Page last updated on August 15, 2024
H&R BLOCK INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-15 16:47:24 EDT.
Filings
10-K filed on 2024-08-15
H&R BLOCK INC filed a 10-K at 2024-08-15 16:47:24 EDT
Accession Number: 0001838862-24-000030
Item 1C. Cybersecurity.
Risk Management and Strategy

To help address cybersecurity threats, we have developed a strategy and implemented a program to identify, assess, and prioritize cybersecurity risks as part of our broader ERM program. We are committed to a risk-centric, layered information security approach to secure our data, systems, and services. We prioritize our data security initiatives and processes based on our assessment of known and anticipated threats to our data security. Utilizing the National Institute of Standards and Technology (NIST) Cybersecurity Framework, we strive for continuous improvement and utilize a metrics-based approach to identify and mitigate data security risks that could potentially impact our business operations or clients.

We maintain multiple levels of protection to mitigate data security risks, and we regularly test our systems to discover and address potential vulnerabilities, including without limitation:
- using a multi-layered, zero-trust principled approach to secure systems;
- systematic monitoring of our sites and services to detect and respond to unauthorized activity; and
- regular security audits and vulnerability assessments conducted by our dedicated internal information security team, our internal auditors, and by external third parties.

In addition, we engage in a broad range of activities to secure and protect the data that we obtain through our business operations including, but not limited to:
- continued development and enhancement of our controls, processes, and practices designed to protect our systems, computers, software, data, and networks from attack, damage, or unauthorized access;
- security and business controls to appropriately limit access to and use of personal information, including adaptive and multifactor authentication;
- comprehensive data protections, including encryption, to facilitate the secure storage, use, and transmission of sensitive data;
- annual privacy/data security training to all employees and contractors and regular awareness and testing activities year-round regarding social engineering threats, such as phishing, for employees;
- background checks on our employees, as permitted;
- due diligence requirements and controls for third parties (e.g., service providers) with access to sensitive data throughout the lifecycle of the relationship; and
- a dedicated global information security team that partners with all technology groups to monitor, prioritize, and remediate risks to the enterprise.

Governance

The Audit Committee of the Board of Directors has the primary responsibility of assisting our Board in the oversight of policies and processes pertaining to the ERM program and specifically considers risks and controls relating to, among other things, data and cybersecurity. Risks associated with cybersecurity threats are a top priority for ongoing oversight by the ERM team and the Enterprise Risk Committee. Our Chief Risk Officer oversees the activities of the Enterprise Risk Committee and, together with the Chief Information Security Officer (CISO), briefs the Audit Committee and the Board of Directors on information security risk matters as a part of regular ERM reports, with a deep dive focused on information security at least annually (or more frequently if appropriate). In addition, the Audit Committee receives regular reports on cybersecurity matters from the Chief Information Officer (CIO) and the CISO. The Board of Directors is also updated by the CIO and CISO on a periodic basis.

Our CIO, who reports directly to the President and CEO, has over 30 years of leadership experience in technology-based roles across multiple industries. Our CISO, who reports directly to the CIO, has extensive cybersecurity knowledge and skills gained from over 25 years of information technology experience, with more than 15 years of Information Security specialization. Our CISO is responsible for understanding, managing, and communicating cybersecurity risks internally to our management (including the Enterprise Risk Committee on which he serves), and works closely with our Legal department to oversee compliance with legal, regulatory, and contractual security requirements.

Our CISO heads the Information Security team, which is responsible for implementing, monitoring, and maintaining cybersecurity and data protection practices across our business. The Information Security team covers a wide range of cyber and information security responsibilities. Our CISO also receives reports on cybersecurity threats on an ongoing basis and regularly reviews risk management measures implemented by us to identify and mitigate cybersecurity risks. In addition to our internal capabilities, we also periodically engage external consultants, legal counsel, or other third-party advisors to assist with assessing, identifying, and managing cybersecurity risks.

Material Cybersecurity Risks, Threats, and Incidents

We have been, and continue to be, the subject of cybersecurity threats, and we describe how risks from these threats, if realized, are reasonably likely to materially affect us. See further discussion of these items in our Item 1A. Risk Factors of this Form 10-K. As of the date of this report, we have not identified risks from any known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our business strategy, results of operations, or financial condition. However, there can be no assurance that cybersecurity threats will not have a material impact on us, including our business strategy, results of operations, or financial condition, in the future.
Company Information
Name | H&R BLOCK INC |
CIK | 0000012659 |
SIC Description | Services-Personal Services |
Ticker | HRB - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | June 29 |