JACOBS SOLUTIONS INC. 10-K Cybersecurity GRC - 2024-11-25

Page last updated on November 26, 2024

JACOBS SOLUTIONS INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-25 06:37:16 EST.

Filings

10-K filed on 2024-11-25

JACOBS SOLUTIONS INC. filed a 10-K at 2024-11-25 06:37:16 EST
Accession Number: 0000052988-24-000065

Item 1C. Cybersecurity.

We maintain a cybersecurity program, designed to proactively identify, assess, manage, mitigate, and respond to cybersecurity threats. Our Cybersecurity Organization develops, implements, and maintains this program, which is documented in our global cybersecurity policy. The underlying controls of the cybersecurity program are based on recognized best practices and standards for cybersecurity and information technology and is aligned to the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the International Organization Standardization (“ISO”) 27001 Information Security Management System Requirements.

Cybersecurity is an important and integrated part of our enterprise risk management program that identifies, monitors and mitigates business, operational and legal risks. Our cybersecurity risk management process is integrated into our overall risk management process, and shares common methodologies, reporting channels and governance processes that apply across the risk management process to other legal, compliance, strategic, operational and financial risk areas.

We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. Our cybersecurity program maintains assessment protocols for proactively evaluating potential cybersecurity impacts and risks, supported by incident response procedures. We employ systematic processes to manage cybersecurity risks, including through cybersecurity audits, interconnectivity with business networks, system access controls and monitoring, and data back-up and recovery. Our cloud environments undergo continuous assessment, with firewall and backup systems designed to support operational resilience. We employ a Zero Trust Security framework that requires identity verification for network access, complemented by regular system assessments and monitoring.

Our security controls include identity management programs, data loss prevention protocols, and threat detection capabilities. Our controls undergo regular review and updates based on threat intelligence, ensuring adaptability to emerging threats. Similarly, our incident response program is regularly tested and updated to address emerging threat landscapes.

To ensure organization-wide security awareness, cybersecurity training is mandatory and issued to all employees annually. Cybersecurity awareness is also included across other training programs, including our annual Code of Conduct and privacy training programs.

Third-party risk management is a critical component of our security strategy. We maintain oversight of service providers through a proactive monitoring approach, leveraging a cybersecurity questionnaire and security and privacy addenda to our contracts where applicable. We evaluate third party providers for maintenance of effective security management programs, compliance with information handling and asset management protocols, and require prompt notification of known or suspected cyber incidents.

To validate our security posture, we engage independent external parties to conduct regular penetration testing and security audits, and to provide cybersecurity consulting services. We maintain ISO 27001 certification for our global enterprise. Additionally, our IT General Controls (ITGC) undergo annual testing through Sarbanes-Oxley audits, which examine security controls relating to system changes, access management, system configurations, and data backup processes.

Our Board of Directors has ultimate oversight of cybersecurity and information security risk, which it manages as part of our enterprise risk management program. Specifically, the Board is assisted by the Audit Committee and the ESG and Risk Committee, which oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks, and reports to the Board. Throughout the year, our senior executives, including our Chief Information Security Officer (“CISO”), provide regular briefings to the full Board, the Audit Committee and the ESG and Risk Committee. These presentations cover technology trends, regulatory developments, disclosure requirements, legal issues, policies and practices, threat environment assessments, and ongoing security measures to prevent, detect, and respond to critical threats. The Board, the Audit Committee and the ESG and Risk Committee regularly discuss cybersecurity and information security risks with our senior executives.

As part of our cybersecurity governance, we also utilize a Cybersecurity Steering Committee comprised of executive management, operational leaders, and cross-functional teams. Generally, this committee meets quarterly, or more frequently as appropriate, to review, assess and direct decisions related to cybersecurity and information systems matters.

Our cybersecurity program is led by our CISO, who reports to our Chief Information Officer (CIO). Our CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the information security team, many of whom have decades of experience and hold certifications such as a Certified Information Systems Security Professional or Certified Information Security Manager, and through the use of technological tools and software and engagement with external consultants. Our CISO has extensive experience assessing and managing cybersecurity programs and cybersecurity risk and holds the following certifications: Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (CEH), a FINRA Licensed (with a Series 99), and an Oracle Cloud Certified Professional (OCP). Our CISO and CIO regularly report directly to the Board, the Audit Committee and the ESG and Risk Committee on our cybersecurity program and efforts to prevent, detect, mitigate, and remediate incidents. In addition, in the event of an incident, we intend to follow our incident response procedures that include notification processes to inform senior management and the Board of Directors and provide ongoing updates regarding any such incident until it has been remediated as appropriate.

Our operations are subject to cybersecurity risks, including unauthorized access, system failures, and breaches that could originate from both internal networks and through third-party suppliers and service providers. While we have not experienced a material impact on our business strategy, results of operations and/or financial condition resulting from cybersecurity threats or previous cybersecurity incidents, such events have the potential to have a material adverse effect on our business strategy, results of operations and financial condition, including by damaging or interrupting access to our information systems or networks, compromising confidential or otherwise protected information, destroying or corrupting data, or otherwise disrupting our operations. We continuously monitor our networks for unauthorized access attempts and maintain defensive measures; however, the dynamic nature of cyber threats means we cannot guarantee prevention of all potential future incidents that could materially impact our business operations, financial condition, or strategic objectives. Even if we successfully defend our own digital technologies and services, we also rely on providers of third-party products, services, and networks, with whom we may share data and services, and who may be unable to effectively defend their digital technologies and services against attack.


Company Information

Name: JACOBS SOLUTIONS INC.
CIK: 0000052988
SIC Description: Heavy Construction Other Than Bldg Const - Contractors
Ticker: J - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 26