|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We believe cyber security is of critical importance to our success. We are susceptible to a number of significant, persistent and evolving cyber security threats, including those common to most industries as well as those we face as a worldwide learning company with principal operations in the education, assessment and certifications markets. The Group holds large volumes of personal data on individuals worldwide, including that of employees, customers, students, teachers and learners in the workforce, as well as other highly sensitive business critical data such as financial data, internal sensitive information, and intellectual property. Despite our implementation of security measures, threat actors of all types, including individuals, criminal organisations and state sponsored operatives, have from time to time gained access, and may in the future gain access to the Group’s data through unauthorised means in order to misappropriate such information for fraudulent or other purposes. Failure to prevent or detect a malicious attack on the Group’s systems has in the past and could in future result in loss of system availability, breach of confidentiality, integrity and/or availability of sensitive information, and damage to the customer experience and the Group’s reputation and financial loss. Accordingly, we continuously evaluate the impact of cyber security threats, and are committed to the highest standards of data management and these will naturally evolve with our business as we continue our digital transformation.
Pearson’s Executive team has overall responsibility for data privacy and security. Our reporting and risk management structure feeds upwards from individual businesses to Board level. Under the oversight of our Board of Directors, and the Audit Committee, our management has established comprehensive processes for identifying, assessing and managing material risks from cyber security threats, and these processes are integrated into our overall enterprise risk management programme. We have established lines of accountability and reporting procedures designed to enable senior management executives and business unit privacy owners to have greater visibility over managing data privacy and security risks.
Our approach is proactive and adaptive, featuring regular security assessments, third-party audits and continuous improvement of our cyber security infrastructure. We also provide all colleagues with training on our updated and strengthened data privacy and cyber security principles and processes. We work to align our practices with industry best practices and regulatory standards. Our processes include detailed response procedures to be followed in the event of a cybersecurity incident, which outline steps to be followed from detection to assessment and escalation to notification and recovery, including internal notifications to management, the Audit Committee and the Board, as appropriate.
The Audit Committee of our Board is primarily responsible for oversight of risks, including those from cyber security threats, and is currently chaired by a Director with functional expertise in cyber security matters. Members of management, including our Chief Information Officer, provide the Executive Team and the Trust & Safety committees that have been established with updates on cyber security risk matters on a quarterly basis and more frequently if circumstances dictate. In these updates, members of the committees are apprised of cyber security incidents that are deemed to have had a moderate or higher impact even if immaterial to us. In addition, the committees review and actively discuss with management and among themselves the risks related to cyber security and critical systems in order to provide input on the appropriate level of risk for our Company and review management’s strategies for adequately mitigating and managing the identified risks. The Audit Committee and management regularly update our full Board with respect to cyber security matters.
Our Chief Information Officer is primarily responsible for managing material risks from cyber security threats, and is supported by a dedicated team of internal cyber security specialists led by a Chief Information Security Officer. Both our Chief Information Officer and Chief Information Security Officer have extensive information technology and cybersecurity experience respectively, and many of our internal team hold cyber security certifications such as Certified Information Systems Security Professional or Certified Information Security Manager. We also engage specialised cyber security consultants and leverage third-party expertise to bolster our cyber security defences.
In addition, our third-party vendors and service providers play a role in our cyber security. These third parties are integral to our operations but pose cyber security challenges due to their access to our data and our reliance for various aspects of our operations, including our supply chain. We have developed a third-party vendor risk management programme to assess and manage the risks associated with third-party partnerships, particularly in data security and cyber security. We conduct due diligence before onboarding new vendors and maintain ongoing evaluations to ensure compliance with our security standards.
As of the date of this report, no cyber security incidents have had, either individually or in the aggregate, a material adverse effect on our business, financial condition or results of operations. Notwithstanding the extensive approach we take to cyber security, we may not be successful in preventing or mitigating a cyber security incident that could have a material adverse effect on us. While we maintain cyber risk insurance, the costs relating to certain kinds of security incidents could be substantial, and our insurance may not be sufficient to cover all losses related to any future incidents involving our data or systems.
