ADOBE INC. 10-K Cybersecurity GRC - 2026-01-15

Page last updated on January 15, 2026

ADOBE INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-01-15 17:01:55 EST.

Filings

10-K filed on 2026-01-15

ADOBE INC. filed a 10-K at 2026-01-15 17:01:55 EST
Accession Number: 0000796343-26-000003

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Adobe has certain security processes, infrastructure, systems, policies and practices for assessing, identifying and managing risks from cybersecurity threats. We maintain an information security risk management framework for managing cybersecurity risks, priorities and projects for our products, services, infrastructure and corporate resources. As part of our framework, a cybersecurity risk steering committee meets regularly to review newly identified risks and progress on remediating existing risks. We conduct regular security reviews, simulations and testing, including internal and external penetration testing, vulnerability assessments and regular scans on our hosts and network devices. We review available threat intelligence, including information from industry groups and our security vendor. We consult with third parties, including cybersecurity consultants, as part of our cybersecurity threat and risk management strategy. Depending on the environment, our risk mitigation strategies include a variety of technical, physical and operational measures designed to manage and mitigate material risks from cybersecurity threats to our systems and data. We require employees annually to complete a general security awareness training, and additional engineering and security specific training may also be required for certain positions. Further, we maintain a vendor security review program, which is designed to provide an assessment of the security practices of those third-party vendors that process Adobe non-public data or connect to our networks. We maintain an information security incident response plan designed to monitor, analyze, address, escalate and report cybersecurity incidents, and escalate certain cybersecurity incidents to members of management depending on the circumstances. For a description of the risks from cybersecurity threats that may materially affect us, see the risks described in the section titled "Risk Factors" contained in Part I, Item IA of this report, including under the headings "Security incidents, improper access to or disclosure of our customers' data or other cybersecurity incidents may harm our reputation and materially and adversely affect our business." Governance Our Board of Directors (the "Board") addresses cybersecurity risks as part of its general oversight function. Our Audit Committee of the Board (the "Audit Committee") oversees enterprise risks, including cybersecurity risks, and the adequacy and effectiveness of our information security, technology and policies and our internal controls regarding these areas. The Audit Committee receives regular cybersecurity updates from our Chief Security Officer ("CSO"), in conjunction with senior cyber legal and other professionals, and reports those updates to the Board. The updates address topics such as cybersecurity risks and the prevention, detection, mitigation and remediation of cybersecurity incidents. We have a Cyber Disclosure Committee, comprised of our CSO, cyber legal professionals and other cross-functional leaders, that meets regularly to assess and make determinations regarding certain cybersecurity incidents, and have an escalation process to inform management and the Audit Committee when appropriate. Additionally, our CSO identifies certain cybersecurity risks that are reviewed as part of the enterprise risk management framework and periodically presented to the Board and the Audit Committee. Our cybersecurity risk assessment and management processes are implemented and maintained by management, including our CSO and our cyber legal professionals , whom each has extensive cybersecurity experience in their respective areas of responsibility and expertise. Our CSO, who reports to the Chief Financial Officer, has primary responsibility for the strategy, engineering and operations of cybersecurity across Adobe in partnership with our executive-level product leaders and our cyber legal professionals, who report to the Chief Legal Officer, and have primary responsibility for the legal aspects of cybersecurity across Adobe. Our CSO is supported by a team of cybersecurity, information security, information technology, operations and legal executives and professionals.

Company Information