|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Jun. 30, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cyber Risk Management Strategy
Adtalem recognizes the importance of safeguarding sensitive information pertaining to our students, employees, institutions, and operations. Our Cyber Risk Management Framework (“CRMF”) is designed to fortify our defenses against potential cyber threats and to protect the integrity, confidentiality, and availability of critical data. Our CRMF includes continuous risk assessments, threat modeling, vulnerability scans, and monitoring for indicators of compromise. These assessments inform control implementations based on likelihood and impact to operational, financial, and reputational harm.
Program Highlights
The CMRF is anchored by our Enterprise Information Security Framework (“EISF”), which adheres to the guidelines set forth by the National Institute of Standards and Technology (“NIST”) 800-53 Framework. To enhance comprehensiveness, our policies also harmonize with other leading frameworks such as the ISO 27001 Standard, Family Educational Rights and Privacy Act of 1974 (“FERPA”), Payment Card Industry Data Security Standard (“PCI DSS”), Gramm-Leach-Bliley Act (“GLBA”), California Consumer Privacy Act (“CCPA”), General Data Protection Regulation (“GDPR”), and other pertinent local, state, national, and international regulations governing data privacy and information security. Our cybersecurity program has adopted controls mapped to these frameworks and incorporated them into Adtalem’s policies, risk registers, control testing plans, and vendor assessments.
Our Chief Information Security Officer (“CISO”) manages Adtalem’s enterprise-wide cybersecurity program and reports to Adtalem’s Chief Financial Officer. The CISO has been responsible for assessing and managing material risks from cybersecurity threats at Adtalem since 2018. The CISO has over twenty years of information technology and cybersecurity experience, including executive leadership roles at Fortune 500 organizations within regulated sectors including financial services and healthcare. The CISO leads a team of experienced subject matter experts with focus on strategy formulation, architecture design, incident response, colleague training, risk management, and governance functions. This team includes diverse industry backgrounds spanning financial services, healthcare, and government. The CISO provides regular updates to executive management and ensures independent validation of key controls through internal and external reviews. The CISO’s function operates independently of IT operations, with direct access to the Audit and Finance Committee as needed.
The CISO team is supported by a Security Operations team reporting into the Information Technology (“IT”) function. This IT team provides engineering and technical expertise. The team is further supported by a 24x7 Security Operations Center (“SOC”). Adtalem has a Cyber Incident Response Plan (“Incident Response Plan”) that delineates the requirements of notification, classification, analysis, and communication of cybersecurity incidents based on the identified severity level. The Incident Response Plan includes initial steps to convene a response team, contain the incident, consider insurance notification requirements, determine the type of incident and escalation, consider the communications protocol and possible disclosure requirements, and consider involving law enforcement. The Incident Response Plan also provides for a lessons learned review to identify improvements that could be made. Adtalem’s Legal and Compliance teams also provide incident response support to the CISO and manage cybersecurity-related legal and compliance issues. Processes are in place to escalate cybersecurity incidents promptly so that decisions regarding public disclosure and regulatory reporting can be made by management in a timely manner.
An integral component of Adtalem’s Incident Response Plan is our Privacy Incident Response Plan (the “Privacy Response Plan”) which addresses privacy of our students’ records, including under the FERPA. The Privacy Response Plan requires annual training for our employees on how to recognize and report potential privacy incidents.
We regularly conduct Incident Response Plan tabletop exercises, including simulations of malware and ransomware attacks. Our IT environment and cybersecurity-related controls are reviewed by our internal audit function and external third parties. We sponsor third-party assessments, including cyber risk reviews and penetration testing, to evaluate our cybersecurity program independently.
Adtalem subjects its systems to penetration testing to identify potential exposures, ensuring that our infrastructure maintains an acceptable level of cyber risk. In addition, Adtalem leverages third-party experts to enhance its cybersecurity program and Incident Response Plan. Our organization has not identified or discovered any cybersecurity threats over the past three fiscal years that have materially impacted or are reasonably likely to materially impact our business strategy, operations, or financial condition. Expenses related to cybersecurity incidents have not been material.
