JACK HENRY & ASSOCIATES INC 10-K Cybersecurity GRC - 2024-08-26

Page last updated on August 26, 2024

JACK HENRY & ASSOCIATES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-26 13:46:30 EDT.

Filings

10-K filed on 2024-08-26

JACK HENRY & ASSOCIATES INC filed a 10-K at 2024-08-26 13:46:30 EDT
Accession Number: 0000779152-24-000079

Item 1C. Cybersecurity.

Cyber Risk Management and Strategy

In our increasingly interconnected environment, information is inherently exposed to a growing number of risks, threats, and vulnerabilities. As a provider of products and services to financial institutions, Jack Henry integrates industry-standard frameworks, policies, and procedures to securely process and store sensitive information, prioritizing the protection of our associates, clients, and their private data from the ever-evolving cyber threat environment.

Jack Henry’s information and cybersecurity program is a key component of our overall enterprise risk management and is maintained by a team of diverse, highly skilled cybersecurity professionals, as well as a portfolio of investments in modern technology, including artificial intelligence and machine learning. The program safeguards Jack Henry and client confidentiality and privacy by systematically identifying, assessing, and managing material risks and cybersecurity threats through use of comprehensive cyber defense, threat and vulnerability management, and cyber intelligence. Our cybersecurity program includes continuous enterprise monitoring with well-defined and rehearsed business resilience and incident response procedures. Further, we use third-party vendors and consultants to assist in identifying and assessing cybersecurity risks.

Jack Henry systems and services undergo regular reviews performed by the same regulatory agencies that review financial institutions: Federal Reserve Bank (“FRB”), FDIC, Office of the Comptroller of the Currency (“OCC”), NCUA, and the CFPB, among others. Reviews such as those by the Federal Banking Agencies (comprised of the FDIC, FRB, and the OCC) assess and identify security gaps or flaws in controls. Critical services provided to our clients are subject to annual System and Organization Controls (“SOC”) reviews by independent auditors.

Our associates and contractors play a vital role in the safeguarding of systems and data. Associates and contractors complete mandatory annual security awareness training to ensure they stay abreast of the latest best practices and related cyber threats. Additionally, we conduct routine phishing exercises to help associates and contractors identify and responsibly respond to suspicious emails. Throughout the year, we target supplemental training and education to higher-risk individuals and teams.

Jack Henry relies on third-party service providers to deliver services and products to our clients, and we evaluate and attempt to mitigate the cybersecurity risks associated with the use of these third-party service providers. We conduct evaluations and risk assessments of third-party service providers prior to engagement and on an ongoing periodic basis to ensure our standards for security are maintained. Our strategic risk management committees review and address any identified risks.

In fiscal year 2024, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected our business strategy, results of operations, or financial condition. As a large financial technology provider, we continually face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us and our business strategy, results of operations, or financial condition. Despite our efforts to identify and respond to cybersecurity threats, we cannot ensure that we will not experience material cybersecurity incidents in the future or that we have not experienced an undetected incident. For a full discussion of cybersecurity risks, see the section entitled “Risk Factors” in Item 1A.

Cyber Security Governance and Oversight

Our Board of Directors maintains ultimate oversight over risk functions but has delegated certain oversight responsibilities for enterprise and operational risks, including cybersecurity risk, to the Board’s Risk and Compliance Committee. The Risk and Compliance Committee’s obligations include overseeing Jack Henry’s risk assessment and management programs and reviewing risk preparedness. Our Audit Committee oversees financial risks and would also be informed of a material cybersecurity incident that could potentially have a material impact on our financial statements.

The Chief Information Security Officer (“CISO”) reports to the Risk and Compliance Committee and to the full Board of Directors on a quarterly basis on information security matters. Additionally, the CISO meets with the Risk and Compliance Committee at least annually to evaluate our overall security environment and organization.

While the Board of Directors, through the Risk and Compliance Committee, maintains oversight for cybersecurity risks, management is primarily responsible for identifying, assessing, and managing material cybersecurity risks within our broader risk management program. Management has established the Enterprise Risk Management Committee, headed by Company executives, to monitor the governance, risk, and compliance environment for Jack Henry, which includes review of cybersecurity risk.

Management has also adopted specific policies and processes to monitor cybersecurity threats and to mitigate such threats as they arise. These policies and procedures include, among other things, an incident response program, which includes professionals with diverse backgrounds and skillsets, led by our CISO. Our incident response team is designed to monitor and assess cyber and information security related incidents. Any cybersecurity incidents that meet or exceed preestablished thresholds are escalated to management to establish the scope of the threat, apply mitigation and remediation efforts, and assess the need for disclosure to clients, third-party service providers, and regulators.

Our CISO, who reports directly to the Chief Risk Officer, has primary responsibility over Jack Henry’s overall information security strategy, policy, security engineering, operations, and cybersecurity threat detection and response. Our CISO has more than 20 years of technology and cybersecurity experience, including previous senior leadership roles at major financial institutions. The information security team, under the direction of the CISO, regularly monitors general cybersecurity trends and institutes preventative efforts and defensive measures to protect against cybersecurity threats.


Company Information

Name: JACK HENRY & ASSOCIATES INC
CIK: 0000779152
SIC Description: Services-Computer Integrated Systems Design
Ticker: JKHY - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: June 29