Page last updated on October 28, 2024
JABIL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-28 17:03:24 EDT.
Filings
JABIL INC filed a 10-K at 2024-10-28 17:03:24 EDT
Accession Number: 0001628280-24-043960
Item 1C. Cybersecurity.
Risk Management and Strategy

We are committed to reducing the risk of cybersecurity compromise, either intentional or unintentional, to our customers, employees, and company proprietary information resources. Our cybersecurity risk management program is integrated into our global enterprise risk management framework, which is designed to help identify, monitor, and mitigate key strategic risks. Our enterprise risk assessment, which includes data protection and cybersecurity, is developed annually to provide insight into the risks with the greatest potential to impact Jabil’s strategy and our financial goals.

Key components of our cybersecurity risk management program include the following:

- Cybersecurity policies. We leverage cybersecurity industry-standard frameworks and insights from internal assessments to develop policies to guide the use of our information assets (for example, business information and information resources such as mobile phones, computers, and workstations), access to specific intellectual property or technologies, and protection of personal information. The Company has also established written policies and procedures to help ensure that cybersecurity incidents are quickly assessed and addressed.
- Risk assessment. The Company uses routine risk assessment processes to identify and prioritize cybersecurity risks, employ operational controls to mitigate risks, report incidents, and analyze trends, and employ a corrective action process to address nonconformities. Key risk indicators are used across all business functions to monitor and measure our cybersecurity risk exposure. Through this cross-functional approach, management identifies potential operational and strategic risks which could impact our strategy and financial goals.
- System safeguards. We implement industry-standard technical safeguards that are designed to protect our information systems, operations, and sensitive information from cybersecurity threats. By collaborating with internal stakeholders across the company, we integrate foundational cybersecurity principles throughout our organization, including multiple layers of cybersecurity defenses and restricted access based on business need. We frequently conduct vulnerability assessments to identify new risks and periodically test the efficacy of our safeguards through both internal and external penetration tests.
- Security Awareness and Training. Cybersecurity education contributes to safety of the Company, customer data, and employee sensitive data and assets. Our employees undergo regular training on information security, cybersecurity awareness, and the protection of confidential information. This training is designed to promote an understanding of the behaviors and technical requirements needed to safeguard Company data. Additionally, we provide ongoing education to help employees recognize and report suspicious activity. In addition, higher risk employees undergo routine anti-phishing testing and training.
- Assessments. We periodically assess and test our cybersecurity policies, standards, processes, and practices that are designed to address threats. This includes monthly metrics review, threat modeling, vulnerability testing, and other exercises to evaluate our cybersecurity effectiveness. We regularly engage third parties to assist with our assessments and testing. Where appropriate, we adjust our cybersecurity policies, standards, processes, and practices accordingly based on internal and external assessment and testing results.
- Engagement of third-party service providers. The Company utilizes third-party cybersecurity experts to assess the Company’s cybersecurity risks and conduct penetration testing to measure our cybersecurity risk management program relative to industry-standard frameworks. The Company has established a standardized process for assessing and managing potential risks associated with the engagement of third-party service providers that request access to the Company’s information systems.
- Incident response. The Cybersecurity Incident Response Team (“CIRT”) deploys, maintains, and monitors various tools and processes designed to safeguard against and detect cybersecurity incidents that may occur. As part of our incident response program, members of management are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. In accordance with established written policies and procedures, escalation protocols are used to provide information to, and engage with, executive management, the Cybersecurity Committee and the Board, throughout the incident response process. The CIRT reviews these controls regularly, and makes enhancements as needed to incorporate lessons learned, updated industry standards, and any new or revised legal requirements.

As of the date of this report, we are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Additional information about our cybersecurity risks is discussed in “Disruptions to our information systems, including security breaches, losses of data or outages, and other security issues, have and could in the future adversely affect our operations” in Item 1A. Risk Factors, which should be read in conjunction with the information above.

Governance

The Board oversees risk management directly and through its committees. Generally, the Board oversees risks that may affect the business of Jabil as a whole, including operational matters.

The Cybersecurity Committee (“the Committee”) assists the Board in fulfilling its oversight responsibilities with regard to the Company’s cybersecurity programs and risks, including the cybersecurity practices, procedures, and controls management uses to identify, assess, and manage the Company’s key cybersecurity programs and risks, to protect the confidential intellectual property information and data of the Company and its customers and to comply with applicable data protection laws and regulations. The Committee of the Board meets quarterly. At each meeting, it receives reports from the Chief Information Security Officer (“CISO”). As part of its role in overseeing risk management, the Committee periodically reports to the Board regarding briefings provided by management and advisors as well as the Committee’s own analysis and conclusions regarding cybersecurity risks faced by the Company.

The Committee will review with management and the Board, and advise them regarding the following matters, as necessary:

- Management’s implementation of cybersecurity programs, policies, and procedures and management’s actions to safeguard their effectiveness;
- The effectiveness of the Company’s cybersecurity programs and its practices for identifying, assessing, and mitigating cybersecurity risks across all business functions;
- The Company’s controls to prevent, detect and respond to cyber-attacks or information or data breaches involving the Company;
- Cyber crisis preparedness, incident response plans, and disaster recovery capabilities;
- Reports and presentations received from management and the Company’s advisors regarding the management of cybersecurity programs and risks, including protection of confidential intellectual property, information, and data.

The CISO leads the Corporate Information Security organization which oversees the security posture of Jabil’s data, networks, and resources. The CISO is responsible for notifying and providing updates on cybersecurity incidents to the Chief Information Officer (“CIO”). The CIO is responsible for overseeing global IT operations and digital transformation across the Company and leads the strategic direction on IT policies to safeguard company and client assets against cybersecurity threats.

The CISO has over 38 years of experience working in cybersecurity, risk management, and infrastructure technology and network architecture. Our CISO holds industry-recognized cybersecurity certifications, including Certified Information Systems Security Professional (CISSP) certification. The CIO has over 32 years of experience focused on corporate strategy formulation and implementation, IT management including cybersecurity, and business and process transformation.
Company Information
Name | JABIL INC |
CIK | 0000898293 |
SIC Description | Printed Circuit Boards |
Ticker | JBL - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | August 30 |