Annual report [Section 13 and 15(d), not S-K Item 405]

Cybersecurity Risk Management and Strategy Disclosure

v3.25.3
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Sep. 30, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

 

We believe cybersecurity plays a strategic role in ensuring smooth business operations. We are committed to developing, implementing and maintaining cybersecurity measures and processes that are designed to safeguard our information systems, data and operations, and to assess, identify and manage cybersecurity threats that may impact our business.

 

We operationalize our cybersecurity program through an information security management system based on the ISO/IEC 27001:2022 standard. This does not imply that we meet any particular technical standards, specifications, or requirements - only that we use the ISO/IEC 27001:2022 standard as a guide in designing and implementing our cybersecurity program. We believe designing and building our cybersecurity program around best practices and principles helps support robust business continuity.

 

Our cybersecurity program is integrated into our overall risk management processes. Key elements of our cybersecurity risk management program include, among others:

 

 

Ongoing cybersecurity training and testing for all employees;
 

Regular patching, vulnerability scanning, penetration testing, and network monitoring;
 

Robust IT infrastructure to help reduce opportunities for adverse exploitation;
 

Operational processes that reinforce cybersecurity policies and IT controls;
 

Regular audits to assess our cybersecurity posture, maturity, and progress;
 

A cybersecurity incident response plan operationalized in a governance, risk, and compliance (“GRC”) platform; and
 

A third-party risk management process for enterprise software vendors that includes reviewing System and Organization Control 1 and 2 (SOC 1 and SOC 2) reports and onboarding and maintenance processes for suppliers that include cybersecurity assessments.

 

While we have experienced cybersecurity incidents and expect to continue to be subject to such incidents, to date we have not experienced any cybersecurity incidents that have materially affected our business strategy, financial condition, or results of operations. The cybersecurity threat landscape continues to evolve and escalate. We are subject to ongoing risks from cybersecurity threats that could materially affect our business strategy, financial condition, or results of operations, as further described in Part I, Item 1A, “Risk Factors” of this Annual Report on Form 10-K.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We operationalize our cybersecurity program through an information security management system based on the ISO/IEC 27001:2022 standard. This does not imply that we meet any particular technical standards, specifications, or requirements - only that we use the ISO/IEC 27001:2022 standard as a guide in designing and implementing our cybersecurity program. We believe designing and building our cybersecurity program around best practices and principles helps support robust business continuity.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] While we have experienced cybersecurity incidents and expect to continue to be subject to such incidents, to date we have not experienced any cybersecurity incidents that have materially affected our business strategy, financial condition, or results of operations. The cybersecurity threat landscape continues to evolve and escalate. We are subject to ongoing risks from cybersecurity threats that could materially affect our business strategy, financial condition, or results of operations, as further described in Part I, Item 1A, “Risk Factors” of this Annual Report on Form 10-K.
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

 

Our Board of Directors includes cybersecurity risk as part of its overall risk oversight function, and has delegated to our Audit Committee responsibility for overseeing, reviewing and discussing with management: (i) our cybersecurity, information technology and data security risks and threats; (ii) the potential impact of those risks and threats on our business, operations, and reputation; and (iii) management’s processes, procedures and actions to identify, assess, monitor, mitigate, and remediate such risks and threats. Our Chief Information Officer, who reports to our Chief Executive Officer, provides the Board and the Audit Committee regular reports and assessments on our cybersecurity program and material cybersecurity risks. In addition, our Chief Information Officer updates the Board and the Audit Committee, as appropriate, regarding significant cybersecurity incidents should they occur.

 

 

