JONES LANG LASALLE INC 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 19, 2025

JONES LANG LASALLE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 13:55:40 EST.

Filings

10-K filed on 2025-02-19

JONES LANG LASALLE INC filed a 10-K at 2025-02-19 13:55:40 EST
Accession Number: 0001037976-25-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Our cybersecurity program, led by our Global Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”), is designed to protect and preserve the confidentiality, integrity and availability of all information and systems owned by us or in our care. The Audit and Risk Committee of our Board of Directors oversees cybersecurity, as outlined in its charter and disclosed in our proxy statement. In addition, cybersecurity is reviewed as part of our enterprise risk management program led by our Director of Enterprise Risk Management, which assesses our significant enterprise risks, provides a summary of those risks and primary mitigations, identifies control improvement projects for our significant risks, and regularly reports on the progress of control improvement projects for those risks to our GEB and the Audit and Risk Committee of our Board of Directors. Our cybersecurity strategy implements layered controls aligned with the National Institute of Standards and Technology (NIST) cybersecurity framework to minimize both the likelihood and potential impact of cybersecurity events. Our CISO, who holds advanced qualifications and has extensive experience in cybersecurity, leads a global team of cybersecurity professionals. Our CISO reports to our CIO who is responsible for the Company’s technology, data and information management strategy, and brings over two decades of relevant experience to the role. We engage third-party consultants for assessing, identifying and managing material cybersecurity risks, including those associated with certain third-party providers. We maintain a cyber incident response plan and regularly conduct simulations and tabletop exercises. In 2023, we established an executive management group responsible for determining the materiality of cybersecurity incidents and necessary disclosures. This group consists of our CISO, Chief Financial Officer, Chief Legal Officer and Chief Accounting Officer. Like other companies with a large technology footprint and high-profile client base, we are regularly subject to cyberattacks. While certain attacks have been successful, thus far none have had a material impact on our or our clients’ operations. In addition, we acknowledge that cybersecurity threats could significantly impact our business strategy, operations, or financial condition. As such, we continue to enhance our infrastructure, monitor for threats, and evaluate our response capabilities as we deploy additional mobile and cloud technologies. Also refer to our discussion of material cybersecurity risks in the “Operational Risk Factors” section of Item 1A, Risk Factors , of this report. Our Management and the Board of Directors provide significant oversight of cybersecurity risks. In May 2022, the Board expanded the Audit Committee’s charter to include cybersecurity and information technology readiness. In addition, the Audit Committee was renamed to the “Audit and Risk Committee” to more accurately align with its responsibility to assist the Board in overseeing our policies, program and related risks identified as part of the enterprise risk management framework and cybersecurity and information technology. Further enhancing our cybersecurity governance, in 2024, the Cybersecurity Subcommittee of the Audit and Risk Committee was formally established. This subcommittee generally meets on a quarterly basis and regularly reports to the Audit and Risk Committee, providing an additional layer of specialized oversight on cybersecurity matters. The Audit and Risk Committee, its Cybersecurity Subcommittee, and management’s Cyber Governance Committee receive regular reports on our information security program, including top risks, strategy, controls, incident response plans, metrics, and training protocols. Reports are also shared with the full Board of Directors. We maintain a cyber risk insurance policy, but costs related to cybersecurity threats or disruptions may not be fully insured. We acknowledge that successful cyberattacks could result in substantial costs, liability, reputational harm, and significant remediation expenses.

Company Information