JONES LANG LASALLE INC - (JLL)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
To respond to the threat of security breaches and cyberattacks, we have developed a cybersecurity program, the implementation of which is led by our Global Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”). Our cybersecurity program is designed to protect and preserve the confidentiality, integrity and continued availability of all information and systems owned by us, or in our care. The Audit and Risk Committee of our Board of Directors has oversight of cybersecurity per its charter and as disclosed in our proxy statement. In addition, cybersecurity is reviewed as part of our overall enterprise risk management program, led by our Director of Enterprise Risk Management, which assesses our significant enterprise risks, provides a summary of those risks and primary mitigations, identifies control improvement projects for our significant risks, and regularly reports on the progress of control improvement projects for those risks to our GEB and the Audit & Risk Committee of our Board of Directors. Our Director of Enterprise Risk Management regularly meets with our CISO and CIO to assess our cybersecurity risks, cybersecurity program mitigants and status of control improvement projects.
Like other companies with a large technology footprint and high-profile client base, we are regularly subject to cyberattacks. While certain attacks have been successful, thus far none have had a material impact to our operations or clients. In the future, it is possible such attacks could be successful and have a material impact on our operations or our clients’ operations. Our cybersecurity program strategy is to implement layered controls to reduce our cybersecurity risk by minimizing both the likelihood and potential impact of cybersecurity events. These controls are aligned with the National Institute of Standards and Technology (NIST) cybersecurity framework.
Our CISO leads our cybersecurity program, holds a master's degree in computer and network forensics and has over twenty years of relevant experience, including cybersecurity and enterprise security leadership roles for large global organizations and within the U.S. government. Our CISO leads a global team of cybersecurity professionals with relevant prior employment experience at global financial services firms, leading technology companies, cybersecurity providers, the government and the military.
Our CISO reports to our CIO who is responsible for the development and implementation of our technology, data and information management strategy. Our CIO has over twenty years of experience in technology, data management, data science and analytics, earned a bachelor's degree in mechanical engineering and a master's degree in industrial engineering – operations research. Before joining JLL, our CIO previously held positions as Chief Data Officer, Global Head of Customer Intelligence, Head of Global Analytics and Head of Product Management for a large global financial services institution.
We engage third-party consultants in connection with our cybersecurity program for assessing, identifying and managing material risks from cybersecurity threats. These third parties provide testing and advisory services to identify risks, improve the quality of controls, and ensure JLL is well-positioned to respond to cybersecurity incidents.
Our cybersecurity program also includes assessments of cybersecurity threats associated with our use of certain third-party service providers. JLL leverages pre-procurement security assessments and post-procurement continuous monitoring to evaluate the security risk of certain third-party service providers. We regularly engage third parties to provide technology and/or to perform facilities management and project management services to our clients, where we have imperfect visibility into our third parties’ susceptibility to cybersecurity threats and/or their controls.
We maintain a robust cyber incident response plan that includes controls and procedures designed to allow timely and accurate reporting of any material cybersecurity incident. We view cybersecurity as a shared responsibility, and we periodically perform simulations and tabletop exercises at a management level and incorporate external resources as well. We provide an information security training program, at least annually, for employees who have access to JLL or client-related sensitive or personal information and regularly conduct phishing tests and education.
In 2023, we established a management executive committee that consists of our CISO, Chief Financial Officer, Chief Legal Officer, and Chief Accounting Officer that is responsible for determining if a cybersecurity incident is material to the Company and requires disclosure. In the event of an incident, we intend to follow our detailed incident response playbook, which outlines the steps to be followed from incident detection to mitigation, recovery and notification.
Although we have not experienced any material cybersecurity events to date, cybersecurity threats could materially affect our business strategy, results of operations, or financial condition, as further discussed in our “Operational Risk Factors” in Item 1A, Risk Factors, of this report. Our business is highly dependent on our ability to collect, use, store and manage organizational and client data. If any of our significant information and data management systems do not operate properly or are disabled, we could suffer a material disruption of our businesses, liability to clients, loss of client or other sensitive data, loss of employee data, regulatory intervention, breach of confidentiality or other contract provisions, or reputational damage. These systems may fail to operate properly or become disabled as a result of events wholly or partially beyond our control, including disruptions of electrical or communications services, natural disasters, political instability, terrorist attacks, sabotage, computer viruses, deliberate attempts to disrupt our computer systems through "hacking," "phishing," or other forms of both deliberate or unintentional cyber-attack, or our inability to occupy one or more of our office locations. As we outsource significant portions of our information technology functions to third-party providers, such as cloud computing, we bear the risk of having less direct control over the security and performance of those systems.
Our cybersecurity risk is affected by cyber threats that are proliferating and advancing their ability to identify and exploit vulnerabilities, requiring continuous evaluation and improvements to our security architecture and cyber defenses. We also face increased cybersecurity risk as we deploy additional mobile and cloud technologies. We are continuously hardening our infrastructure built on these technologies, monitoring for threats, and evaluating our capability to respond to any incidents to minimize any impact to our systems, data, or business operations. Because we service clients across multiple industry verticals — many of which are higher-profile cyber targets themselves — including financial services, technology, government institutions, healthcare and life sciences, this also may increase the risk that we are subject to cyber-attack incidents.
As noted above, we have experienced various types of cyber-attack incidents which thus far have been contained and not material to us. We continue to implement new controls, governance, technical protections and other procedures to mitigate against the risks of a cybersecurity event. We also maintain a cyber risk insurance policy but the costs related to cybersecurity threats or disruptions may not be fully insured. We may incur substantial costs and suffer other negative consequences such as liability, reputational harm and significant remediation costs and experience material harm to our business and financial results if we, or vendors or suppliers we engage on behalf of our clients, fall victim to other successful cyberattacks.
Our Management and the Board of Directors provide significant oversight of risks from cybersecurity threats and are informed about and closely monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. In May 2022, in furtherance of ensuring appropriate oversight of our cybersecurity and information technology readiness, the Board adopted an amended charter of the Audit Committee which added cybersecurity and information technology readiness as part of the committee’s purpose. In addition, the Audit Committee was renamed to the “Audit and Risk Committee” to more accurately align with its responsibility to assist the Board in overseeing our policies, program and related risks identified as part of the enterprise risk management framework and cybersecurity and information technology.
The Audit and Risk Committee and management’s Cyber Governance Committee receive regular reports from our CIO and CISO on our information security program including our top cybersecurity risks, cybersecurity strategy, information system controls and related security measures and improvements, cyber incident response plan, cyber incidents and cyber defense metrics, and cyber security protocols and trainings. These regular reports also are shared with the full Board of Directors.