JACOBS SOLUTIONS INC. 10-K Cybersecurity GRC - 2025-11-20

Page last updated on November 20, 2025

JACOBS SOLUTIONS INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-20 07:03:08 EST.

Filings

10-K filed on 2025-11-20

JACOBS SOLUTIONS INC. filed a 10-K at 2025-11-20 07:03:08 EST
Accession Number: 0001628280-25-053316


Item 1C. Cybersecurity.

We maintain a cybersecurity program, designed to proactively identify, assess, manage, mitigate, and respond to cybersecurity threats. Our Cybersecurity Organization develops, implements, and maintains this program, which is governed by our global cybersecurity policy. The underlying controls of the cybersecurity program are based on recognized best practices and standards for cybersecurity and information technology and are aligned with the National Institute of Standards and Technology ("NIST") Cybersecurity Framework ("CSF") and the International Organization for Standardization ("ISO") 27001 Information Security Management System Requirements.

Cybersecurity is an important and integrated part of our enterprise risk management program that identifies, monitors and mitigates business, operational and legal risks. Our cybersecurity risk management process is integrated into our overall risk management process, and shares common methodologies, reporting channels and governance processes that apply across the risk management process to other legal, compliance, strategic, operational and financial risk areas.

We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. Our cybersecurity program maintains assessment protocols for proactively evaluating potential cybersecurity impacts and risks, supported by incident response procedures. We employ systematic processes to manage cybersecurity risks, including through cybersecurity audits, network interconnectivity reviews, system access controls and monitoring, and data backup and recovery. Our cloud environments undergo continuous assessment, with firewall and backup systems designed to support operational resilience. We employ a Zero Trust Security framework that requires identity verification for network access, complemented by regular system assessments and monitoring.
Our security controls include identity management programs, data loss prevention protocols, and threat detection capabilities. Our controls undergo regular review and updates based on threat intelligence, ensuring adaptability to emerging threats. Similarly, our incident response program is regularly tested and updated to address emerging threat landscapes. To ensure organization-wide security awareness, cybersecurity training is mandatory and provided to all employees annually. Cybersecurity awareness is also included across other training programs, including our annual "Living our Values" training modules and our privacy training programs.

Third-party risk management is a critical component of our cybersecurity strategy. We maintain oversight of service providers through proactive monitoring, leveraging a cybersecurity questionnaire and security and privacy addenda to our contracts where applicable. We evaluate third party providers to ensure they maintain effective security management programs, compliance with information handling and asset management protocols, and provide prompt notification of any known or suspected cybersecurity incidents.

To validate our security posture, we engage independent external firms to conduct regular penetration testing, security audits, and cybersecurity consulting. We maintain ISO/IEC 27001 certification for our global enterprise. We also maintain a Cybersecurity Maturity Model Certification (CMMC) L2 certification for our U.S. Federal operations, and Cyber Essentials (CE) Plus certification for our U.K. operations. Additionally, our IT General Controls (ITGCs) undergo annual testing through Sarbanes-Oxley (SOX) audits, which examine security controls relating to system changes, access management, system configurations, and data backup processes.

Our Board of Directors has ultimate oversight of cybersecurity and information security risk, which it manages as part of our enterprise risk management program.
The Board is assisted by the Audit Committee, as it pertains to cybersecurity threats to the integrity of the Company's financial systems and compliance with cybersecurity related disclosures, and the Sustainability and Risk Committee, as it pertains to cybersecurity as a part of the Company's enterprise risk, which oversee our cybersecurity risk exposures, review management's mitigation efforts, and report their findings to the Board. Throughout the year, our senior executives, including our Chief Information Security Officer ("CISO"), provide regular briefings to the full Board, the Audit Committee and the Sustainability and Risk Committee. These updates cover technology trends, regulatory developments, disclosure requirements, legal issues, policies and practices, threat environment assessments, and ongoing security measures to prevent, detect, and respond to critical threats. The Board and its committees regularly engage in discussions with senior executives regarding cybersecurity and information security risks.

As part of our cybersecurity governance, we also maintain a Cybersecurity Steering Committee chaired by our CISO and comprised of executive management, operational leaders, and cross-functional teams. Generally, this committee meets quarterly, or more frequently as needed, to review, assess and direct decisions related to cybersecurity and information systems matters.

Our cybersecurity program is led by our CISO, who reports to our Chief Information Officer ("CIO"). Our CISO oversees prevention, detection, mitigation, and remediation efforts through regular communication and reporting from information security professionals, many of whom have decades of experience and hold certifications such as a Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM). These efforts are supported by advanced technological tools, specialized software and engagement with external consultants.
Our CISO has extensive experience assessing and managing cybersecurity programs and cybersecurity risk and holds the following credentials: Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (CEH), FINRA Licensed (with a Series 99), and an Oracle Cloud Certified Professional (OCP). Our CISO and CIO regularly provide reports to the Board, the Audit Committee and the Sustainability and Risk Committee on our cybersecurity posture, key initiatives and ongoing efforts to prevent, detect, mitigate, and remediate cyber incidents.

In the event of a cybersecurity incident, we follow established incident response procedures, which include protocols for timely notification to senior management as well as the Board of Directors, with ongoing updates provided until the issue is remediated, as appropriate.

Our operations are subject to cybersecurity risks, including unauthorized access, system failures, and breaches that could originate from both internal networks and through third-party suppliers and service providers. While we have not experienced a material impact on our business strategy, results of operations and/or financial condition from cybersecurity threats or prior incidents, such events have the potential to have a material adverse effect on such aspects of our business. Realization of these risks could damage or disrupt access to our information systems or networks, compromise confidential or protected information, destroy or corrupt data or otherwise interfere with our operations. We continuously monitor our networks for unauthorized access attempts and maintain a range of defensive measures. However, the evolving and sophisticated nature of cyber threats means we cannot guarantee prevention of all potential incidents that could materially impact our business operations, financial condition, or strategic objectives.
In addition, even if we effectively defend our own systems, we rely on third-party providers of products, services and networks, with whom we share data and services, and who may themselves be unable to prevent or mitigate cyberattacks.


Company Information

Name: JACOBS SOLUTIONS INC.
CIK: 0000052988
SIC Description: Heavy Construction Other Than Bldg Const - Contractors
Ticker: J - NYSE
Category: Large accelerated filer
Fiscal Year End: September 25