|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Sep. 30, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity forms a critical component of the services we provide to our customers. We collect and utilize many different types of information, including financial, medical, human resources, and other personal information. Federal and state laws and regulations, contractual obligations, and national and international industry standards, impose obligations on us to protect the confidentiality, integrity, and availability of information relating to employees, clients, vendors, patients, and citizens. We maintain an Information Security Office (ISO), whose mission is to protect the confidentiality, integrity, and availability of data through administrative, technical, and physical safeguards.
Identifying, assessing, and managing cybersecurity related risks are integrated into our overall enterprise risk management (ERM) process, which is our approach to identifying, assessing, and mitigating major risks. Cybersecurity threats are evaluated based on our perceived vulnerability to a particular threat and the potential impact such a threat could have, with mitigation efforts focused on the highest risks. This risk assessment is updated no less than annually and reviewed by the Board of Directors.
We have experienced cybersecurity incidents that were immaterial and, as previously disclosed, in the third quarter of fiscal year 2023, we experienced a material cybersecurity incident as the personal information of a significant number of individuals was accessed by an unauthorized third-party exploiting a zero-day vulnerability in a third-party vendor's file transfer application used by many organizations, including us. We recorded expenses in connection with the investigation and remediation activities related to this incident; further details are included in "Note 15. Commitments and Contingencies" in Item 8 of this Annual Report on Form 10-K. To date, we are not aware of any other cybersecurity incidents that have had a material effect on our business. Despite our preventative and remediation efforts, we may continue to experience cybersecurity incidents in the future. There can be no guarantee that such efforts will be sufficient to protect our information systems, information, and other assets from significant harm and that future cybersecurity incidents will not have a material adverse effect on our results of operations or financial condition or cause reputational or other harm to us. Refer to Item 1A of this Form 10-K, which includes a section on "Risks Pertaining to Data and Data Security," for further discussion of the associated risks.
We engage third parties to conduct independent cybersecurity assessments. The assessments include technical control reviews of new technologies, penetration testing, and ongoing monitoring of our security posture. We also rely on third parties to conduct annual audits to maintain cybersecurity certifications, such as ISO27001 and Cyber Essentials. As a government contractor, we are also subject to numerous Service Organization Control (SOC) audits each year to fulfill contractual requirements.
The ISO manages our security vendor risk management program. Each vendor’s cybersecurity risk is ranked using a risk tiering calculator. The calculator is designed to provide a consistent methodology for evaluating key risk factors, such as the type of service or product the vendor provides and the location and classification of data. For high- and moderate-risk vendors, an assessment is completed that includes reviewing external audits and certifications (e.g., SOC 2 Type 2 audit, ISO27001 and associated Statement of Applicability, or FedRAMP). As needed, an industry-standard questionnaire is completed by the vendor and the results assessed by ISO in an effort to ascertain the vendor's information security maturity and overall posture. High-risk vendors are re-evaluated annually while moderate-risk vendors are evaluated every three years. Ongoing monitoring is in place for all high and moderate risk vendors using an external service that rates the cybersecurity posture of corporate entities using a scored analysis of cyber threats.
We are in the process of implementing an enterprise-wide third-party risk management program that expands the review of vendors and includes financial and operational screening. This new solution is designed to help ensure compliance with the National Institute of Standards and Technology (NIST) supply chain risk framework that is required when supporting federal agencies.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Identifying, assessing, and managing cybersecurity related risks are integrated into our overall enterprise risk management (ERM) process, which is our approach to identifying, assessing, and mitigating major risks. Cybersecurity threats are evaluated based on our perceived vulnerability to a particular threat and the potential impact such a threat could have, with mitigation efforts focused on the highest risks. This risk assessment is updated no less than annually and reviewed by the Board of Directors.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Oversight for risk management and the overall enterprise risk management strategy of the Company, including cybersecurity, is the responsibility of the Board of Directors. Risks identified are monitored by the Board as a whole or the Board may delegate oversight to a specific subcommittee. Our Technology Committee, comprised of four board members possessing relevant background and experience, assists the Board of Directors in its oversight role with respect to strategy and risk management for our information systems, IT, and cybersecurity.
The Technology Committee is briefed at least quarterly, on the quality and effectiveness of our cybersecurity practices and policies, information security program, and data governance and security program, along with key initiatives in these areas. The Technology Committee also periodically assesses the cybersecurity risk management strategy. This assessment includes reviews of the results of audits, testing, and metrics, including reports of third-party reviewers.In the event of a cybersecurity incident, we have an incident response process and an escalation process in place to promptly identify, notify and brief the Board, including the Chair of the Technology Committee, outside of the regular reporting process in the event of an emerging or potentially material cybersecurity incident. The Board of Directors may choose to delegate responsibility for oversight of a particular cybersecurity matter to the Technology Committee in its discretion.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our cybersecurity response is handled by our information security team and managed by our Chief Information Security Officer (CISO), who reports to the Chief Financial Officer. Our CISO has over thirty years of business and technical experience in information risk, risk management, and regulatory compliance, including thirteen years in a CISO role. Our information security team manages risks by establishing policies and procedures that manage information system access appropriately. These policies and procedures are tested through internal exercises and with external assistance and supplemented by training and communication to our employees and subcontractors.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our CISO reports to the Technology Committee as requested, but no less than quarterly.
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity response is handled by our information security team and managed by our Chief Information Security Officer (CISO), who reports to the Chief Financial Officer. Our CISO has over thirty years of business and technical experience in information risk, risk management, and regulatory compliance, including thirteen years in a CISO role. Our information security team manages risks by establishing policies and procedures that manage information system access appropriately. These policies and procedures are tested through internal exercises and with external assistance and supplemented by training and communication to our employees and subcontractors.Cybersecurity threats are constantly evolving, which drives the evolution of our responses. Typical activities for our information security team include system monitoring, new hire and annual training, testing and evaluation, including "phishing" exercises, and publication of tips and best practices. The results of this testing are communicated to corporate leadership, including to the Technology Committee of the Board of Directors. Our CISO reports to the Technology Committee as requested, but no less than quarterly.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our cybersecurity response is handled by our information security team and managed by our Chief Information Security Officer (CISO), who reports to the Chief Financial Officer. Our CISO has over thirty years of business and technical experience in information risk, risk management, and regulatory compliance, including thirteen years in a CISO role.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has over thirty years of business and technical experience in information risk, risk management, and regulatory compliance, including thirteen years in a CISO role.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Cybersecurity threats are constantly evolving, which drives the evolution of our responses. Typical activities for our information security team include system monitoring, new hire and annual training, testing and evaluation, including "phishing" exercises, and publication of tips and best practices. The results of this testing are communicated to corporate leadership, including to the Technology Committee of the Board of Directors. Our CISO reports to the Technology Committee as requested, but no less than quarterly.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef