FRANKLIN RESOURCES INC 10-K Cybersecurity GRC - 2024-11-12

Page last updated on November 12, 2024

FRANKLIN RESOURCES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-12 14:07:56 EST.

Filings

10-K filed on 2024-11-12

FRANKLIN RESOURCES INC filed a 10-K at 2024-11-12 14:07:56 EST
Accession Number: 0000038777-24-000206

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We recognize the importance of assessing, identifying and managing material risks from cybersecurity threats. Our cybersecurity program focuses on (i) identification of and protection from cybersecurity risks, (ii) detection and analysis of cybersecurity events, (iii) response to and recovery from cybersecurity incidents, and (iv) education and awareness. Under our program, designated personnel are responsible for: - assessing the severity of a cybersecurity incident and associated threat; - containing the threat; - remediating the threat, including recovery of data and access to systems; - analyzing the reporting obligations associated with the incident; and - performing post-incident analysis and program improvements. Our cybersecurity team is led by our Chief Security Officer (“CSO”) or the CSO’s delegee partnering with our risk, technology, legal, compliance, privacy, human resources, and other applicable business teams. Identification and Protection. Our cybersecurity program has established processes to identify and categorize cybersecurity threats and vulnerabilities as part of our risk identification process, pursuant to which we regularly seek to obtain, monitor, assess and respond to evolving threat and vulnerability information. Information about threats and vulnerabilities generally originates from multiple sources, including, but not limited to, government, information-sharing organizations, industry threat intelligence sources, and third parties. The identification of risks is supported through various security controls and testing to help minimize exposure to reported cybersecurity threats and vulnerabilities. These security controls include, but are not limited to, penetration testing, compromise assessments, vulnerability scanning, and various additional internal and external security audits and assessments. In addition, we maintain a third-party risk management program that includes an initial and periodic cybersecurity assessment on critical vendors’ security posture and controls. Detection and Analysis . Cybersecurity incidents may be detected through a variety of means, which include, but are not limited to, automated event-detection notifications or similar technologies which are monitored by our security operations team, as well as notifications from employees or third-party providers. Once a cybersecurity incident is identified, including third-party cybersecurity events, our incident response team investigates the incident, determines the nature of the event and assesses the severity of the event and sensitivity of any compromised data. Response and Recovery . In the event of a cybersecurity incident, our initial focus is to contain the cybersecurity incident as quickly as possible consistent with our incident response plan. Once a cybersecurity incident is contained, we focus on remediation and recovery activities which depend on the nature of the cybersecurity incident. We have relationships with third-party providers to assist with cybersecurity containment and remediation efforts, including for example forensic investigations, and incident response management. If a cybersecurity incident materially impacts us, or is expected to materially impact us, we promptly notify senior management, the Franklin Board of Directors (“Board”) and/or Franklin Audit Committee, as appropriate based on the severity of the incident. Our response plan also addresses engagement with appropriate individuals and committees with respect to disclosure determinations related to cybersecurity incidents. We review and, if necessary, update our cyber security incident response plan at least annually. Education and Awareness . Our cybersecurity education and awareness program for employees and contractors covers a wide range of cyber topics including, but not limited to, policies and procedures, business/technology roles and responsibilities, threats and vulnerabilities, data privacy, confidentiality and asset protection. Our employees and contractors are required to complete mandatory initial onboarding and annual cybersecurity trainings, supplemented by other periodic cyber-related testing and training. Governance Our Board is responsible for the oversight of our cybersecurity risk management program. The Board has delegated to the Franklin Audit Committee oversight responsibility regarding cybersecurity risks. Our CSO reports directly to our Chief Risk and Transformation Officer, each of whom has extensive experience in information security and risk management. The Board and/or Audit Committee receive(s) a report on cybersecurity matters, including threats, events and program enhancements, at least annually. We update our cybersecurity policies at a minimum annually and benchmark our program to applicable cybersecurity standards and frameworks. We are not aware of any cybersecurity threats or incidents that have materially impacted us during the fiscal year ended September 30, 2024, or that are reasonably likely to materially affect our business, including our business strategy, results of operations or financial condition. We routinely face risks of cybersecurity incidents, whether through attempted or actual: cyber-attacks or cyber intrusions, ransomware and other forms of malware, computer viruses, attachments to emails, phishing, extortion or other scams. Although we make efforts to maintain the security and integrity of our systems, these systems and the proprietary, confidential and personal information that resides on or is transmitted through them are subject to the risk of a cybersecurity incident or disruption, and there can be no assurances regarding the effectiveness of our security efforts and measures or those of our third-party providers who have access to, transmit, or store such data. For additional information regarding our cybersecurity risks, see our risk factors under Item 1A in Part I of this Annual Report.

Company Information