awareness program mandates training for all system users, covering essential topics such as safeguarding sensitive information, identifying phishing attempts, securing mobile devices, and understanding the risks associated with artificial intelligence (“AI”) platforms.

Recognizing the importance of third-party risk, our strategic sourcing protocols mandate detailed cybersecurity assessments for potential third-party suppliers. New engagements with third parties are contingent upon affirmative evaluations or adherence to risk mitigation/acceptance protocols. Contracts with third parties include provisions for breach notification, investigation, root cause analysis, and remediation.

We maintain a cybersecurity insurance policy covering costs that we may incur in connection with incidents. Our policy limits are commensurate with the size and the nature of our operations. However, Adtalem may incur expenses and losses related to a cyber incident that are not covered by insurance or are in excess of our insurance coverage.

Governance

Cybersecurity is acknowledged as an important enterprise risk at Adtalem. Our Audit and Finance Committee (“AFC”), comprised entirely of independent directors, is responsible for oversight of risks from cybersecurity threats. The Chair of our AFC has received a CERT certificate in Cybersecurity Oversight from Carnegie Mellon University in partnership with the National Association of Corporate Directors. Our CISO briefs the AFC on cybersecurity matters, including the evolving threat landscape and Adtalem’s threat mitigation efforts, four times a year. At each quarterly meeting, the Chair of our AFC also briefs the full Board on cybersecurity matters discussed at AFC meetings. Cybersecurity risks are also reviewed and discussed with the AFC and the full Board as part of our annual enterprise risk management (“ERM”) assessment.

In February 2024, our full Board reviewed and discussed best practices for cybersecurity and cybersecurity disclosures with an external third party. The subsequent Board discussion included a focus on the cyber threat landscape, responses to cyberattacks, risks posed by third-party vendors, and best practices to address cyber risks.


Company Information

Name: Adtalem Global Education Inc.
CIK: 0000730464
SIC Description: Services-Educational Services
Ticker: ATGE - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: June 29