|
Cybersecurity Risk Management, Strategy, and Governance Disclosure
|12 Months Ended
Jun. 30, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We recognize the importance of information security practices designed to protect the confidentiality, integrity, and availability of company information and the personal information that we process. Cybersecurity risk management is an integral part of our overall enterprise risk management efforts. We manage cybersecurity risks using a framework based on applicable regulations, industry standards, and recognized best practices. Through this framework, we devote significant resources to identifying, monitoring, assessing, and responding to cybersecurity threats and incidents, including those associated with our use of third-party software, applications, services, and cloud infrastructure.
Our Cybersecurity Program includes multiple policies, procedures, and other components designed to identify, analyze, and respond to cybersecurity risks, including reliance on a layered system of preventative and detective technologies and controls designed to detect, mitigate, and contain cybersecurity threats. As part of our Cybersecurity Program, we maintain a Written Information Security Plan that outlines internal controls and procedures designed to protect our information systems. Our Cybersecurity Program contains a comprehensive suite of cybersecurity policies that are commensurate with companies in our industry of similar size and sophistication, and these policies are also informed by the sensitivity of our data processing activities. Our Cybersecurity Program also includes policies and procedures designed to ensure adequate business continuity, disaster recovery, and incident response. We also have access through our insurer to computer forensics firms and specialized legal counsel in case of a cybersecurity incident. While we maintain cybersecurity insurance to assist in the cost of recovery from a cybersecurity incident, such coverage may not be sufficient to cover all costs resulting from such incidents.
We leverage qualified third-party consultants, advisors, counsel, and other experts to inform, audit, and update our Cybersecurity Program throughout each year. We engage security assessors to identify vulnerabilities through both internal and external penetration tests and to perform cybersecurity maturity assessments. We perform risk assessments annually, or more frequently if circumstances require, using both internal and external resources. We may also be subject to examinations or disclosures by applicable regulators. We conduct annual cybersecurity training for employees to enhance awareness of how to detect and respond to cybersecurity threats, as well as periodic phishing training and testing campaigns. We also conduct periodic table-top exercises to simulate a response to a cybersecurity incident.
Our designated IT team members monitor cybersecurity threats in real time for the Company at the enterprise level, with the assistance of third-party threat detection and monitoring software. Cybersecurity threats at the subsidiary level are also monitored in real time by experienced IT professionals at those subsidiaries, including our IT leadership at JM Bullion, AMS, Pinehurst, LPM, and SGI. These individuals report cybersecurity incidents immediately to our Chief Information Officer ("CIO") and Chief Privacy Officer ("CPO"), who in turn follow approved incident response and reporting protocols, as more fully described below.
Our Cybersecurity Compliance and Disclosure Committee ("CCDC"), which is further described below, is chaired by our CIO and includes the General Counsel and the CPO of A-Mark and other representatives from the Company and our subsidiaries, including top-level management, to ensure enterprise-wide implementation and consistent application of the Company’s data security, privacy, and artificial intelligence policies and procedures. The CCDC regularly enlists internal and external subject matter experts to assist where necessary.
We also maintain a formal Vendor Management Program that provides oversight of cybersecurity risks related to our vendor and supplier relationships. During vendor onboarding, we perform risk-based due diligence on these third-parties, with heightened requirements for vendors that have access to confidential enterprise information, personal data, or that require access to our information systems. This Vendor Management Program includes specific cybersecurity requirements for our vendors, as well as ongoing monitoring, assessment, and contract review. Members of the CCDC are involved in and review the Vendor Management Program annually.
We also maintain a formal Generative Artificial Intelligence ("GAI") Policy and Program that provides oversight of cybersecurity, privacy, and contractual risks related to enterprise use of GAI. All GAI tools and use cases must be submitted for review and approval by a subcommittee of CCDC members based on specific cybersecurity, privacy, and contractual requirements.
To date, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, the sophistication of and risks from cybersecurity threats and incidents continue to increase, and the preventative actions that we have taken and continue to take to reduce the risk of cybersecurity threats and incidents may not successfully protect against all cybersecurity threats and incidents. For more information on the risks that we face from cybersecurity threats, see “Risk Factors – Risk Factors of General Applicability—Legislatures and regulators continue to scrutinize cybersecurity management and incident reporting.” in Part 1, Item 1A of this report.
Cybersecurity Governance
The Board has overall responsibility for risk oversight and has delegated oversight of our Cybersecurity Program, including enterprise-wide risk assessment and management, to the CCDC. The CCDC’s charter requires it to monitor Company efforts to prevent, detect, mitigate, and remediate cybersecurity incidents, and to comply with cybersecurity laws and regulations. The CCDC oversees and approves all Company policies and procedures related to cybersecurity. The CCDC also ensures that significant cybersecurity issues or concerns are reported to the Board and A-Mark’s CEO, and disclosed to the public, individuals, or regulators where required by law.
