JONES FINANCIAL COMPANIES LLLP 10-K Cybersecurity GRC - 2025-03-14

Page last updated on March 14, 2025

JONES FINANCIAL COMPANIES LLLP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-14 13:26:19 EDT.

Filings

10-K filed on 2025-03-14

JONES FINANCIAL COMPANIES LLLP filed a 10-K at 2025-03-14 13:26:19 EDT
Accession Number: 0000950170-25-039256


Item 1C. Cybersecurity.

The Partnership has an enterprise risk management framework that includes assessing, identifying and managing material risks from cybersecurity threats, overseen by the Enterprise Leadership Team, which consists of the Managing Partner and up to 15 additional general partners appointed by the Managing Partner (“ELT”), the Enterprise Risk Management Committee (“ERMC”) and the Audit Committee. See Part III, Item 10 - Risk Management for a description of the Partnership’s overall risk management and governance.

The Partnership has a Chief Information Security Officer (“CISO”) responsible for information security policy and for the prevention, mitigation, detection, and remediation of cybersecurity incidents. The Firm’s current CISO joined Edward Jones in 2021, and became a general partner and the CISO in 2024. She has over 18 years of experience in computer crimes and cybersecurity, including in the defense and financial services industries. The CISO serves on the board of directors of the National Technology Security Coalition and is a member of the Financial Services CISO Forum. The CISO reports directly to the Partnership’s Head of Digital. The CISO also meets with the ELT and Audit Committee to report on cybersecurity threat management, policies, and incidents and has regularly scheduled and as-needed meetings with the Managing Partner. The CISO is also an active member of the ERMC.

The Partnership has a Chief Risk Officer (“CRO”) responsible for overseeing and managing the Partnership’s risk management processes, who has more than 20 years of experience in the information security field in various lines of defense, an extensive background with information security frameworks, cyber defense, intrusion detection and incident response, and has worked with various banking regulatory agencies throughout his career. He is a Certified Information Systems Security Professional (CISSP(R)) and a member of the International Information System Security Certification Consortium. The CRO joined Edward Jones in 2020 as CISO, became a general partner in that role in 2021 and CRO in 2024.

The Partnership seeks to protect the confidentiality, integrity, and availability of its information systems and data through layered defenses designed to facilitate management of cybersecurity risks across five key domains: identification, protection, detection, response and recovery. The Partnership developed its cybersecurity program in consultation with the National Institute of Standards and Technology Cyber Security Framework. The Partnership’s cybersecurity risk management processes include regular network, endpoint and electronic communication monitoring, access controls, vulnerability scanning and assessments, annual information security training for associates, and tabletop exercises to inform our associates’ risk identification and assessment. In addition, the Partnership monitors for cybersecurity threats by conducting regular reviews of the cybersecurity threat landscape and maintaining dedicated internal teams to monitor for and respond to insider threats and potential cybersecurity incidents. In addition to the Partnership’s internal resources, the Partnership engages third-party security consultants to facilitate the Partnership’s tabletop exercises, perform assessments and penetration tests of key information security controls across the Firm’s information systems, and provide after-hours support as well as on-demand surge support and incident response.

The Partnership seeks to mitigate third-party cybersecurity risk through due diligence on prospective service providers that process or store information and negotiates contractual provisions requiring policies and procedures that meet a standard of care for data security and related controls. The Partnership also has processes in place designed to monitor information security incidents and other disruptions of third-party systems that the Partnership relies on. The Partnership has a dedicated Cyber Risk Management (“CRM”) function and corresponding team that is responsible for tracking identified cybersecurity risks, advising on the Partnership’s information security and cybersecurity policies, processes and procedures, and monitoring remediation activities. The CRM team also conducts initial and periodic due diligence on third-party vendors to evaluate the strength of their security control processes and procedures and associated governance capabilities. In performing its functions, the CRM team coordinates regularly with other risk management teams at the Partnership, as well as the CISO.

The Partnership established a Privacy and Information Security Incident Response Plan (“IRP”) addressing the identification, communication, and classification of, and the response to, potential cybersecurity incidents and other disruptions of information systems. All investigation and reporting pursuant to the IRP is conducted at the direction of the Partnership’s Chief Privacy Officer. Associates are required to report and address any suspicious or inappropriate activity and can leverage a tool to report suspected cybersecurity threats via email. Pursuant to the IRP, once a cybersecurity event is identified, it is ascribed a severity level and/or associated tasks and cases in order to appropriately track and hand off any response and remediation efforts across our teams. The IRP provides for the communication of roles, responsibilities, and on-call escalation paths to communicate incidents to key stakeholders. Information security events are managed by designated teams whose roles and responsibilities are defined to facilitate quick, effective, and orderly responses. The Chief Privacy Officer, in collaboration with the CISO, is required to review the IRP on at least an annual basis, which may include the incorporation of any lessons learned from prior incidents.

The Partnership has an enterprise-wide business resiliency program, policy and framework to assist in planning for, and mitigating disruption to the Partnership’s business operations from, incidents including cybersecurity events, through risk assessment, business impact analysis, response plan development, training, testing, and ongoing maintenance. The Business Resilience Department is responsible for creating and maintaining the Partnership’s business resilience policy and framework and overseeing the program’s implementation in collaboration with sponsors and leaders from the Firm’s business areas. A Business Resilience Oversight Group comprised of general partners meets at least semi-annually and provides oversight of business resilience strategy, risk management, resources, performance, and integration into business processes. Specific elements of business continuity plans vary based on the nature of the processes involved but include planning related to human capital, real estate, third-party relationships and technology infrastructure. As part of its business resiliency planning, the Partnership has data centers in two geographically distinct locations and reviews the data center locations of its third parties. A prolonged interruption at any site or of critical systems or software may result in an extended delay of service to the Partnership’s clients and substantial costs and expenses.

The Partnership, in the normal course of business, at times experiences cybersecurity threats and incidents affecting its data or systems or systems of third parties relied on by the Partnership, and the Partnership’s programs and measures discussed above may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us in the future. The Partnership has not identified any previous cybersecurity incidents that have materially affected or are reasonably likely to have a material effect on its business strategy, reputation, financial condition or results of operations. For information on material risks of potential cybersecurity threats, refer to Part I, Item 1A - Risk Factors - Risks Related to Business Operations - Information Security Incidents and Fraud.


Company Information

Name: JONES FINANCIAL COMPANIES LLLP
CIK: 0000815917
SIC Description: Security Brokers, Dealers & Flotation Companies
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30