JACK HENRY & ASSOCIATES INC 10-K Cybersecurity GRC - 2025-08-25

Page last updated on August 25, 2025

JACK HENRY & ASSOCIATES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-08-25 12:00:11 EDT.

Filings

10-K filed on 2025-08-25

JACK HENRY & ASSOCIATES INC filed a 10-K at 2025-08-25 12:00:11 EDT
Accession Number: 0000779152-25-000055

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cyber Risk Management and Strategy In today’s interconnected environment, information is inherently exposed to a wide range of risks, threats, and vulnerabilities. As a provider of products and services to financial institutions, Jack Henry integrates industry-standard frameworks, policies, and procedures to securely process and store sensitive information, prioritizing the protection of our associates, clients, and their private data in an ever-evolving cyber threat landscape. Jack Henry’s information and cybersecurity program is a core component of our overall enterprise risk management framework. It is maintained by a team of highly skilled cybersecurity professionals and supported by investments in modern technology, including artificial intelligence and machine learning. The program is designed to safeguard Jack Henry and client confidentiality and privacy by systematically identifying, assessing, and managing material risks and cybersecurity threats through comprehensive cyber defense, threat and vulnerability management, and cyber intelligence. It includes continuous enterprise monitoring and well-defined and regularly tested business 20 resilience and incident response procedures. We also engage third-party vendors and consultants to assist in identifying, assessing, and mitigating cybersecurity risks. Jack Henry systems and services are subject to regular reviews by the same regulatory agencies that oversee financial institutions, including the Federal Reserve Bank (“FRB”), FDIC, Office of the Comptroller of the Currency (“OCC”), NCUA, and the CFPB, among others. These reviews, including those conducted by the Federal Banking Agencies (comprised of the FDIC, FRB, and the OCC) help identify potential security gaps or control deficiencies. In addition, critical services provided to our clients undergo annual System and Organization Controls (“SOC”) reviews by independent auditors. Our associates and contractors play a vital role in the safeguarding of systems and data. All are required to complete annual security awareness training to ensure they stay current on best practices and emerging cyber threats. We also conduct routine phishing exercises to help associates and contractors recognize and appropriately respond to suspicious emails. Supplemental training is provided throughout the year to individuals and teams with elevated-risk profiles. Jack Henry relies on third-party service providers to deliver certain services and products to our clients. We evaluate and seek to mitigate the cybersecurity risks associated with these providers through pre-engagement and periodic risk assessments to ensure our standards for security are maintained. Our strategic risk management committees review and address any identified risks. In fiscal year 2025, we did not identify any cybersecurity threats, including those arising from prior incidents, that materially affected our business strategy, results of operations, or financial condition. As a large financial technology provider, we continually face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations, or financial condition. Despite our efforts to identify and respond to cybersecurity threats, we cannot guarantee that we will not experience a material cybersecurity incident in the future or that an undetected incident has not already occurred. For further discussion of cybersecurity risks, see the section entitled “Risk Factors” in Item 1A. CyberSecurity Governance and Oversight Our Board of Directors has ultimate oversight of risk management and has delegated responsibility for enterprise and operational risks, including cybersecurity, to the Board’s Risk and Compliance Committee. This Committee oversees Jack Henry’s risk assessment and management programs and reviews risk preparedness. The Audit Committee oversees financial risks and would be informed of any material cybersecurity incident that could potentially have a material impact on our financial statements. The Chief Information Security Officer (“CISO”) reports quarterly to the Risk and Compliance Committee and to the full Board of Directors on information security matters. The CISO also meets with the Risk and Compliance Committee at least annually to evaluate our overall security environment and organization. While the Board of Directors, through the Risk and Compliance Committee, maintains oversight of cybersecurity risks, management is primarily responsible for identifying, assessing, and managing these risks within our broader risk management program. The Enterprise Risk Management Committee , composed of senior executives, monitors governance, risk, and compliance enterprise-wide, including cybersecurity. Management has adopted specific policies and procedures to monitor and mitigate cybersecurity threats including an incident response program, led by the CISO and staffed by professionals with diverse expertise. Incidents meeting pre-established thresholds are escalated to management for threat assessment, mitigation, remediation, and, if necessary, disclosure to clients, third-parties, and regulators. Our CISO, who reports to the Chief Operations Officer, has primary responsibility for Jack Henry’s information security strategy, policy, security engineering, operations, and cybersecurity threat detection and response. Our CISO brings more than 20 years experience in technology and cybersecurity, including senior leadership roles at major financial institutions. Under the CISO’s direction, the information security team continuously monitors cybersecurity trends and implements proactive and defensive measures to protect against cybersecurity threats.

Company Information