XML 21 R10.htm IDEA: XBRL DOCUMENT v3.25.3
Cybersecurity Risk Management, Strategy and Governance
 12 Months Ended
Sep. 30, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

ITEM 16K. CYBERSECURITY

 

Risk Management and Strategy

Our cybersecurity risk management process is aligned with our enterprise risk management program and utilizes a cybersecurity risk management framework developed to protect the confidentiality, integrity, and availability of our critical systems and information and our customers’ data.

Our cybersecurity risk management framework methodology is designed using industry best practices issued by the International Organization for Standardization and the National Institute of Standards and Technology. This framework, covering all in-house and third-party information systems we use and all activities of the employees and third parties we rely on, helps us assess, identify, and manage cybersecurity risks, including how we implement cybersecurity controls and how we measure the effectiveness of such controls to mitigate and remediate identified risks.

Key elements of our cybersecurity risk management framework include:

a dedicated Governance, Risk and Compliance team within the cybersecurity unit, responsible for identifying potential business risks related to cybersecurity threats, managing cybersecurity risk assessment processes, assessing the effectiveness of cybersecurity controls, and following up on risk mitigation and remediation activities;
a cross-functional approach that includes reporting to and coordinating with other key stakeholders in our business, including our information technology, business continuity management, legal and compliance teams and others, to keep them informed and involved as appropriate;
an Information Security Risk Management Policy that applies to employees and other third parties we rely on and is reviewed and updated annually;
recurring internal and third-party risk assessments for certain of our business unit teams, processes, and systems designed to identify potentially material cybersecurity risks;
a third-party risk management program which addresses supply chain and third-party risks, including those arising throughout the lifecycle of a third-party vendor, from engaging in vendor due diligence prior to onboarding to ongoing vendor monitoring and cyber intelligence services, to vendor termination rights and other contractual protections with our third-party vendors;
use of third-party service providers, where appropriate, to assess, test, or otherwise assist with aspects of our cybersecurity controls;
a cybersecurity incident response plan that includes a 24/7 manned security operation center and procedures for responding to cybersecurity incidents and is reviewed and updated annually; and
cybersecurity awareness practices to mitigate risk from human errors, including employee training during employee onboarding and on a regular and ad-hoc basis thereafter.

Although we employ third-party due diligence, onboarding, and other procedures designed to assess the cybersecurity practices of third-party vendors and service providers (including risk assessments and contractual protections), our ability to monitor or control the cybersecurity practices of third parties is limited and there can be no assurance that we can prevent, detect, mitigate, or remediate the risk of any weakness, compromise, or failure in cybersecurity infrastructure owned or controlled by our third-party vendors and service providers. When we do become aware that a third-party vendor or service provider has experienced any weakness, compromise, or failure, we attempt to mitigate our risk, including by terminating such third party’s connection to our systems and information where appropriate. For more information on risks related to third parties we rely on, please see “Risk Factors — We rely on third-party vendor relationships to deliver our business, may expose us to supply disruptions, cost increases, security vulnerabilities and cyberattacks.”

We face ongoing and increasing cybersecurity risks, including from bad actors that are becoming more sophisticated and effective over time. For more information on risks related to cybersecurity, please see “Risk Factors — If our security measures for our software, hardware, services or cloud offerings are compromised and as a result, our data, our customers’ data, our IT systems, or our customers’ IT systems are accessed improperly, made unavailable, or improperly modified, our products and services may be perceived as vulnerable and it may materially affect our business and result in potential legal liability.”

 

Governance - Board Oversight

Our Board of Directors conducts periodic reviews of our cybersecurity program, including cybersecurity risks, incidents, and mitigation strategies, based on reports and updates on status provided to our Audit Committee, Technology and Innovation Committee, and full Board of Directors by our Chief Information Security Officer (“CISO”) and other members of our cybersecurity teams and other relevant executives on a regular and ad-hoc basis. Our Board of Directors has overall oversight responsibility for our enterprise risk management, and delegates cybersecurity risk management oversight to the Audit Committee as part of the Company’s enterprise risk management program and to the Technology and Innovation Committee as part of such committee’s oversight of our technologies and systems. The committees ensure that our management has processes and programs in place designed to identify and assess cybersecurity risks to which we are exposed and implements processes and programs designed to manage cybersecurity risks and mitigate and remediate cybersecurity incidents. The committees also report material cybersecurity risks to our full Board of Directors.

 

Governance - Role of Management

Management is responsible for assessing, identifying, and managing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such cybersecurity risk exposures are monitored, putting in place appropriate prevention, detection, mitigation, and remediation controls and maintaining cybersecurity processes and programs.

Our CISO is a senior manager reporting to our Chief Financial Officer & Chief Operating Officer (“CFO & COO”). Our CISO leads our cybersecurity program and supervises teams operating across different geographies supporting our cybersecurity functions designed to prevent, detect, mitigate, and remediate cybersecurity incidents. Our cybersecurity teams monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through a variety of technical, administrative, and operational measures, and regularly report to our CISO. On an annual basis, and per request, our CISO provides reports and updates on the status of our cybersecurity program to our Board of Directors’ committees, including reports and updates on material cybersecurity risks, based on our management’s assessment of such risks, and all members of our Board of Directors are invited to join these sessions.