The CCDC directly oversees information technology and information security risks through regular meetings, reports from management on information technology, cybersecurity, and related risk assessments, and incidents disclosed by third-party service providers as applicable. If a cybersecurity threat is identified, our Vice President of IT or other reporting individuals will immediately inform our IT service desk and notify our CIO and CPO. Once the threat has been analyzed, our CIO and CPO will inform our General Counsel of any security incidents. The General Counsel or her delegate will report on the incident, as appropriate, to the CCDC, our CEO, President, CFO, and to the Board, either at the next scheduled meeting or on a current basis, depending on the severity of the incident. Each quarter, the enterprise CPO presents legal and regulatory updates concerning cybersecurity, security incident response and notification, privacy, and artificial intelligence. A-Mark’s CPO is certified by the International Association of Privacy Professionals as an EU, US, and management privacy professional, as well as an artificial intelligence governance professional. Our CPO has over a decade of privacy, data protection, and information management experience.
The CCDC reports at least quarterly to the Board and A-Mark’s CEO on the following topics, among possible others: our current risk posture and threat landscape; new material cybersecurity threats and high-risk exposures; risk mitigations and controls; incident response readiness; and updates to cybersecurity policies and procedures. The CCDC is also authorized and directed to report to the Board and A-Mark’s CEO promptly in the event of a significant cybersecurity incident, as appropriate.
A-Mark’s CIO chairs the CCDC. Our CIO brings over 15 years of IT experience to A-Mark. Since joining A-Mark in 2019, he has been pivotal in enhancing our data privacy compliance program, significantly strengthening our data protection and privacy measures, particularly ensuring protection of sensitive data. The co-vice chairs of the CCDC are A-Mark’s Vice President of IT and JM Bullion’s Vice President of Digital and Technology. Our Vice President of IT has over 25 years of experience in IT working in various industries including ecommerce, health care, and financial industries focusing on IT operations, cybersecurity and compliance. Since joining the company in 2014, he has been instrumental in the creation and growth of our cybersecurity program. Our Vice President of Digital and Technology at JM Bullion has comprehensive experience in the cybersecurity field. He successfully established a 24/7 security operation center (SOC) to continuously detect and respond to security incidents, as well as implemented various advanced services to proactively detect vulnerabilities on potential attack surfaces with high accuracy spanning across assets, applications, data, endpoints and network. He also centralized the workforce identity and access management (IAM) of the various systems for improved administration and control at the subsidiary level. He joined JM Bullion in 2015 and has served in his current role as Vice President of Digital and Technology since 2021.
Other members of the CCDC include top executives and management from the Company and its subsidiaries, including A-Mark’s General Counsel and Assistant General Counsel, CPO, President, Chief Financial Officer, Chief Operating Officer, Senior Director of Financial Reporting, Senior Director of Internal Audit, and Director of Enterprise Development and Administration, as well as JM Bullion’s President and Chief Executive Officer and its Chief Financial Officer. Finally, the CCDC is assisted by an external compliance consultant with over twenty years of IT experience, and A-Mark’s outside legal counsel for privacy and data security.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We recognize the importance of information security practices designed to protect the confidentiality, integrity, and availability of company information and the personal information that we process. Cybersecurity risk management is an integral part of our overall enterprise risk management efforts.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, the sophistication of and risks from cybersecurity threats and incidents continue to increase, and the preventative actions that we have taken and continue to take to reduce the risk of cybersecurity threats and incidents may not successfully protect against all cybersecurity threats and incidents. For more information on the risks that we face from cybersecurity threats, see “Risk Factors – Risk Factors of General Applicability—Legislatures and regulators continue to scrutinize cybersecurity management and incident reporting.”
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Board has overall responsibility for risk oversight and has delegated oversight of our Cybersecurity Program, including enterprise-wide risk assessment and management, to the CCDC. The CCDC’s charter requires it to monitor Company efforts to prevent, detect, mitigate, and remediate cybersecurity incidents, and to comply with cybersecurity laws and regulations. The CCDC oversees and approves all Company policies and procedures related to cybersecurity. The CCDC also ensures that significant cybersecurity issues or concerns are reported to the Board and A-Mark’s CEO, and disclosed to the public, individuals, or regulators where required by law.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|We also maintain a formal Generative Artificial Intelligence ("GAI") Policy and Program that provides oversight of cybersecurity, privacy, and contractual risks related to enterprise use of GAI
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|All GAI tools and use cases must be submitted for review and approval by a subcommittee of CCDC members based on specific cybersecurity, privacy, and contractual requirements.
|Cybersecurity Risk Role of Management [Text Block]
|The CCDC reports at least quarterly to the Board and A-Mark’s CEO on the following topics, among possible others: our current risk posture and threat landscape; new material cybersecurity threats and high-risk exposures; risk mitigations and controls; incident response readiness; and updates to cybersecurity policies and procedures.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Once the threat has been analyzed, our CIO and CPO will inform our General Counsel of any security incidents. The General Counsel or her delegate will report on the incident, as appropriate, to the CCDC, our CEO, President, CFO, and to the Board, either at the next scheduled meeting or on a current basis, depending on the severity of the incident.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|We leverage qualified third-party consultants, advisors, counsel, and other experts to inform, audit, and update our Cybersecurity Program throughout each year.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|If a cybersecurity threat is identified, our Vice President of IT or other reporting individuals will immediately inform our IT service desk and notify our CIO and CPO. Once the threat has been analyzed, our CIO and CPO will inform our General Counsel of any security incidents. The General Counsel or her delegate will report on the incident, as appropriate, to the CCDC, our CEO, President, CFO, and to the Board, either at the next scheduled meeting or on a current basis, depending on the severity of the incident.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef