INTUIT INC. 10-K Cybersecurity GRC - 2024-09-04

Page last updated on September 4, 2024

INTUIT INC. reported its cybersecurity risk management and governance process in its annual 10-K, filed on 2024-09-04 at 18:26:27 EDT.

Filings

10-K filed on 2024-09-04

INTUIT INC. filed a 10-K at 2024-09-04 18:26:27 EDT
Accession Number: 0000896878-24-000039


Item 1C. Cybersecurity.

ITEM 1C - CYBERSECURITY

RISK MANAGEMENT AND STRATEGY

We host, collect, process, use, and retain large amounts of sensitive and personal data across an array of our own and third-party information systems. To help protect these systems and data, we have implemented a robust information security program that includes numerous administrative, technical, and physical safeguards. We strive to evolve our cyber defenses to help minimize impacts from cyber threats. In general, we seek to address cybersecurity risks through a cross-functional approach. This approach focuses on protecting business operations and preserving the confidentiality, integrity, and availability of systems and data by preventing and mitigating cybersecurity threats, as well as effectively responding to cybersecurity incidents when they occur.

Our information security program includes:

- Having designated information security personnel, led by our Chief Information Security and Fraud Prevention Officer (CISO), who has decades of relevant experience and has previously served as Chief Information Officer. The CISO is supported primarily by our Cybersecurity, Compliance, Risk, and Fraud Team (CyberCRAFT), which consists of approximately 490 professionals as of July 31, 2024. In addition to bringing their current expertise to their roles, CyberCRAFT professionals have the ability to participate in our specialized training and development programs to further enhance their cybersecurity skillsets and cross-train on related capabilities. The CISO works closely with the Company's internal legal team to oversee compliance with legal, regulatory, and contractual security requirements;

- Risk assessments designed to help identify and prioritize significant cybersecurity risks. Our process for identifying and assessing material risks from cybersecurity threats includes incorporation of an internally developed threat catalog and our tracking of trends for areas such as vulnerability management, our leverage of technical standards and guidance, input from our participation and collaboration with law enforcement and government initiatives, and our internal and vendor-supported threat intelligence initiatives. The cybersecurity risk assessment operates alongside our broader enterprise-wide risk assessment and management process, and key cybersecurity risks are presented to the Audit and Risk Committee in a manner that helps frame cybersecurity risks as part of a broader risk context;

- Regular testing and assessments of our systems and controls to evaluate the information security program's maturity and effectiveness using cybersecurity frameworks (such as ISO 27001, PCI DSS, and SOC 2) and to identify and address potential vulnerabilities, and, as appropriate, we adjust our policies, standards, and processes based on testing and assessment results;

- A vulnerability management program to determine the in-scope systems, patch systems based on criticality, and disclose potential vulnerabilities;

- A cybersecurity incident response plan and scenario-specific playbooks for responding to various types of cybersecurity incidents;

- Business continuity and disaster recovery plans to support more effective response and recovery efforts in the event of a significant cybersecurity incident or disruption;

- The use of external service providers and consultants to assess or monitor the environment or otherwise assist with aspects of our cybersecurity controls;

- Commercially available and customized security technologies and security and business controls to limit access to and use of such sensitive data;

- A security awareness and training program for our employees and contractors, with role-based training for certain personnel and positions; and

- A third-party risk management framework designed to monitor and address cybersecurity risks from various third parties (including vendors, service providers, and other contractors) that includes diligence regarding the third party's cybersecurity capabilities and additional monitoring of certain third parties based on the results of diligence. In addition, we have established standard contractual terms and conditions regarding cybersecurity applicable to third parties, as well as further downstream parties, that may be tailored to the use case and sensitivity of any data or business processes involved.

Additionally, we maintain cybersecurity insurance which may cover some or all of the potential losses from a cybersecurity incident.

During the last fiscal year, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that materially affected Intuit, including its business strategy, results of operations, or financial condition. However, we continue to face ongoing and increasing cybersecurity risks which may materially affect us in the future. Additional information on the cybersecurity risks is discussed in "Risk Factors" in Item 1A of Part I of this Annual Report, including without limitation the risk that "Security incidents, improper access to or disclosure of our data or customers' data, or other cyberattacks on our systems could harm our reputation, business, and financial condition."

GOVERNANCE

Management is responsible for the day-to-day administration of Intuit's cybersecurity policies, processes, practices, and risk management. The Audit and Risk Committee of our Board of Directors provides primary oversight of cybersecurity risks and the Company's efforts to mitigate those risks.

MANAGEMENT OVERSIGHT

As part of management oversight, our CEO receives monthly updates from the CISO and representatives from CyberCRAFT. These updates provide a recurring overview of cybersecurity trends and status updates (e.g., security events, fraud detection, IT roadmap progress, follow-up from prior assessments, security awareness exercise results), as well as a more focused analysis on select cybersecurity topics for the month. Examples of prior topics include: recent cybersecurity legislation, cybersecurity incidents affecting external entities, and trends in cybersecurity controls and adoption. As part of our incident response processes, incidents are classified based on the incident's characteristics. For certain risk-based classifications of incidents, the CEO and other members of the executive leadership team are also informed and contribute as part of our incident response processes.

BOARD OVERSIGHT

Our full Board of Directors provides ultimate oversight for the cybersecurity program, in addition to other significant risks of Intuit. The Board of Directors has delegated primary oversight of cybersecurity risks to the Audit and Risk Committee. On a quarterly basis, the CISO and CyberCRAFT specialists present the Audit and Risk Committee with updates, metrics, and trends, such as the status of prior security events, existing and emerging threat landscapes, the results of audits or assessments, fraud prevention efforts, vulnerability detection and disclosure changes, the status of projects to strengthen our security systems and improve incident readiness, and how these may affect broader enterprise risk management. Under our incident response processes' risk-based escalation protocols, the CISO, or other management, escalates certain incidents to the chair of the Audit and Risk Committee, who may then involve the broader committee or the full Board of Directors, as appropriate.


Company Information

Name: INTUIT INC.
CIK: 0000896878
SIC Description: Services-Prepackaged Software
Ticker: INTU - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: July 30