See ‘Risk Factors’ on pages 228-233 for a discussion of cyber security risks that may materially impact us.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Under the oversight of our Board of Directors, and the Audit Committee, our management has established comprehensive processes for identifying, assessing and managing material risks from cyber security threats, and these processes are integrated into our overall enterprise risk management programme.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Audit Committee of our Board is primarily responsible for oversight of risks, including those from cyber security threats, and is currently chaired by a Director with functional expertise in cyber security matters. Members of management, including our Chief Information Officer, provide the Executive Team and the Trust & Safety committees that have been established with updates on cyber security risk matters on a quarterly basis and more frequently if circumstances dictate. In these updates, members of the committees are apprised of cyber security incidents that are deemed to have had a moderate or higher impact even if immaterial to us. In addition, the committees review and actively discuss with management and among themselves the risks related to cyber security and critical systems in order to provide input on the appropriate level of risk for our Company and review management’s strategies for adequately mitigating and managing the identified risks. The Audit Committee and management regularly update our full Board with respect to cyber security matters.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Chief Information Officer is primarily responsible for managing material risks from cyber security threats, and is supported by a dedicated team of internal cyber security specialists led by a Chief Information Security Officer. Both our Chief Information Officer and Chief Information Security Officer have extensive information technology and cybersecurity experience respectively, and many of our internal team hold cyber security certifications such as Certified Information Systems Security Professional or Certified Information Security Manager. We also engage specialised cyber security consultants and leverage third-party expertise to bolster our cyber security defences.
|Cybersecurity Risk Role of Management [Text Block]
|
The Audit Committee of our Board is primarily responsible for oversight of risks, including those from cyber security threats, and is currently chaired by a Director with functional expertise in cyber security matters. Members of management, including our Chief Information Officer, provide the Executive Team and the Trust & Safety committees that have been established with updates on cyber security risk matters on a quarterly basis and more frequently if circumstances dictate. In these updates, members of the committees are apprised of cyber security incidents that are deemed to have had a moderate or higher impact even if immaterial to us. In addition, the committees review and actively discuss with management and among themselves the risks related to cyber security and critical systems in order to provide input on the appropriate level of risk for our Company and review management’s strategies for adequately mitigating and managing the identified risks. The Audit Committee and management regularly update our full Board with respect to cyber security matters.
Our Chief Information Officer is primarily responsible for managing material risks from cyber security threats, and is supported by a dedicated team of internal cyber security specialists led by a Chief Information Security Officer. Both our Chief Information Officer and Chief Information Security Officer have extensive information technology and cybersecurity experience respectively, and many of our internal team hold cyber security certifications such as Certified Information Systems Security Professional or Certified Information Security Manager. We also engage specialised cyber security consultants and leverage third-party expertise to bolster our cyber security defences.
In addition, our third-party vendors and service providers play a role in our cyber security. These third parties are integral to our operations but pose cyber security challenges due to their access to our data and our reliance for various aspects of our operations, including our supply chain. We have developed a third-party vendor risk management programme to assess and manage the risks associated with third-party partnerships, particularly in data security and cyber security. We conduct due diligence before onboarding new vendors and maintain ongoing evaluations to ensure compliance with our security standards.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
The Audit Committee of our Board is primarily responsible for oversight of risks, including those from cyber security threats, and is currently chaired by a Director with functional expertise in cyber security matters. Members of management, including our Chief Information Officer, provide the Executive Team and the Trust & Safety committees that have been established with updates on cyber security risk matters on a quarterly basis and more frequently if circumstances dictate.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The Audit Committee of our Board is primarily responsible for oversight of risks, including those from cyber security threats, and is currently chaired by a Director with functional expertise in cyber security matters.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our Chief Information Officer is primarily responsible for managing material risks from cyber security threats, and is supported by a dedicated team of internal cyber security specialists led by a Chief Information Security Officer. Both our Chief Information Officer and Chief Information Security Officer have extensive information technology and cybersecurity experience respectively, and many of our internal team hold cyber security certifications such as Certified Information Systems Security Professional or Certified Information Security Manager.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true