FACTSET RESEARCH SYSTEMS INC 10-K Cybersecurity GRC - 2025-10-22

Page last updated on October 22, 2025

FACTSET RESEARCH SYSTEMS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-10-22 06:04:51 EDT.

Filings

10-K filed on 2025-10-22

FACTSET RESEARCH SYSTEMS INC filed a 10-K at 2025-10-22 06:04:51 EDT
Accession Number: 0001628280-25-045769

Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We maintain an information security program with a dedicated internal team that is tasked with leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. Our information security team is responsible for identifying, assessing, managing, and responding to cybersecurity risks, threats and incidents relating to the protection of our information assets, systems and operations. The information security team also oversees the detection, prevention, mitigation and remediation of all cybersecurity incidents. Our information security team proactively monitors emerging cyber threat activity to proactively tune and upgrade our cyber capabilities to maintain a robust security posture.

Our information security program is managed by a dedicated Chief Information Security Officer ("CISO") who reports to our Chief Technology Officer, a member of our Executive Leadership Team ("ELT"). Our CISO has a graduate degree in computer engineering and has worked in cybersecurity for over two decades, including at a major financial institution. The information security team is comprised of approximately 60 employees, with dedicated teams assigned to governance, risk and compliance, identity and access management, strategy and architecture, and analytics and automation. The team operates from FactSet locations around the world, including offices in the U.S., India, the Philippines and Europe.

FactSet's information security and governance framework is guided by International Organization for Standardization ("ISO") 27001 and System and Organization Control ("SOC") 2 Trust Service Criteria and the National Institute of Standards and Technology ("NIST") Cybersecurity Framework. Cybersecurity risk management is integrated into our broader Enterprise Risk Management ("ERM") framework. FactSet's ERM program is designed to identify, prioritize and assess the most significant risks that could impact our ability to achieve our strategic business objectives. Our information security leadership team, in concert with our ERM team, reviews our cybersecurity risks each quarter through our enterprise risk assessment process.

FactSet's information security program is grounded in a risk-based approach. Our information security team undertakes various activities to assess, identify and manage risks from cybersecurity threats, including managing security controls, conducting penetration testing, leading training and tabletop exercises (including an annual tabletop exercise with the ELT), and conducting internal and external vulnerability assessments. All FactSet's employees receive mandatory annual cybersecurity training; software engineers receive training on secure software development best practices; and other ad hoc training is provided to employees on the latest cyber threat landscape. In addition, we also perform quarterly "phishing simulations" to test the effectiveness of our security training program.

FactSet's information security team performs annual penetration testing with leading service providers, to mimic motivated threat actors, to assess the internal and external security posture of the Company. Findings from the penetration test and our internal and external vulnerability assessments are classified using a combination of scores and internal business metrics.

We have processes to identify and mitigate cybersecurity risks stemming from our relationships with third parties, including protocols to assess vendors' cybersecurity programs before we engage them and to monitor vendors, once engaged, for ongoing compliance with our cybersecurity standards.

We also have an incident response plan that provides procedures for how we can detect, respond to, and recover from potential cybersecurity incidents, which include processes designed to triage, assess severity, escalate, contain, investigate, and remediate any incident, as well as to comply with any applicable legal obligations and mitigate potential brand and reputational damage.

Our information security program is regularly evaluated by internal and external experts with the results of those reviews reported to senior management, including the ELT and the FactSet Audit Committee, and, where appropriate, the Board of Directors (the "Board"). We also actively engage with key vendors, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures.

The cybersecurity threat landscape is dynamic and volatile and requires significant investment. To date, risks from cybersecurity threats have not materially affected, and we do not believe are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. As discussed more fully under Item 1A, Risk Factors in this Annual Report on Form 10-K, although our processes are designed to help identify, detect, prevent, respond to, and mitigate cybersecurity risks, cybersecurity threats are rapidly evolving and we may not be able to anticipate, prevent, or detect all such attacks and there is no guarantee that a future cybersecurity incident could not materially affect our business strategy, results of operations, or financial condition.

Cybersecurity Governance

Cybersecurity is an important part of our Audit Committee, Board and ELT's risk management focus. The Board coordinates with the Audit Committee for active Board- and Committee-level oversight of the Company's technology and cyber risk profile, cyber strategies and information security initiatives. The Audit Committee monitors management's responsibility in the area of risk oversight, including cybersecurity risks. At each regular meeting, the Audit Committee receives updates from the CISO, regarding trends, emergent risks to our technology infrastructure, major updates on security assessments and threat landscape, and the steps we are taking to respond to these matters. The CISO also provides an annual update to the Board, or as may otherwise be required.

Management has day-to-day responsibility for identifying risks facing FactSet, formulating risk management policies and procedures, managing our key risk exposures on a day-to-day basis and setting the right "tone at the top." As part of this, the ERM and technology teams, including the CISO, also deliver regular updates to the ELT on cybersecurity and related matters.


Company Information

Name: FACTSET RESEARCH SYSTEMS INC
CIK: 0001013237
SIC Description: Services-Computer Programming, Data Processing, Etc.
Ticker: FDS - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: August 30