JANUS HENDERSON GROUP PLC 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

JANUS HENDERSON GROUP PLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:31:09 EST.

Filings

10-K filed on 2025-02-27

JANUS HENDERSON GROUP PLC filed a 10-K at 2025-02-27 16:31:09 EST
Accession Number: 0001437749-25-005488


Item 1C. Cybersecurity.

Risk Management and Strategy

To effectively manage the cyber risk posed to our organization and to remain within our risk appetite, we maintain a cybersecurity strategy and risk management program to identify, assess and manage material risks from cybersecurity threats with the aim of protecting the confidentiality, integrity and availability of our critical systems and information. Our cybersecurity program takes a cyberthreat and risk-based approach and was developed to align with ISO 27001, an international standard for information security, and we also assess ourselves against the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. In addition, our cybersecurity risk management program aligns with ISO 31000, the international standard for risk management. The foregoing does not imply that we meet all technical standards, specifications or requirements, or that we have been certified on these requirements in any respect, only that we have used these industry standards as guides when designing our cybersecurity and risk management programs.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across our enterprise risk management program to other legal, compliance, strategic, operational and financial risk areas. For example, cybersecurity threats are subject to our firm-wide Risk Events Policy, which sets forth procedures for the identification, escalation, recording, investigation and approval of handling of such risk events. Our cybersecurity risk management program includes a cybersecurity incident response plan. Major incidents emanating from cybersecurity threats are communicated to our Operational Risk team through our enterprise risk management system and escalated in accordance with our incident response plan.

In addition, cybersecurity has been designated as a principal risk by the Risk Committee of our Board of Directors (the “Risk Committee”), which requires regular monitoring and reporting. We identify material risks from cybersecurity threats through various sources, including, but not limited to, controls testing, compliance testing of our security standards, independent penetration testing, open-source threat intelligence feeds, and lessons learned and assessments against control frameworks. These threats are assessed by applying our Risk and Control Self-Assessment (“RCSA”), information technology risk and cybersecurity risk management processes, each of which we review regularly. Based on the RCSA, risks from cybersecurity threats that exceed established risk tolerance thresholds are recorded and incorporated into our reporting to the Risk Committee and senior management as described in more detail below. We also engage third-party assessors, consultants and auditors to assist in the administration, assessment and improvement of our cybersecurity risk management program. To help bring risks from cybersecurity threats within an acceptable risk appetite and tolerance level, we created a cybersecurity strategy and associated program of necessary activities. The program mitigates the risks through the effective design and implementation of compensating controls or remediation actions, commensurate with the assessed risk level from such threats.

With respect to third-party service providers with access to our information systems, assets or data, our security policies, standards and procedures are designed so that periodic due diligence is conducted as appropriate on the cybersecurity controls maintained by such third parties. The aim is to ensure the third-party service provider has adequate and appropriate cybersecurity measures in place commensurate to the risk their access to our information systems, assets or data presents.

We have not identified any risks from cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the business strategy, results of operations or financial condition of the Company. Please refer to the risk factor captioned “We could be subject to losses and reputational harm if we, or our agents, fail to properly safeguard sensitive and confidential information against cyberattacks or other security breaches or if our business processes are not sufficiently resilient.” in Part I, Item 1A. Risk Factors, for additional description of cybersecurity risks and potential related impacts on the Company.

Governance

Our Board of Directors has established a Risk Committee to assist the Board in its oversight of risk. As part of its responsibilities, the Risk Committee oversees management’s implementation of our cybersecurity and risk management program. The Risk Committee receives regular reports from our Information Security leadership on our cybersecurity risks, including key status updates, security issues, current and future priorities, independent assurance, threat landscape and audit findings. The Risk Committee regularly reports to the full Board regarding its activities, including those related to cybersecurity oversight.

Our Information Security team, including our Information Security leadership, has primary responsibility for identifying, assessing and managing material risks to the Company from cybersecurity threats, including our overall cybersecurity risk management program and supervision of our internal cybersecurity personnel and our external cybersecurity consultants. Our Chief Information Security Officer (“CISO”) has over 20 years of information security/cybersecurity experience, working in a variety of roles within PricewaterhouseCoopers LLP, as the Director of Cyber Operations for Nationwide Building Society, the CISO at The Crown Estate and the CISO at Insight Investment.

Our Information Security team supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, including receiving regular briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment. Our Information Security leadership regularly briefs our Global Chief Operating Officer and Chief Technology Officer on cybersecurity issues, the scope of which is similar to the information presented by the Information Security leadership to the Risk Committee as described above. Major risks from cybersecurity threats determined following application of an RCSA are escalated by our Information Security leadership to the Risk Committee, Global Chief Operating Officer, Chief Technology Officer and other senior management.


Company Information

Name: JANUS HENDERSON GROUP PLC
CIK: 0001274173
SIC Description: Investment Advice
Ticker: JHG - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30