Page last updated on June 25, 2025
JOHN WILEY & SONS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-06-25 10:49:04 EDT.
Filings
10-K filed on 2025-06-25
JOHN WILEY & SONS, INC. filed a 10-K at 2025-06-25 10:49:04 EDT
Accession Number: 0000107140-25-000081
Item 1C. Cybersecurity.
Risk Management and Strategy
Wiley is committed to maintaining robust cybersecurity practices to safeguard our operations, data, and stakeholders’ interests. We monitor our cybersecurity landscape and adapt our strategies and governance practices to mitigate risks in this rapidly evolving area. Wiley adopted the National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF) as a guide for its cybersecurity program to establish and maintain a continuous improvement process for identifying, assessing, and managing cyber risks and cyber-related threats. Informed by the NIST-CSF, we maintain a cybersecurity risk management program that is designed to identify, assess, manage, and mitigate cybersecurity risks and provides a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of services provided by third-party service providers.
To secure our technology environment, our organization leverages the latest software and security capabilities with a defense-in-depth and layered strategy. We deploy endpoint detection and response, network anomaly detection, and multi-factor authentication across most of our environment. We engage with various third-party consultants as well as utilize various threat intelligence services to assist in our oversight and to identify risks. We require employees with access to our information systems, including all corporate employees and consultants, to undertake annual data protection and cybersecurity training and ongoing phishing simulation exercises. In addition, Wiley’s controls are also monitored and tested on a continuous basis by an external third-party to assess the effectiveness of our cyber program.
Based on the information we have as of the date of this Annual Report on Form 10-K, we do not believe that any cybersecurity incident experienced by the Company has materially affected or is reasonably likely to materially affect Wiley, including our business strategy, results of operations, or financial condition. For additional information about cybersecurity risks, see Item 1A. “Risk Factors.”
Governance
Our Board is responsible for the overall oversight of our enterprise risk management. The Board receives regular updates on the key risks to the organization on a quarterly basis. The Board has delegated oversight of cybersecurity risks to the Audit Committee. The Audit Committee receives quarterly and yearly cybersecurity updates from the Company’s Chief Information & Security Officer (CISO), which includes updates on the Company’s cybersecurity policies and strategies, cyber risks and threats, the status of projects designed to continuously improve the Company’s information security systems, assessments of the Company’s security program, employee training and awareness programs, emerging threat landscape, and engagement with external cybersecurity experts and advisors, as needed.
Management’s Role
Management is responsible for day-to-day risk management activities, including identifying and assessing cybersecurity risks, establishing processes to ensure that potential cybersecurity risk exposures are monitored, implementing appropriate mitigation or remediation measures, and maintaining cybersecurity programs. Risk mitigation strategies and key performance indicators are defined, and tracked, as part of the quarterly internal reporting. The information security team consists of subject matter experts in the fields of security operations, governance risk and compliance (GRC), application security, fraud, identity and access management, and security architecture.
Our security operation center (SOC) monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents through a variety of technical and operational measures and regularly reports to our CISO. Our CISO is part of the senior management team and regularly updates the Audit Committee on the company’s cybersecurity program, including cybersecurity risks, incidents, and mitigation strategies. The information security team is led by the CISO who has 29 years of experience in business risk management and cybersecurity.
The information security team has established processes and procedures that guide and enable continuous monitoring, detection, prevention, mitigation, and remediation of cybersecurity incidents. These processes are carried out using various security platforms tools, capabilities, and strategies including tests of our information security program, tabletop exercises, penetration and vulnerability testing, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. Incident response teams within the SOC utilize procedures that identify escalation paths when security events are identified. Incident priorities dictate escalation of events and how they are reported from an incident commander up to the executive leadership team within Wiley as well as to the Board.
Despite our efforts, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced an undetected cybersecurity incident. The threat landscape is constantly changing and will continue to as new technologies, such as AI, evolve.
Company Information
Name | JOHN WILEY & SONS, INC. |
CIK | 0000107140 |
SIC Description | Books: Publishing or Publishing & Printing |
Ticker | WLY - NYSE; WLYB - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | April 29 |