Accenture plc 10-K Cybersecurity GRC - 2024-10-10

Page last updated on October 10, 2024

Accenture plc reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-10 06:43:59 EDT.

Filings

10-K filed on 2024-10-10

Accenture plc filed a 10-K at 2024-10-10 06:43:59 EDT
Accession Number: 0001467373-24-000278


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Safeguarding data and systems is one of our most important responsibilities in building and maintaining trust, not only with our people but also with our clients and other stakeholders. Our cybersecurity risk management program is integrated into our overall enterprise risk management system and is supported by controls, policies and processes implemented across the enterprise and is designed to protect our network/technical infrastructure and the data of Accenture, our clients and our people. Our internal cybersecurity team collaborates closely with our information technology team and Accenture Security, a leading provider of end-to-end cybersecurity services, including strategy, protection, resilience and industry-specific cyber services, to continually innovate security solutions intended to address the evolving threat landscape.

Our security framework leverages a hybrid set of internationally recognized standards, including but not limited to, ISO 27001/27701, NIST Cyber Security Framework, CSA Security Trust and Assurance Registry, and CIS Critical Security Controls. We regularly measure our security posture and resilience through risk assessments, penetration testing and external validation conducted by third-party assessors and auditors. Threat intelligence sources, including those provided by Accenture Security, are also used to inform our security strategy, understand the threat landscape, and enable security risk and procedures to be integrated into the business.

Our key strategic security programs include secure integration of acquisitions and supplier cyber risk management. We utilize systems and processes designed to oversee, identify, and reduce the potential impact of cybersecurity incidents at third-party vendors, service providers or clients.

Our infrastructure vulnerability scanning and configuration compliance approach includes real-time threat detection and monitoring of threats via our security information and event management and endpoint detection and response tools to respond to security incidents at speed. We monitor for secure configuration of servers, network devices, containers and other cloud services, evaluate risks in new programs, and regularly review and strengthen our security controls.

Protecting client data is a top business priority supported by our global client data protection (CDP) program. A CDP plan is developed for our clients and is designed to provide end-to-end security risk management covering physical, application, infrastructure, and data security. The CDP program also arms our project teams with tools and controls that enable them to identify and mitigate security risks over the lifecycle of a client project. Accenture leadership reviews and monitors CDP monthly metrics, which are intended to provide oversight and accountability.

All Accenture people complete annual core information security and data privacy training, delivered in multiple courses throughout the year, to stay up-to-date on security practices and threats. In addition, our people in internal- and client-data-sensitive roles complete specialized, targeted security training to increase knowledge about role-specific threats, concepts and practices. These interactive learning programs are focused on strengthening foundational knowledge and responding to emerging threats. Agile and flexible, our training program has garnered industry recognition for its innovative approach and effectiveness.

In the event of a cybersecurity incident, we have robust playbooks to guide our incident procedures. These procedures provide a standardized framework for responding to cybersecurity incidents and include taking action to limit and contain the spread of the incident within our environment, analyzing whether and the extent to which any data may have been compromised and conducting forensic analysis to determine severity. We also have internal and external reporting and communication plans that address reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. Once an incident is resolved, a comprehensive post-incident review process is conducted.

We describe the risks from cybersecurity threats, including previous cybersecurity incidents, in Part I, Item 1A. Risk Factors - “We face legal, reputational and financial risks from any failure to protect client and/or Accenture data from security incidents or cyberattacks”. To date these risks and incidents have not had a material impact on us, including our business strategy, results of operations, and financial condition; however, there is no assurance that such impacts will not be material in the future. Cybersecurity threats are constantly expanding and evolving, becoming increasingly sophisticated and complex, increasing the difficulty of detecting and defending against them and maintaining effective security measures and protocols.

Cybersecurity Governance

Our enterprise risk management program is an annual and ongoing process designed to identify, assess and manage Accenture’s risk exposures over the short-, intermediate- and long-term. Our enterprise risk management program and disclosure controls and procedures are designed to appropriately escalate key risks to the Board of Directors, as well as to analyze potential risks for disclosure.

As part of our Board of Directors’ role in overseeing the Company’s enterprise risk management program, the Board devotes time and attention to cybersecurity and data privacy-related risks, with the Audit Committee of the Board of Directors responsible for overseeing information technology risk exposures, including cybersecurity, data privacy and data security. The Audit Committee receives reports on cybersecurity and data privacy matters and related risk exposures from management, including our chief information security officer (“CISO”), at least twice a year and more frequently as applicable. In addition, the Audit Committee’s quarterly enterprise risk management updates include developments regarding IT security and data protection. Recent topics included evolving generative AI threats, social engineering resistance and deepfake readiness. The Audit Committee regularly updates the Board on such matters and the Board also periodically receives reports from management directly. We have protocols by which cybersecurity incidents that meet established reporting thresholds are escalated within the company and, where appropriate, reported promptly to the Board.

Our CISO leads all aspects of Accenture’s global cybersecurity program, including security operations, client data protection, cyber risk reduction strategies, incident response, cybersecurity integration of acquisitions and our industry-leading behavioral change program. Our CISO joined Accenture in 1995. Prior to being appointed CISO in 2020, he helped create Accenture’s information security capability and led the implementation of information security technology. Previously, he managed large technology transformations for Accenture and for clients in the United States, Japan and Australia.

Our CISO reports to our Chief Operating Officer and is supported by a team of over 800 people with expertise in technical architecture and security operations; governance, risk and compliance; client data protection; behavioral change; and cyber incident response, many of whom hold cybersecurity certifications and possess deep technical knowledge and experience. Our information security team maintains an extensive governance network, including formal relationships with other organizations within Accenture through our Situation and Action Committee, which includes representatives from our Markets and Services and the legal, information technology, corporate services and sustainability, data privacy and business resilience services teams. In addition, our cyber incident response efforts are overseen by a cross-functional leadership team including our CISO, our General Counsel and our Chief Marketing Officer.


Company Information

Name: Accenture plc
CIK: 0001467373
SIC Description: Services-Business Services, NEC
Ticker: ACN - NYSE
Website
Category: Large accelerated filer
Fiscal Year End: August 30