|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Jun. 30, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We have implemented and maintain information security processes and risk management practices designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and to our critical data, including intellectual property and personal data, confidential information that is proprietary, strategic or competitive in nature, collectively referred to as “Information Systems and Data.”
Our information security functions, including our CyberSecurity Center of Excellence, or CSCoE, and Information Security, or IS, team, are dedicated to identifying, assessing and managing the Company’s cybersecurity threats and risks. We do this by using various methods, including, for example, using manual and automated tools to (i) conduct threat assessments for internal and external threats, (ii) conduct vulnerability assessments to identify vulnerabilities, (iii) perform penetration testing, (iv) evaluate our and our industry’s risk profile as well as threats reported to us, (v) perform internal and external audits of our security data procedures, (vi) conduct employee training, (vii) monitor emerging laws and regulations related to data protection and information security, and (viii) have third parties conduct table-top incident response exercises to test our security processes.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: (i) implementing an incident response plan and policies; (ii) implementing disaster recovery and business continuity plans; (iii) conducting regular risk assessments of our vendors and vulnerabilities; (iv) encrypting certain data; (v) putting in place network security controls and access controls; (vi) systems tracking and monitoring; (vii) implementing certain security standards and achievement of certain security certifications; (viii) segregating certain data where appropriate; and (ix) maintaining cybersecurity insurance.
Before beginning the use of products or services which could expose confidential information of us or our clients to any third party and/or which would be critical to the provision of services to our clients, we have processes in place designed to assess the risks that the use of a vendor and any associated products/services pose. In order to perform such an assessment, we have developed a vendor risk management program to manage cybersecurity risks associated with the use of third-party providers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, our vendor risk management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose on the provider contractual obligations related to cybersecurity. The vendor risk management program includes a risk assessment that is performed through security questionnaires, review of business continuity and disaster recovery preparedness documentation, review of security accreditations, evaluation of penetration testing assessments, internet footprint and in-context technical risk assessments.
Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, (i) cybersecurity risk is addressed as a component of the Company’s enterprise risk management program and identified in the Company’s risk register, (ii) our Risk Committee and CISO evaluate and monitor material risks from cybersecurity threats against our overall business objectives, and (iii) the Audit Committee and Board of Directors are provided with regular updates on our risk register and cybersecurity events, including response plans and remedial actions.
We use third-party service providers to assist us from time to time to identify, assess, and manage material issues from cybersecurity threats, including third-party firms who run table-top exercises to test our security processes and provide penetration testing to test the integrity of our IT estate.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, (i) cybersecurity risk is addressed as a component of the Company’s enterprise risk management program and identified in the Company’s risk register, (ii) our Risk Committee and CISO evaluate and monitor material risks from cybersecurity threats against our overall business objectives, and (iii) the Audit Committee and Board of Directors are provided with regular updates on our risk register and cybersecurity events, including response plans and remedial actions.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board of Directors is responsible for our overall cybersecurity risk management as part of its general oversight function and delegates to the Audit Committee oversight of management’s assessment and management of risks relating to cybersecurity, and the steps management has taken to monitor and mitigate such risks. The Audit Committee advises management and the Company’s auditors on the adequacy and effectiveness of Endava’s information security and cybersecurity policies and is responsible for the remediation and mitigation of cybersecurity items on the Company’s internal risk register as part of its role in ensuring adequate internal controls and procedures.
Each quarter, our Information Security team prepares a report on cybersecurity events, risks, mitigation actions and strategy, and the Chief Information Security Officer, or “CISO”, presents this to the Board of Directors. Our cybersecurity risk assessment and management processes are implemented and maintained by our CISO, who is also responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our CISO has over 40 years of experience in senior IT and technology roles, focused over the last 25 years on security in both the public and private sectors including CISO roles for the UK government, law enforcement, global technology companies and FTSE100 companies. Our Information Security team is comprised of a dedicated team of security experts with extensive cybersecurity qualifications and certifications and specialized experience in the cybersecurity domain. Members of our CSCoE, offensive security team and governance, risk and compliance teams have experience in information security, cyber threat defense, risk management, IT systems auditing, process analysis, personal data protection, security awareness and physical security. These teams are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our CSCoE and Information Security teams track and log cybersecurity events across the Company, including those related to our vendors and third-party service providers. These events are categorized and assigned a severity score. Significant cybersecurity events are reviewed regularly and, if appropriate, escalated to a multidisciplinary Risk Assessment Team (that includes members of the Security, Legal, Data Protection and Finance teams), which investigates and responds to the cybersecurity event. If the Risk Assessment Team deems the cybersecurity event a potentially material incident, it is escalated to the Materiality Assessment Team, which is made up of our Chief Financial Officer, General Counsel, Chief Information Security Officer, Chief Technology Officer, Chief Operating Officer, Chief People Officer and Chief Information Officer, for any additional investigation and materiality determination. The Materiality Assessment Team escalates any potentially material cybersecurity incidents to the Board of Directors and we consult with outside counsel as appropriate to assess potential disclosure obligations.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Board of Directors is responsible for our overall cybersecurity risk management as part of its general oversight function and delegates to the Audit Committee oversight of management’s assessment and management of risks relating to cybersecurity, and the steps management has taken to monitor and mitigate such risks. The Audit Committee advises management and the Company’s auditors on the adequacy and effectiveness of Endava’s information security and cybersecurity policies and is responsible for the remediation and mitigation of cybersecurity items on the Company’s internal risk register as part of its role in ensuring adequate internal controls and procedures.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Each quarter, our Information Security team prepares a report on cybersecurity events, risks, mitigation actions and strategy, and the Chief Information Security Officer, or “CISO”, presents this to the Board of Directors.