Our year-round cybersecurity awareness program mandates training for all system users, covering essential topics such as safeguarding sensitive information, identifying phishing attempts, securing mobile devices, and understanding the risks associated with artificial intelligence (“AI”) platforms. Our cybersecurity awareness training is mandatory for all employees and is conducted at least annually, with targeted phishing simulation campaigns conducted throughout the year. Third-party suppliers are subject to a formal onboarding process that includes completion of a cybersecurity questionnaire, review of SOC 2 or ISO certifications where available, and risk scoring. New engagements with third parties are contingent
upon affirmative evaluations or adherence to risk mitigation/acceptance protocols. Contracts with third parties include provisions for breach notification, investigation, root cause analysis, and remediation.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Program Highlights
The CMRF is anchored by our Enterprise Information Security Framework (“EISF”), which adheres to the guidelines set forth by the National Institute of Standards and Technology (“NIST”) 800-53 Framework. To enhance comprehensiveness, our policies also harmonize with other leading frameworks such as the ISO 27001 Standard, Family Educational Rights and Privacy Act of 1974 (“FERPA”), Payment Card Industry Data Security Standard (“PCI DSS”), Gramm-Leach-Bliley Act (“GLBA”), California Consumer Privacy Act (“CCPA”), General Data Protection Regulation (“GDPR”), and other pertinent local, state, national, and international regulations governing data privacy and information security. Our cybersecurity program has adopted controls mapped to these frameworks and incorporated them into Adtalem’s policies, risk registers, control testing plans, and vendor assessments.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Cybersecurity is acknowledged as an important enterprise risk at Adtalem. Our Audit and Finance Committee (“AFC”), comprised entirely of independent directors, is responsible for oversight of risks from cybersecurity threats. The Chair of our AFC has received a CERT certificate in Cybersecurity Oversight from Carnegie Mellon University in partnership with the National Association of Corporate Directors.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit and Finance Committee (“AFC”)
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Cybersecurity is acknowledged as an important enterprise risk at Adtalem. Our Audit and Finance Committee (“AFC”), comprised entirely of independent directors, is responsible for oversight of risks from cybersecurity threats. The Chair of our AFC has received a CERT certificate in Cybersecurity Oversight from Carnegie Mellon University in partnership with the National Association of Corporate Directors.
|Cybersecurity Risk Role of Management [Text Block]
|Our Chief Information Security Officer (“CISO”) manages Adtalem’s enterprise-wide cybersecurity program and reports to Adtalem’s Chief Financial Officer.The CISO leads a team of experienced subject matter experts with focus on strategy formulation, architecture design, incident response, colleague training, risk management, and governance functions. This team includes diverse industry backgrounds spanning financial services, healthcare, and government. The CISO provides regular updates to executive management and ensures independent validation of key controls through internal and external reviews. The CISO’s function operates independently of IT operations, with direct access to the Audit and Finance Committee as needed.Our CISO briefs the AFC on cybersecurity matters, including the evolving threat landscape and Adtalem’s threat mitigation efforts, four times a year. At each quarterly meeting, the Chair of our AFC also briefs the full Board on cybersecurity matters discussed at AFC meetings. Cybersecurity risks are also reviewed and discussed with the AFC and the full Board as part of our annual enterprise risk management (“ERM”) assessment.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Chief Information Security Officer (“CISO”)
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO has been responsible for assessing and managing material risks from cybersecurity threats at Adtalem since 2018. The CISO has over twenty years of information technology and cybersecurity experience, including executive leadership roles at Fortune 500 organizations within regulated sectors including financial services and healthcare.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our CISO briefs the AFC on cybersecurity matters, including the evolving threat landscape and Adtalem’s threat mitigation efforts, four times a year.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef