JONES LANG LASALLE INC 10-K Cybersecurity GRC - 2026-02-19

Page last updated on February 19, 2026

JONES LANG LASALLE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 14:05:04 EST.

Filings

10-K filed on 2026-02-19

JONES LANG LASALLE INC filed a 10-K at 2026-02-19 14:05:04 EST
Accession Number: 0001037976-26-000037

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Like other companies with a large technology footprint and high-profile client base, we are regularly subject to cyberattacks. While certain attacks against us have been successful, thus far none have had a material impact on our or our clients' operations. To respond to the threat of cybersecurity breaches and cybersecurity attacks, we have developed and maintain a comprehensive global cybersecurity program. The program utilizes internal and external assessments to continually improve our overall cybersecurity posture and manage technology risk. Our cybersecurity strategy has implemented layered technical and administrative controls, which are aligned with the National Institute of Standards and Technology ("NIST") Cybersecurity Framework ("CSF") to minimize both the frequency and severity of cybersecurity events. Specific to our external assessments, we routinely engage third-party consultants to assess our overall cybersecurity maturity and improve our ability to identify and manage material risks stemming from a cybersecurity event. Additionally, as a material cybersecurity incident can manifest from outside of the organization, JLL leverages security assessments and continuous monitoring to evaluate the security risk of third-party service providers. In 2023, we established an executive management group responsible for determining the materiality of cybersecurity incidents and ensuring proper disclosure if required. While we have not experienced any material cybersecurity events to date, we acknowledge cybersecurity threats could significantly impact our business strategy, operations, or financial condition. In our commitment to reducing the frequency and severity of a cybersecurity event, we maintain a cybersecurity incident response plan and regularly conduct tabletop exercises to bolster our preparedness. JLL's cybersecurity function has a risk management framework for cyber-related risks, detailing controls and improvements. The cybersecurity function provides regular updates to our Chief Risk Officer on cybersecurity threats, incidents, and JLL's prevention, detection, mitigation, and remediation efforts for managing these risks. Our Enterprise Risk Management ("ERM") program is designed to evaluate and monitor significant risks, including cybersecurity, and places them in JLL's overall risk framework. Our Global Executive Board and Audit and Risk Committee receive regular reporting on cyber risks and mitigation from both ERM and the cybersecurity function. We maintain a cyber risk insurance policy, but costs related to cybersecurity threats or disruptions may not be fully insured. We acknowledge that successful cyberattacks could result in substantial costs, liability, reputational harm and significant remediation expenses. For additional information on material cybersecurity risks, refer to our discussion in the "Operational Risk Factors" section of Item 1A, Risk Factors, of this report. Governance Our Management and the Board of Directors provide significant oversight of cybersecurity risks. Since 2022, the Board expanded the Audit and Risk Committee's charter to include cybersecurity and information technology readiness. In addition, the Audit Committee was renamed to the "Audit and Risk Committee" to more accurately align with its responsibility to assist the Board in overseeing our policies, program and related risks identified as part of the enterprise risk management framework and cybersecurity and information technology. Further enhancing our cybersecurity governance, in 2024, the Board formally established the Cybersecurity Subcommittee of the Audit and Risk Committee. This subcommittee meets on a quarterly basis with management and regularly reports to the Audit and Risk Committee, providing an additional layer of specialized oversight on cybersecurity and information technology matters. Management's role in executing our cybersecurity strategy is led by our Global Chief Information Officer ("CIO") and our Chief Information Security Officer ("CISO") both with over twenty years' experience in large institutions. Our CISO leads our cybersecurity program, holds a master's degree in business administration and has over twenty years of relevant experience, including cybersecurity and enterprise security leadership roles in Financial Services and within the Department of Defense. Our CISO reports to our CIO who is responsible for the development and implementation of our technology, data and information management strategy. Our CIO's educational background includes a bachelor's degree in mechanical engineering and a master's degree in industrial engineering - operations research, providing a strong foundation for work in technology, data management, data science and analytics. Management's Cybersecurity Governance Committee, established in 2022, comprises senior executives representing several business segments and corporate functions. It provides an additional level of oversight for cybersecurity policies and serves as a formal channel to communicate cybersecurity decisions with our Global Executive Board. The Audit and Risk Committee, its Cybersecurity Subcommittee, and management's Cybersecurity Governance Committee receive regular reports on our information security program, including top risks, strategy, controls, improvement projects, metrics, and training protocols. Reports are also shared with the full Board of Directors.

Company Information