ADOBE INC. 10-K Cybersecurity GRC - 2025-01-13

Page last updated on January 13, 2025

ADOBE INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-13 16:02:17 EST.

Filings

10-K filed on 2025-01-13

ADOBE INC. filed a 10-K at 2025-01-13 16:02:17 EST
Accession Number: 0000796343-25-000004

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Adobe has certain security processes, infrastructure, systems, policies and practices for assessing, identifying and managing risks from cybersecurity threats. We maintain an information security risk management framework for managing cybersecurity risks, priorities and projects for our products, services, infrastructure and corporate resources. As part of our framework, a cybersecurity risk steering committee meets regularly to review newly identified risks and progress on remediating existing risks. We conduct regular security reviews, simulations and testing, including internal and external penetration testing, vulnerability assessments and regular scans on our hosts and network devices. We review available threat intelligence, including information from industry groups and our security vendor. We consult with third parties, including cybersecurity consultants, as part of our cybersecurity threat and risk management strategy. Depending on the environment, our risk mitigation strategies include a variety of technical, physical and operational measures designed to manage and mitigate material risks from cybersecurity threats to our systems and data. We require employees annually to complete a general security awareness training, and additional engineering and security specific training may also be required for certain positions. Further, we maintain a vendor security review program, which is designed to provide an assessment of the security practices of those third-party vendors that process Adobe non-public data or connect to our networks. We maintain an information security incident response plan designed to monitor, analyze, address, escalate and report cybersecurity incidents, and escalate certain cybersecurity incidents to members of management depending on the circumstances, including our Chief Security Officer (“CSO”), Chief Cybersecurity Legal and Privacy Officer (“CCPO”), Chief Financial Officer, Chief People Officer, President of Digital Media, President of Digital Experience, General Counsel and Chief Executive Officer. For a description of the risks from cybersecurity threats that may materially affect us, see the risks described in the section titled “Risk Factors” contained in Part I , Item IA of this report, including under the headings “Security incidents, improper access to or disclosure of our customers’ data or other cybersecurity incidents may harm our reputation and materially and adversely affect our business.” Governance Our Board of Directors (the “Board”) addresses cybersecurity risk management as part of its general oversight function. The Audit Committee of the Board (the “Audit Committee”) has oversight of enterprise risks, including risks related to cybersecurity. In this regard, the Audit Committee reviews and discusses with management the adequacy and effectiveness of our information security, technology and privacy policies and the internal controls regarding these areas. Our Audit Committee receives regular cybersecurity updates about general cybersecurity risks from our CSO and updates about the prevention, detection, mitigation and remediation of cybersecurity incidents from our CSO and CCPO. Cybersecurity updates presented to the Audit Committee are reported to the Board by the Audit Committee Chair . We also have a Cyber Disclosure Committee, comprised of cross-functional leaders including finance, risk, operations and investor relations and led by the CSO and CCPO, that meets to assess certain incidents and makes determinations regarding materiality. Additionally, our CSO and CCPO identify certain cybersecurity risks that are reviewed as part of the enterprise risk management framework and presented to the Board and the Audit Committee on an annual basis. Our cybersecurity risk assessment and management processes are implemented and maintained by certain management members, including our CSO and CCPO , whom each has extensive cybersecurity experience in their respective areas of responsibility and expertise. Our CSO, who reports to the Chief Financial Officer, has primary responsibility for hiring appropriate information security personnel and managing workloads of information security personnel, engaging and overseeing third-party cybersecurity consultants, approving budgets and cybersecurity processes, preparing for incident response, reviewing security assessments and other security-related reports, communicating key priorities to relevant personnel, including the security incident response team, assessing and managing Adobe’s overall cybersecurity strategy, standards, risk management (in consultation with the cybersecurity risk steering committee) and processes. Our CCPO, who reports to the General Counsel, has primary responsibility for the legal aspects of the cybersecurity program, including assessing and providing advice on our cybersecurity strategy, standards, risk management, policies, processes and legal obligations. Our CSO and CCPO are supported by a cybersecurity team comprised of cybersecurity, information security, information technology, operations and legal executives and professionals.

Company Information