A cybersecurity incidence response team comprised of key function heads and personnel, including IT, Finance, Legal, and Human Resources, provides operational support for clarifying and acting on cybersecurity issues, including decision-making around materiality, escalation and disclosure. Our cybersecurity program is principally managed by our Information Security Manager, who reports to our Chief Information Officer. Together, our Information Security Manager and our Chief Information Officer have over 50 years of experience in IT, including developing, implementing, and operating IT controls. Our Chief Information Officer and our Information Security Manager manage cybersecurity risks by continually working to reduce risks, respond appropriately to incidents, and invest in hardening our attack surface to improve our cybersecurity posture. Our GRC platform is designed to provide reliability in identifying, tracking, and mitigating cybersecurity risks. We also engage third party assessors, consultants, and auditors to extend internal team capabilities and support our cybersecurity program, including engaging a cybersecurity service provider that provides 24/7 continuous managed detection and response services.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of Directors includes cybersecurity risk as part of its overall risk oversight function, and has delegated to our Audit Committee responsibility for overseeing, reviewing and discussing with management: (i) our cybersecurity, information technology and data security risks and threats; (ii) the potential impact of those risks and threats on our business, operations, and reputation; and (iii) management’s processes, procedures and actions to identify, assess, monitor, mitigate, and remediate such risks and threats. Our Chief Information Officer, who reports to our Chief Executive Officer, provides the Board and the Audit Committee regular reports and assessments on our cybersecurity program and material cybersecurity risks. In addition, our Chief Information Officer updates the Board and the Audit Committee, as appropriate, regarding significant cybersecurity incidents should they occur.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of Directors includes cybersecurity risk as part of its overall risk oversight function, and has delegated to our Audit Committee responsibility for overseeing, reviewing and discussing with management: (i) our cybersecurity, information technology and data security risks and threats; (ii) the potential impact of those risks and threats on our business, operations, and reputation; and (iii) management’s processes, procedures and actions to identify, assess, monitor, mitigate, and remediate such risks and threats. Our Chief Information Officer, who reports to our Chief Executive Officer, provides the Board and the Audit Committee regular reports and assessments on our cybersecurity program and material cybersecurity risks. In addition, our Chief Information Officer updates the Board and the Audit Committee, as appropriate, regarding significant cybersecurity incidents should they occur.
Cybersecurity Risk Role of Management [Text Block] A cybersecurity incidence response team comprised of key function heads and personnel, including IT, Finance, Legal, and Human Resources, provides operational support for clarifying and acting on cybersecurity issues, including decision-making around materiality, escalation and disclosure. Our cybersecurity program is principally managed by our Information Security Manager, who reports to our Chief Information Officer. Together, our Information Security Manager and our Chief Information Officer have over 50 years of experience in IT, including developing, implementing, and operating IT controls. Our Chief Information Officer and our Information Security Manager manage cybersecurity risks by continually working to reduce risks, respond appropriately to incidents, and invest in hardening our attack surface to improve our cybersecurity posture. Our GRC platform is designed to provide reliability in identifying, tracking, and mitigating cybersecurity risks. We also engage third party assessors, consultants, and auditors to extend internal team capabilities and support our cybersecurity program, including engaging a cybersecurity service provider that provides 24/7 continuous managed detection and response services.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] A cybersecurity incidence response team comprised of key function heads and personnel, including IT, Finance, Legal, and Human Resources, provides operational support for clarifying and acting on cybersecurity issues, including decision-making around materiality, escalation and disclosure. Our cybersecurity program is principally managed by our Information Security Manager, who reports to our Chief Information Officer. Together, our Information Security Manager and our Chief Information Officer have over 50 years of experience in IT, including developing, implementing, and operating IT controls. Our Chief Information Officer and our Information Security Manager manage cybersecurity risks by continually working to reduce risks, respond appropriately to incidents, and invest in hardening our attack surface to improve our cybersecurity posture. Our GRC platform is designed to provide reliability in identifying, tracking, and mitigating cybersecurity risks. We also engage third party assessors, consultants, and auditors to extend internal team capabilities and support our cybersecurity program, including engaging a cybersecurity service provider that provides 24/7 continuous managed detection and response services.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] A cybersecurity incidence response team comprised of key function heads and personnel, including IT, Finance, Legal, and Human Resources, provides operational support for clarifying and acting on cybersecurity issues, including decision-making around materiality, escalation and disclosure. Our cybersecurity program is principally managed by our Information Security Manager, who reports to our Chief Information Officer. Together, our Information Security Manager and our Chief Information Officer have over 50 years of experience in IT, including developing, implementing, and operating IT controls. Our Chief Information Officer and our Information Security Manager manage cybersecurity risks by continually working to reduce risks, respond appropriately to incidents, and invest in hardening our attack surface to improve our cybersecurity posture. Our GRC platform is designed to provide reliability in identifying, tracking, and mitigating cybersecurity risks. We also engage third party assessors, consultants, and auditors to extend internal team capabilities and support our cybersecurity program, including engaging a cybersecurity service provider that provides 24/7 continuous managed detection and response services.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our Board of Directors includes cybersecurity risk as part of its overall risk oversight function, and has delegated to our Audit Committee responsibility for overseeing, reviewing and discussing with management: (i) our cybersecurity, information technology and data security risks and threats; (ii) the potential impact of those risks and threats on our business, operations, and reputation; and (iii) management’s processes, procedures and actions to identify, assess, monitor, mitigate, and remediate such risks and threats. Our Chief Information Officer, who reports to our Chief Executive Officer, provides the Board and the Audit Committee regular reports and assessments on our cybersecurity program and material cybersecurity risks. In addition, our Chief Information Officer updates the Board and the Audit Committee, as appropriate, regarding significant cybersecurity incidents should they occur.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true