FTI CONSULTING, INC 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

FTI CONSULTING, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 07:30:26 EST.

Filings

10-K filed on 2026-02-26

FTI CONSULTING, INC filed a 10-K at 2026-02-26 07:30:26 EST
Accession Number: 0000887936-26-000013

Item 1C. Cybersecurity.

Risk Management and Strategy

We operate our segments and their practices through FTI Consulting and its subsidiaries in 32 countries with different business, client, and geographic cybersecurity risk profiles. We aim to proactively identify and assess our vulnerability to cybersecurity threats and actual cybersecurity incidents on an ongoing basis at both the enterprise level, as well as at a more operational level, differentiating unique risks related to our segments, practices, clients, employees, and the locations in which business is conducted. Our Information Technology Group ("ITG") helps monitor and analyze cybersecurity incidents and risks and our progress mitigating and resolving such threats. This information is regularly discussed with our outside directors and executive management.

Approach and Integration

Cybersecurity risk is integrated and managed as part of our broader enterprise risk management program under the direction of our Vice President - Chief Risk and Compliance Officer - who works closely with our Chief Information Officer and others, including the Head of our Cybersecurity & Privacy division to help identify, review, assess and address cybersecurity and other security risks. Our Chief Risk and Compliance Officer, Chief Information Officer and the Head of our Cybersecurity & Privacy division are members of the Company's cybersecurity response team (the "Cyber Response Team"). The Cyber Response Team's responsibilities include maintaining a Cybersecurity Incident Response Plan, which sets out a path for how cyber threats and incidents are identified and escalated up to and including the Board of Directors and other leadership, when appropriate.

Direct threats are escalated promptly to the appropriate team, following a path that considers both the nature of the threat, the level of risk, and the degree to which it has been substantiated.
Indirect threats, such as third-party incidents, are escalated through the ITG to the appropriate corporate functions, as the situation warrants.

Third-Party Engagement and Oversight

Where appropriate, we engage third-party vendors to provide cybersecurity-related services, including security monitoring, risk assessments, penetration testing, audit support and incident response services. Vendors are selected through due diligence processes appropriate to the nature of the services provided, and we enter into written agreements that include provisions addressing data security, confidentiality, privacy and incident notification.

We conduct vendor oversight activities based on the nature of the services and associated risks, which may include performance discussions, issue management and remediation follow-up, as appropriate. Our Vendor Code of Conduct ("VCC") establishes expectations related to ethical conduct and data protection. As part of applicable vendor onboarding processes, vendors are required to acknowledge and agree to comply with the VCC or to provide an alternative code of conduct that demonstrates comparable standards.

For vendor engagements involving access to information systems, confidential information or physical security considerations, appropriate cross-functional stakeholders participate in risk and compliance reviews during the procurement and contract review process prior to engagement. Our contracts for such vendors include provisions designed to safeguard company and client information and to define responsibilities in the event of a security incident.

Incident Response Plan and Training

In the event of the detection of a potentially significant cybersecurity incident or threat, an escalation of cybersecurity threat, or changes with respect to a current incident, the Company has processes in place to notify relevant employees who assist in the response, as well as third-party vendors.
Our ITG and management, in consultation with the Company's outside legal counsel and accountants, will assess materiality, informed by ongoing discussions about what criteria would constitute potential materiality considerations. The Audit Committee and necessary directors will be informed of all material events.

To educate our management, employees, and consultants, and help mitigate the risk of human failure in exposing our Information Technology systems to cybersecurity threats from bad actors, our management, employees, and consultants are required to complete on-line cybersecurity training annually. We also provide regular reminders to employees regarding suspicious emails or other communications and conduct periodic phishing simulations and remedial spot testing and training to reinforce recognition and response techniques.

In 2025, we continued to review and refine our incident response procedures. We conducted technical tabletop exercises, simulating cybersecurity events and appropriate responses, with the senior leadership team of FTI Consulting, including an executive officer and an outside director, and provided regular quarterly updates to the Board of Directors on ongoing efforts to strengthen our security posture. We continue to communicate with the broader executive incident response team on updates to our incident response posture and any simulation training conducted on a periodic basis. The expanded incident response briefing schedule is also included in the annual Board of Directors briefing, and directors and certain officers of the Company have been and will continue to be given the opportunity to participate in simulation training. In addition, our outside directors are encouraged to attend continuing education relating to cybersecurity.

Materiality of Risks

We are subject to and routinely face cyber-based attacks and attempts by hackers and similar unauthorized users seeking to gain access to or corrupt our information technology systems.
Since the beginning of the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us, including our business strategy, results of operations, or financial condition, or that we believe are reasonably likely to have such an effect over the long term. However, there can be no assurance that we will be able to successfully mitigate the negative impacts of cybersecurity threats in the future. Accordingly, we continue to prioritize our cybersecurity risk management despite the lack of identified material impacts to date.

Governance

Management and Board of Directors' Role

The Audit Committee meets regularly with management to help manage and assess risk exposures and potential damages related to information security, cybersecurity, and data protection and the steps management has taken to help identify, monitor, and control such exposures, as well as associated mitigation and remediation action, and actions to continue our operations. Information distributed to and discussed with the Audit Committee includes data on cybersecurity incidents and risks, company-wide enterprise risks, training programs, risk assessments, internal controls, security software, incident response plans, and forward-looking information security and business continuity strategies. The Audit Committee reports directly to the Board of Directors on a quarterly basis.

Expertise of Management

Our Chief Information Officer, who has led our ITG since 1999, holds degrees in Cybersecurity Management and Policy and Information Management and is certified in various information security applications. The Head of our Cybersecurity and Privacy division has been with FTI since 2007 and has extensive experience in the cybersecurity field. The members of Cybersecurity & Privacy division have experience and education in cybersecurity, risk management, data assurance, and compliance.
Among them they hold various certifications in information systems security and privacy. The practices and activities of our cybersecurity and information technology teams align with internationally accepted management frameworks.

Furthermore, we offer cybersecurity consulting as a service to clients. Our client-facing cybersecurity and information security experts periodically advise our cybersecurity and information technology teams regarding best practices. In addition, from time-to-time, they address our executives, directors, and other segment or regional leaders regarding complex issues faced by other companies that arise from data-security-related challenges. Among other things, they discuss new and evolving types and levels of threats and attacks, hacking and ransomware, foreign actors, risks driven by new and evolving technologies, including artificial intelligence, potential damages, and liability, and technological and other solutions potentially available to mitigate such risks, as well as other company responses. The existence of this team within FTI aids in our ability to have current incident and threat intelligence that we can use to bolster our own security posture and defenses. Our cybersecurity practice also provides us with supplemental incident response investigation services in partnership with independent, external consultants, as needed and as appropriate.

For additional information on the risks we face related to cyber and information security threats, please see the related risk factor in Item 1A. Risk Factors.


Company Information

Name: FTI CONSULTING, INC
CIK: 0000887936
SIC Description: Services-Management Consulting Services
Ticker: FCN - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31