|Cybersecurity Risk Role of Management [Text Block]
|Our cybersecurity risk assessment and management processes are implemented and maintained by our CISO, who is also responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our CISO has over 40 years of experience in senior IT and technology roles, focused over the last 25 years on security in both the public and private sectors including CISO roles for the UK government, law enforcement, global technology companies and FTSE100 companies. Our Information Security team is comprised of a dedicated team of security experts with extensive cybersecurity qualifications and certifications and specialized experience in the cybersecurity domain. Members of our CSCoE, offensive security team and governance, risk and compliance teams have experience in information security, cyber threat defense, risk management, IT systems auditing, process analysis, personal data protection, security awareness and physical security. These teams are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our CSCoE and Information Security teams track and log cybersecurity events across the Company, including those related to our vendors and third-party service providers. These events are categorized and assigned a severity score. Significant cybersecurity events are reviewed regularly and, if appropriate, escalated to a multidisciplinary Risk Assessment Team (that includes members of the Security, Legal, Data Protection and Finance teams), which investigates and responds to the cybersecurity event. If the Risk Assessment Team deems the cybersecurity event a potentially material incident, it is escalated to the Materiality Assessment Team, which is made up of our Chief Financial Officer, General Counsel, Chief Information Security Officer, Chief Technology Officer, Chief Operating Officer, Chief People Officer and Chief Information Officer, for any additional investigation and materiality determination. The Materiality Assessment Team escalates any potentially material cybersecurity incidents to the Board of Directors and we consult with outside counsel as appropriate to assess potential disclosure obligations.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Each quarter, our Information Security team prepares a report on cybersecurity events, risks, mitigation actions and strategy, and the Chief Information Security Officer, or “CISO”, presents this to the Board of Directors. Our cybersecurity risk assessment and management processes are implemented and maintained by our CISO, who is also responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our CISO has over 40 years of experience in senior IT and technology roles, focused over the last 25 years on security in both the public and private sectors including CISO roles for the UK government, law enforcement, global technology companies and FTSE100 companies. Our Information Security team is comprised of a dedicated team of security experts with extensive cybersecurity qualifications and certifications and specialized experience in the cybersecurity domain. Members of our CSCoE, offensive security team and governance, risk and compliance teams have experience in information security, cyber threat defense, risk management, IT systems auditing, process analysis, personal data protection, security awareness and physical security. These teams are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has over 40 years of experience in senior IT and technology roles, focused over the last 25 years on security in both the public and private sectors including CISO roles for the UK government, law enforcement, global technology companies and FTSE100 companies.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our CSCoE and Information Security teams track and log cybersecurity events across the Company, including those related to our vendors and third-party service providers. These events are categorized and assigned a severity score. Significant cybersecurity events are reviewed regularly and, if appropriate, escalated to a multidisciplinary Risk Assessment Team (that includes members of the Security, Legal, Data Protection and Finance teams), which investigates and responds to the cybersecurity event. If the Risk Assessment Team deems the cybersecurity event a potentially material incident, it is escalated to the Materiality Assessment Team, which is made up of our Chief Financial Officer, General Counsel, Chief Information Security Officer, Chief Technology Officer, Chief Operating Officer, Chief People Officer and Chief Information Officer, for any additional investigation and materiality determination. The Materiality Assessment Team escalates any potentially material cybersecurity incidents to the Board of Directors and we consult with outside counsel as appropriate to assess potential disclosure obligations.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true