JONES FINANCIAL COMPANIES LLLP 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

JONES FINANCIAL COMPANIES LLLP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 12:46:04 EDT.

Filings

10-K filed on 2024-03-12

JONES FINANCIAL COMPANIES LLLP filed an 10-K at 2024-03-12 12:46:04 EDT
Accession Number: 0000950170-24-029758

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Partnership has an enterprise risk management framework that includes assessing, identifying and managing material risks from cybersecurity threats, overseen by the Managing Partner, the Enterprise Leadership Team (“ELT”), Enterprise Risk Management Committee (“ERMC”) and Audit Committee. See Part III, Item 10 Risk Management for a description of the Partnership’s overall risk management and governance. The Partnership has a Chief Information Security Officer (“CISO”) responsible for information security policy and for the prevention, mitigation, detection, and remediation of cybersecurity incidents. The Firm’s current CISO joined Edward Jones as a general partner in his current role in 2021 after more than 20 years in the financial services industry. The CISO is a Certified Information Systems Security Professional and serves on the board of directors of the National Technology Security Coalition and member of the International Information System Security Certification Consortium. The CISO reports directly to a member of the ELT, the Partnership’s Head of Digital, Data and Operations. See Part III, Item 10 Directors, Executive Officers and Corporate Governance for additional information on the Head of Digital, Data and Operations. The CISO also meets with the ELT and Audit Committee to report on cybersecurity threat management, policies, and incidents and has regularly scheduled and as-needed meetings with the Managing Partner. The CISO is also a member of ERMC and regularly participates in its meetings. The Partnership seeks to protect the confidentiality, integrity, and availability of its information systems and data through layered defenses designed to facilitate management of cybersecurity risks across five key domains: identification, protection, detection, response and recovery. The Partnership developed its cybersecurity program in consultation with the National Institute of Standards and Technology Cyber Security Framework. The Partnership s cybersecurity risk management processes include regular network, endpoint and electronic communication monitoring, access controls, vulnerability scanning and assessments, annual information security training for associates, tabletop exercises to inform our associates risk identification and assessment. In addition, the Partnership monitors for cybersecurity threats by conducting regular reviews of the cybersecurity threat landscape, maintaining dedicated internal teams to monitor for and respond to insider threats and potential cybersecurity incidents. In addition to the Partnership s internal resources, the Partnership engages third-party security consultants to facilitate the Partnership s tabletop exercises, perform assessments and penetration tests of key information security controls across the Firm’s information systems and provide after-hours support as well as on demand surge support and incident response. The Partnership seeks to mitigate third-party cybersecurity risk though due diligence on prospective service providers that process or store information and negotiates contractual provisions requiring policies and procedures that meet a standard of care for data security and related controls. The Partnership also has processes in place designed to monitor information security incidents and other disruptions of third-party systems that the Partnership relies on. The Partnership has a dedicated Cyber Risk Management (“CRM”) function and corresponding team that is responsible for tracking identified cybersecurity risks, advising on the Partnership’s information security and cybersecurity policies, processes and procedures and monitor remediation activities. The CRM team also conducts initial and periodic due diligence on third-party vendors to evaluate the strength of their security control processes and procedures and associated governance capabilities. In performing its functions, the CRM team coordinates regularly with other risk management teams at the Partnership, as well as the CISO. The Partnership established a Privacy and Information Security Incident Response Plan ( IRP ) addressing the identification, communication, and classification of, and the response to, potential cybersecurity incidents and other disruptions of information systems. All investigation and reporting pursuant to the IRP is conducted at the direction of the Partnership s Chief Privacy Officer. Associates are required to report and address any suspicious or inappropriate activity and can leverage a tool to report suspected cybersecurity threats via email. Pursuant to the IRP, once a cybersecurity event is identified, it is ascribed a severity level and/or associated tasks and cases in order to appropriately track and handoff any response and remediation efforts across our teams. The IRP provides for the communication of roles, responsibilities, and on-call escalation paths to communicate incidents to key stakeholders. Information security events are managed by designated teams whose roles and responsibilities are defined to facilitate quick, effective, and orderly responses. The Chief 27 PART II Item 1C. Cybersecurity, continued Privacy Officer, in collaboration with the CISO, is required to review the IRP on at least an annual basis, which may include the incorporation of any lessons learned from prior incidents. The Partnership has an enterprise-wide business resiliency program, policy and framework to assist in planning for, and mitigating disruption to the Partnership’s business operations from, incidents including cybersecurity events, through risk assessment, business impact analysis, response plan development, training, testing, and ongoing maintenance. The Business Resilience Department is responsible for creating and maintaining the Partnership’s business resilience policy and framework and overseeing the program’s implementation in collaboration with sponsors and leaders from the Firm’s business areas. A Business Resilience Oversight Group comprised of general partners meets at least semi-annually and provides oversight of business resilience strategy, risk management, resources, performance, and integration into business processes. Elements of business continuity plans vary based on the nature of the processes involved and the impacts of the incident but can include planning related to human capital, real estate, third-party relationships and technology infrastructure. As part of its business resiliency planning, the Partnership has data centers in two geographically distinct locations and its third-party vendors have data centers in several regions of the United States. A prolonged interruption at any site or of critical systems or software may result in an extended delay of service to the Partnership’s clients and substantial costs and expenses. The Partnership, in the normal course of business, at times experiences cybersecurity threats and incidents affecting its data or systems or systems of third parties relied on by the Partnership, and the Partnership’s programs and measures discussed above may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us in the future. The Partnership has not identified any previous cybersecurity incidents that have materially affected or are reasonably likely to have a material effect on its business strategy, reputation, financial condition or results of operations. For information on material risks of potential cybersecurity threats, refer to Part I, Item 1A Risk Factors Risks Related to Business Operations Information Security Incidents and Fraud.
Item 1C. Cybersecurity, continued Privacy Officer, in collaboration with the CISO, is required to review the IRP on at least an annual basis, which may include the incorporation of any lessons learned from prior incidents. The Partnership has an enterprise-wide business resiliency program, policy and framework to assist in planning for, and mitigating disruption to the Partnership’s business operations from, incidents including cybersecurity events, through risk assessment, business impact analysis, response plan development, training, testing, and ongoing maintenance. The Business Resilience Department is responsible for creating and maintaining the Partnership’s business resilience policy and framework and overseeing the program’s implementation in collaboration with sponsors and leaders from the Firm’s business areas. A Business Resilience Oversight Group comprised of general partners meets at least semi-annually and provides oversight of business resilience strategy, risk management, resources, performance, and integration into business processes. Elements of business continuity plans vary based on the nature of the processes involved and the impacts of the incident but can include planning related to human capital, real estate, third-party relationships and technology infrastructure. As part of its business resiliency planning, the Partnership has data centers in two geographically distinct locations and its third-party vendors have data centers in several regions of the United States. A prolonged interruption at any site or of critical systems or software may result in an extended delay of service to the Partnership’s clients and substantial costs and expenses. The Partnership, in the normal course of business, at times experiences cybersecurity threats and incidents affecting its data or systems or systems of third parties relied on by the Partnership, and the Partnership’s programs and measures discussed above may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us in the future. The Partnership has not identified any previous cybersecurity incidents that have materially affected or are reasonably likely to have a material effect on its business strategy, reputation, financial condition or results of operations. For information on material risks of potential cybersecurity threats, refer to Part I, Item 1A Risk Factors Risks Related to Business Operations Information Security Incidents and Fraud.

Company Information