JANUS HENDERSON GROUP PLC 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

JANUS HENDERSON GROUP PLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:30:59 EST.

Filings

10-K filed on 2024-02-27

JANUS HENDERSON GROUP PLC filed a 10-K at 2024-02-27 16:30:59 EST
Accession Number: 0001437749-24-005720


Item 1C. Cybersecurity.

Risk Management and Strategy

We maintain a cybersecurity risk management program to identify, assess and manage material risks from cybersecurity threats and to protect the confidentiality, integrity and availability of our critical systems and information.

Our cybersecurity program takes a risk-based approach and was developed to align with ISO 27001, the international standard for information security, and we also assess ourselves against the NIST Cybersecurity framework. In addition, our cybersecurity risk management program aligns with ISO 31000, the international standard for risk management. The foregoing does not imply that we meet any technical standards, specifications or requirements, or that we have been certified on these requirements in any respect, only that we have used these industry standards as guides when designing our cybersecurity and risk management programs.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across our enterprise risk management program to other legal, compliance, strategic, operational and financial risk areas. For example, cybersecurity threats are subject to our firm-wide Risk Events Policy, which sets forth procedures for the identification, escalation, recording, investigation and approval of handling of such risk events.

Our cybersecurity risk management program includes a cybersecurity incident response plan. Major incidents emanating from cybersecurity threats are notified to our Operational Risk team through our enterprise risk management system and escalated in accordance with our incident response plan. In addition, cybersecurity has been designated as a principal risk by the Risk Committee of our Board of Directors (the "Risk Committee"), which requires regular monitoring and reporting.

We identify material risks from cybersecurity threats through various sources, including, but not limited to, controls testing, compliance testing of our security standards, penetration testing, threat intelligence, and lessons learned and assessments against control frameworks. These threats are assessed by applying our Risk and Control Self-Assessment ("RCSA"), IT risk, and cybersecurity risk management processes, each of which we review regularly. Based on the RCSA, risks from cybersecurity threats that exceed established risk tolerance thresholds are recorded and incorporated into our reporting to the Risk Committee and senior management as described in more detail below.

We also engage third-party assessors, consultants and auditors to assist in the administration, assessment and improvement of our cybersecurity risk management program.

To help bring risks from cybersecurity threats within an acceptable range, we address risks through compensating controls or remediation, commensurate with the assessed risk level from such threats. Cybersecurity incidents that are determined to be major are escalated on a timely basis in accordance with our cybersecurity incident response plan.

With respect to third-party service providers with access to our information systems, assets or data, our security policies and procedures are designed so that diligence is conducted as appropriate on the cybersecurity controls maintained by such third parties and to ensure that the Company has cybersecurity measures in place with respect to their access to our information systems, assets or data.

We have not identified any risks from cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the business strategy, results of operations or financial condition of the Company. Please refer to the risk factor captioned "We could be subject to losses and reputational harm if we, or our agents, fail to properly safeguard sensitive and confidential information against cyberattacks or other security breaches or if our business processes are not sufficiently resilient." in Part I, Item 1A. Risk Factors, for additional description of cybersecurity risks and potential related impacts on the Company.

Governance

Our Board of Directors has established a Risk Committee to assist the Board in its oversight of risk. As part of its responsibilities, the Risk Committee oversees management's implementation of our cybersecurity risk management program.

The Risk Committee receives regular reports from our Information Security leadership on our cybersecurity risks, including key status updates, security issues, current and future priorities, independent assurance, threat landscape and audit findings. The Risk Committee regularly reports to the full Board regarding its activities, including those related to cybersecurity oversight. The full Board also receives periodic presentations on cybersecurity topics from our Information Security leadership or other internal security staff or external experts as part of the Board's continuing education program.

Our Information Security team, including our Information Security leadership, has primary responsibility for assessing and managing material risks to the Company from cybersecurity threats, including our overall cybersecurity risk management program and supervision of our internal cybersecurity personnel and our external cybersecurity consultants.

Our Information Security team supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, including receiving regular briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

Our Information Security leadership regularly briefs our Global Chief Operating Officer on cybersecurity issues, the scope of which is similar to the information presented by the Information Security leadership to the Risk Committee as described above. Major risks from cybersecurity threats determined following application of an RCSA are escalated by our Information Security leadership to the Risk Committee, Global Chief Operating Officer, Chief Technology Officer and other senior management.


Company Information

Name: JANUS HENDERSON GROUP PLC
CIK: 0001274173
SIC Description: Investment Advice
Ticker: JHG - NYSE, JUHDF - OTC
Website:
Category: Large accelerated filer
Fiscal Year End: December 30