Page last updated on January 28, 2025
Jefferies Financial Group Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-28 17:10:56 EST.
Filings
10-K filed on 2025-01-28
Jefferies Financial Group Inc. filed a 10-K at 2025-01-28 17:10:56 EST
Accession Number: 0001628280-25-002833
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
Our Chief Information Security Officer (“CISO”) and the Global Information Security team (“GIS”) oversee our cybersecurity program and exercise overall responsibility for the strategic vision, design, development and implementation of, and adherence to, the program’s protocols. The comprehensive program includes policies and procedures designed to protect our systems, operations and the data entrusted to us from anticipated threats or hazards. The program applies seven layers of controls: governance, identification, protection, detection, response, recovery and third-party vendor management. The CISO reviews the cybersecurity framework annually as well as on an event-driven basis, as necessary, and reviews the scope of cybersecurity measures periodically, including to accommodate changes in business practices that may implicate security-related issues. Protective measures, where appropriate, include, but are not limited to, physical and digital access controls, software security and patch management, identity verification, mobile device management, data loss prevention solutions, employee cybersecurity awareness communications and best practices training programs, security baselines and tools to detect and report anomalous activity, service provider risk assessments, network monitoring, hardware and software, and data erasure and media disposal. Measures, policies and standards are aligned with industry-leading frameworks, such as those promulgated by the International Organization for Standardization and the National Institute of Standards and Technology (“NIST”). We test our cybersecurity defenses regularly through automated vulnerability scanning to identify and remediate critical vulnerabilities. In addition, an independent vendor conducts annual penetration tests to validate our external security posture.
For certain businesses, we also conduct cyber incident tabletop exercises involving hypothetical cybersecurity incidents to test our cyber incident response processes. Tabletop exercises are conducted by the Information Technology Risk team in collaboration with outside service providers, as appropriate, and members of senior management and Legal and Compliance. Learnings from these tabletop exercises and any events that we experience are reviewed, discussed, and incorporated into our cybersecurity risk management processes, as appropriate. In addition to our internal exercises to test aspects of our cybersecurity program, we annually engage an independent third party to assess information system risks and the maturity of our cybersecurity program. The independent third party assesses the cybersecurity program against the Cyber Risk Institute Cyber Profile, a financial sector-focused framework based on the NIST Cybersecurity Framework, the results of which are reported to the Board of Directors and inform our program. We have a comprehensive cybersecurity incident response and communication plan (the “IRP”), managed by the Security Operations Group, which is designed to inform appropriate risk management and business managers of non-routine suspected or confirmed information security or cybersecurity events based on the expected risk an event presents. A team composed of individuals from several internal technical and managerial functions may be formed to investigate and remediate such an event and determine the extent of external advisor support required, including from external counsel, forensic investigators and law enforcement agencies. The IRP is reviewed at least annually. Cybersecurity is assessed by Information Technology Risk and approved by the Chief Information Officer (“CIO”) as a component of our annual, enterprise-wide Risk Control Self Assessment (“RCSA”) managed by the Operational Risk Group.
The RCSA process is independently verified by the Internal Audit Department. Additionally, our cybersecurity risk management process includes reviewing risks discerned from time to time from both internal events and from external events, alerts and reports received from a broad variety of sources. Reports from external sources are also reviewed to formulate risk mitigation and remediation strategies. The CISO periodically discusses and reviews cybersecurity risks and related mitigants with the CIO, the Head of Information Technology Risk and General Counsel and incorporates relevant cybersecurity risk updates and metrics. We conduct periodic risk assessments and adjust and enhance our cybersecurity program in response to the evolving cybersecurity landscape and to align with regulatory and industry standards. We also employ a process designed to periodically assess the cybersecurity risks associated with the engagement of third-party vendors and service providers. This assessment is conducted on the basis of, among other factors, the types of products or services provided and the extent and type of data accessed or processed by the third party.
Cybersecurity Governance
Our Board’s Risk and Liquidity Oversight Committee oversees Jefferies’ enterprise risk management. Oversight includes annually reviewing and approving the risk management framework and overarching risk appetite statements, which includes reviewing technology, cybersecurity and privacy risk and reviewing the steps management has taken to monitor and control such exposures. The CISO keeps the Board informed about our security posture and cybersecurity maturity program on a regular basis, providing updates about the current threat landscape and related risks, cybersecurity events, significant incidents and new initiatives. Our cybersecurity program is periodically assessed by the Internal Audit Department.
The results of these audits are reported to the Audit Committee. Any resulting findings and associated actions to address issues are tracked and managed to completion. In addition, the Information Technology Risk team provides key risk indicators (“KRIs”) monthly to the Operational Risk Committee, whose members include the CIO, Chief Risk Officer (“CRO”), Head of Internal Audit and the CISO. The monthly presentation includes updates on key security incidents and the trending of cybersecurity KRIs. Our dedicated GIS team is led by the CISO, who reports to the CIO. The CISO has extensive experience in cybersecurity and technology, with over twenty years’ experience managing cybersecurity in the financial and consulting services industries, and is responsible for all aspects of cybersecurity across our global businesses. The CISO works closely with the CIO, Chief Financial Officer, CRO and the Legal and Compliance Departments to develop and advance our cybersecurity strategy.
Company Information
Name | Jefferies Financial Group Inc.
CIK | 0000096223
SIC Description | Security Brokers, Dealers & Flotation Companies
Ticker | JEF - NYSE
Website | (not provided)
Category | Large accelerated filer
Fiscal Year End | November 29