Our senior management has delegated the responsibility for ongoing governance of cybersecurity activities to a steering committee led by our CFO & COO and our Group President of Technology. Based on reports provided by our CISO to our senior management on a quarterly and ad-hoc basis, the steering committee is gathered at least quarterly to review and track cybersecurity activities, risks, incidents, and projects.

Our CISO has more than three decades of experience in various cybersecurity, product management, and other technology-related roles, and has extensive experience in assessing, identifying, and managing cybersecurity-related risks and implementing cybersecurity-related policies and strategies. Our CISO has also served in several leadership roles and has held his current position since 2018.

Our CFO & COO has more than three decades of experience in finance and risk management related roles and has also served in several leadership roles. Our CFO & COO has held her position as Chief Financial Officer since 2007 and her additional role as Chief Operating Officer since 2018.

Our Group President of Technology has more than two decades of experience in various technology, engineering and research and development roles. He has served in several leadership roles in the Company and has held the Group President position since 2018.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Our cybersecurity risk management process is aligned with our enterprise risk management program and utilizes a cybersecurity risk management framework developed to protect the confidentiality, integrity, and availability of our critical systems and information and our customers’ data.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance - Board Oversight

Our Board of Directors conducts periodic reviews of our cybersecurity program, including cybersecurity risks, incidents, and mitigation strategies, based on reports and updates on status provided to our Audit Committee, Technology and Innovation Committee, and full Board of Directors by our Chief Information Security Officer (“CISO”) and other members of our cybersecurity teams and other relevant executives on a regular and ad-hoc basis. Our Board of Directors has overall oversight responsibility for our enterprise risk management, and delegates cybersecurity risk management oversight to the Audit Committee as part of the Company’s enterprise risk management program and to the Technology and Innovation Committee as part of such committee’s oversight of our technologies and systems. The committees ensure that our management has processes and programs in place designed to identify and assess cybersecurity risks to which we are exposed and implements processes and programs designed to manage cybersecurity risks and mitigate and remediate cybersecurity incidents. The committees also report material cybersecurity risks to our full Board of Directors.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of Directors has overall oversight responsibility for our enterprise risk management, and delegates cybersecurity risk management oversight to the Audit Committee as part of the Company’s enterprise risk management program and to the Technology and Innovation Committee as part of such committee’s oversight of our technologies and systems.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of Directors conducts periodic reviews of our cybersecurity program, including cybersecurity risks, incidents, and mitigation strategies, based on reports and updates on status provided to our Audit Committee, Technology and Innovation Committee, and full Board of Directors by our Chief Information Security Officer (“CISO”) and other members of our cybersecurity teams and other relevant executives on a regular and ad-hoc basis.
Cybersecurity Risk Role of Management [Text Block]

Governance - Role of Management

Management is responsible for assessing, identifying, and managing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such cybersecurity risk exposures are monitored, putting in place appropriate prevention, detection, mitigation, and remediation controls and maintaining cybersecurity processes and programs.

Our CISO is a senior manager reporting to our Chief Financial Officer & Chief Operating Officer (“CFO & COO”). Our CISO leads our cybersecurity program and supervises teams operating across different geographies supporting our cybersecurity functions designed to prevent, detect, mitigate, and remediate cybersecurity incidents. Our cybersecurity teams monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through a variety of technical, administrative, and operational measures, and regularly report to our CISO. On an annual basis, and per request, our CISO provides reports and updates on the status of our cybersecurity program to our Board of Directors’ committees, including reports and updates on material cybersecurity risks, based on our management’s assessment of such risks, and all members of our Board of Directors are invited to join these sessions.

Our senior management has delegated the responsibility for ongoing governance of cybersecurity activities to a steering committee led by our CFO & COO and our Group President of Technology. Based on reports provided by our CISO to our senior management on a quarterly and ad-hoc basis, the steering committee is gathered at least quarterly to review and track cybersecurity activities, risks, incidents, and projects.

Our CISO has more than three decades of experience in various cybersecurity, product management, and other technology-related roles, and has extensive experience in assessing, identifying, and managing cybersecurity-related risks and implementing cybersecurity-related policies and strategies. Our CISO has also served in several leadership roles and has held his current position since 2018.

Our CFO & COO has more than three decades of experience in finance and risk management related roles and has also served in several leadership roles. Our CFO & COO has held her position as Chief Financial Officer since 2007 and her additional role as Chief Operating Officer since 2018.

Our Group President of Technology has more than two decades of experience in various technology, engineering and research and development roles. He has served in several leadership roles in the Company and has held the Group President position since 2018.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] On an annual basis, and per request, our CISO provides reports and updates on the status of our cybersecurity program to our Board of Directors’ committees, including reports and updates on material cybersecurity risks, based on our management’s assessment of such risks, and all members of our Board of Directors are invited to join these sessions.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Our CISO has more than three decades of experience in various cybersecurity, product management, and other technology-related roles, and has extensive experience in assessing, identifying, and managing cybersecurity-related risks and implementing cybersecurity-related policies and strategies. Our CISO has also served in several leadership roles and has held his current position since 2018.

Our CFO & COO has more than three decades of experience in finance and risk management related roles and has also served in several leadership roles. Our CFO & COO has held her position as Chief Financial Officer since 2007 and her additional role as Chief Operating Officer since 2018.

Our Group President of Technology has more than two decades of experience in various technology, engineering and research and development roles. He has served in several leadership roles in the Company and has held the Group President position since 2018.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our cybersecurity teams monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through a variety of technical, administrative, and operational measures, and regularly report to our CISO.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true