Phoenix Education Partners, Inc. 10-K Cybersecurity GRC - 2025-11-20

Page last updated on November 20, 2025

Phoenix Education Partners, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-20 16:15:05 EST.

Filings

10-K filed on 2025-11-20

Phoenix Education Partners, Inc. filed a 10-K at 2025-11-20 16:15:05 EST
Accession Number: 0001193125-25-289786

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. The Company maintains a risk-based cybersecurity program designed to protect the confidentiality, integrity, and availability of our networks and systems that we own or are in our care. Our program is aligned to U.S. National Institute for Standards and Technology ("NIST") standards and other applicable industry frameworks. We document our compliance efforts with regulations and standards that govern our business, including the Sarbanes-Oxley Act, the Family Educational Rights and Privacy Act ("FERPA"), the Gramm-Leach-Bliley Act Safeguards Rule, and the Payment Card Industry Data Security Standard ("PCI-DSS"). Our program is designed to identify, assess, and manage material risks from cybersecurity threats through practices that include: - required information security and privacy training supported by periodic phishing simulation exercises to reinforce awareness and enhance cybersecurity practices; - monitoring of network and system activity to detect unusual or suspicious behavior; 66 - access management and access controls which aim to implement "least privilege" access; - multifactor authentication and encryption of sensitive data through "at rest" and "in transit" where feasible; - deployment of industry-standard security monitoring and protection software; - a defined vulnerability management program; - periodic cybersecurity assessments, including with the support of independent third-party consultants; - business continuity and disaster recovery planning; and - a documented Incident Response Plan ("IRP") that provides controls and procedures to support timely and accurate reporting of cybersecurity incidents in coordination with our Legal and the Ethics, Compliance, and Data Privacy ("ECDP") department. The Company's cybersecurity program is integrated within the Company's enterprise risk management program, which provides oversight and governance of cybersecurity risk through risk assessment, risk monitoring, and follow-through on stated objectives and investments to actively manage and remediate related risks. The Company also engages third party experts to assist with compliance and maturity assessments and penetration testing, as appropriate. The Company maintains arrangements with third party information infrastructure or IT vendors, including "cloud computing" vendors. All potential vendors are evaluated through the Company's third-party due diligence process, which includes conducting cybersecurity risk assessments prior to integration into the Company's networks and additional assessments prior to contract renewals or extensions. We further manage potential threats to our systems originating with or associated with IT vendors by integrating cybersecurity requirements and other provisions into various contracts as applicable. Vulnerabilities in third-party software are monitored and managed through our vulnerability management program. To date, the Company's business strategy, operating results, and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of any prior incidents. Our program is designed to identify, prevent, and mitigate cybersecurity events that would have a material adverse effect on the Company; however, the nature and sophistication of cybersecurity risks continue to evolve. No security framework, system, or control environment can fully eliminate the risk of a cyberattack or unauthorized access. Despite the Company's safeguards to protect its systems, intellectual property, and confidential and personal information, vulnerabilities may persist that could be exploited by threat actors. See Item 1A, "Risk Factors-Risks Related to our Business." We maintain insurance covering certain costs that we may incur in connection with cybersecurity incidents, which we believe is commensurate with the size and the nature of our operations. However, the Company may incur expenses and losses related to a cyber incident that are not covered by insurance or are in excess of our insurance coverage. Governance The Company's Chief Information Security Officer ("CISO") is responsible for cybersecurity at the executive level and oversees a team of cybersecurity professionals responsible for assessing and managing our material risk from cybersecurity threats. The CISO works closely with and reports to the Chief Information Officer. Our CISO has over two decades of cybersecurity experience, including responsibilities in technical risk management, information security, cyber investigations, incident response, and cyber strategy. In addition to the CISO's professional background, the CISO maintains relevant industry credentials. The CISO also leads a cross-functional Incident Response Team ("IRT") responsible for responding to and managing cybersecurity incidents in coordination with our Legal department and ECDP department. The IRT consists of professionals from various departments, including Information Technology and Security, Legal, ECDP, Finance, Public Relations, and other key business areas as needed. The IRP is tested annually via a tabletop exercise, focused on executive strategy and communication processes during an incident. 67 The Audit Committee of the Company's Board of Directors is tasked with oversight of the Company's cybersecurity, information and technology security and data privacy strategies and policies. The Chief Information Officer and/or CISO provide regular updates to the Audit Committee on cybersecurity events, vulnerability management, ransomware readiness, and global cybersecurity trends across industries.

Company Information