Jefferies Financial Group Inc. 10-K Cybersecurity GRC - 2026-01-28

Page last updated on February 4, 2026

Jefferies Financial Group Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-01-28 16:55:18 EST.

Filings

10-K filed on 2026-01-28

Jefferies Financial Group Inc. filed a 10-K at 2026-01-28 16:55:18 EST
Accession Number: 0000096223-26-000009


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Our Chief Information Security Officer ("CISO"), supervised by our Chief Technology Officer, and his Global Information Security team ("GIS") oversee our cybersecurity program and exercise overall responsibility for the strategic vision and the design, development and implementation of, and adherence to, the program's protocols. The comprehensive program includes policies and procedures designed to protect our systems, operations and the data entrusted to us from anticipated threats or hazards. The program applies seven layers of controls: governance, identification, protection, detection, response, recovery and third-party vendor management. Our CISO reviews the cybersecurity framework annually as well as on an event-driven basis as necessary, and reviews the scope of cybersecurity measures periodically, including to accommodate changes in business practices that may implicate security-related issues.

Protective measures include, where appropriate, physical and digital access controls, software security and patch management, identity verification, mobile device management, data loss prevention solutions, employee cybersecurity awareness communications and best practices training programs, security baselines and tools to detect and report anomalous activity, service provider risk assessments, network monitoring of data usage, hardware and software, and data erasure and media disposal, among others. Measures, policies and standards are aligned with industry-leading frameworks, such as those promulgated by the International Organization for Standardization and the National Institute of Standards and Technology ("NIST").

We test our cybersecurity defenses regularly through automated vulnerability scanning by GIS's 24/7 Security Operations Group to identify and remediate critical vulnerabilities. In addition, an independent vendor conducts annual penetration tests to validate our external security posture. For certain businesses, we also conduct cyber incident tabletop exercises involving hypothetical cybersecurity incidents to test our cyber incident response processes. Tabletop exercises are conducted by our IT Risk team in collaboration with outside service providers as appropriate and members of senior management and Legal and Compliance teams. Learnings from these tabletop exercises and any events that we experience are reviewed, discussed, and incorporated into our cybersecurity risk management processes as appropriate.

In addition to our internal exercises to test aspects of our cybersecurity program, we annually engage an independent third party to assess the risks associated with our information systems and information assets and the maturity of our cyber security program. The independent third party assesses the cybersecurity program against the Cyber Risk Institute Cyber Profile, a financial sector-focused framework based on the NIST Cybersecurity Framework, the results of which are reported to the Board of Directors and inform our program.

We have a comprehensive cybersecurity incident response and communication plan (the "IRP"), managed by the Security Operations Group, which is designed to inform appropriate risk management and business managers of non-routine suspected or confirmed information security or cybersecurity events based on the expected risk an event presents. As appropriate, a team composed of individuals from several internal technical and managerial functions may be formed to investigate and remediate such an event and determine the extent of external advisor support required, including from external counsel, forensic investigators and law enforcement agencies. The IRP and our internal data loss reporting procedure are reviewed at least annually and more frequently as needed.

We maintain a cybersecurity risk management process to identify and mitigate risks that impact the firm. Cybersecurity is assessed by IT Risk and approved by the Chief Information Officer ("CIO") as a component of our annual, enterprise-wide Risk Control Self Assessment ("RCSA") managed by the Operational Risk Group. The RCSA process is independently verified by the Internal Audit Department. Additionally, our cybersecurity risk management process includes reviewing risks discerned from time to time from both internal events and from external events, alerts and reports received from a broad variety of sources. Reports from external sources are also reviewed to formulate risk mitigation and remediation strategies. The CISO periodically discusses and reviews cybersecurity risks and related mitigants with the CIO, the Head of IT Risk and General Counsel and incorporates relevant cybersecurity risk updates and metrics.

We conduct periodic risk assessments and adjust and enhance our cybersecurity program in response to the evolving cybersecurity landscape and to align with regulatory and industry standards. We also employ a process designed to assess the cybersecurity risks associated with the engagement of third-party vendors and service providers. This assessment is conducted on the basis of, among other factors, the types of products or services provided and the extent and type of data accessed or processed by the third party.

Cybersecurity Governance

Our dedicated GIS team is led by the CISO, who reports to the CIO. The CISO works closely with the CIO, Chief Financial Officer, and the Chief Risk Officer's ("CRO") team and the Legal and Compliance Departments to develop and advance our cybersecurity strategy. The CISO has extensive experience in cybersecurity and technology and is responsible for all aspects of cybersecurity across our global businesses.

We conduct periodic cybersecurity risk assessments, including assessments of third-party vendors. The CISO reviews the cybersecurity framework annually as well as on an event-driven basis as necessary, and reviews the scope of cybersecurity measures periodically, including to accommodate changes in business practices that may implicate security-related issues.

Our cybersecurity program is periodically assessed by the Internal Audit Department. The results of these audits are reported to the Audit Committee of the Board. Any resulting findings and associated actions to address issues are tracked and managed to completion. In addition, the IT Risk team provides Key Risk Indicators ("KRIs") monthly to the Operational Risk Committee whose members include the CIO, CRO, Head of Internal Audit and the CISO and their representatives. The monthly presentation includes updates on key security incidents and trending of cybersecurity KRIs.

Our Board is responsible for the general oversight of all matters that affect us, including the myriad risks impacting us. The Board fulfills its oversight role through the operations of its various committees and receives periodic reports on its committees' activities. The Board's Risk and Liquidity Oversight Committee oversees Jefferies' enterprise risk management. Oversight includes annually reviewing and approving the risk management framework and overarching risk appetite statements; reviewing our technology, cybersecurity and privacy risk, legal and regulatory risk, and reputational risk, among other major risk exposures; reviewing the steps management has taken to monitor and control such exposures; and reviewing our capital, liquidity and funding against established risk methodologies.

The CISO keeps the Board informed about our security posture and cybersecurity maturity program on a regular basis, providing updates about the current threat landscape and related risks, cybersecurity events, significant incidents and new initiatives.


Company Information

Name: Jefferies Financial Group Inc.
CIK: 0000096223
SIC Description: Security Brokers, Dealers & Flotation Companies
Ticker: JEF - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: November 30