|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Mar. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our business operations depend on the availability, integrity and secure processing, storage, and transmission of confidential and sensitive information, including personal information, digitally and through interconnected systems, including those of our vendors, service providers and other third parties on which we rely. Consequently, we maintain a formal information security program, including physical, technical and administrative safeguards, to prevent and mitigate the risks posed by cybersecurity threats and incidents and to identify, analyze, address, mitigate and remediate those incidents that do occur. As part of our program:
a.we regularly review and update at least annually our standard policies and procedures related to information technology and analyze those policies against the standards and controls that we believe are most relevant to our Company set by organizations such as the National Institute of Standards and Technology cybersecurity framework and the International Organization for Standardization ("ISO");
b.we maintain a dedicated cybersecurity team under the direction of our Chief Technology Officer ("CTO") and supported by our Chief Information Security Officer ("CISO"), each of whom has expertise related to data and network security, data governance and risk management;
c.we regularly test our internal IT controls;
d.we regularly conduct internal vulnerability assessments as well as third-party penetration tests;
e.we maintain, and we require our third-party service providers to maintain, security controls designed to ensure the confidentiality, integrity, and availability of our information systems and the confidential and sensitive information we maintain and process, or which is processed on our behalf;
f.we conduct pre-engagement and targeted recurring reviews of the security controls and security-compliance posture of applicable third-party service providers;
g.all employees are required to complete periodic trainings that cover security and privacy best practices and company policies;
h.we regularly review our business continuity and other back-up plans, including as they relate to cybersecurity incidents; and
i.we perform periodic simulations of attack scenarios by an internal “Red Team” to test the efficacy of both security controls and our tactical incident response procedures.
We also work with third-party cybersecurity and data privacy professionals as part of the design and implementation of our information security program, including our auditors, independent assessors (for example, for penetration testing) of our cybersecurity program, internal and external legal counsel, and other consultants.
We have a documented incident monitoring, escalation and reporting process and procedure that we believe to be effective in detecting and analyzing cyber incidents as they occur to determine appropriate response action and reporting, including the materiality of any such incidents to our financial condition and operations. This process includes:
a.continual monitoring of our systems and logs by both dedicated cybersecurity internal and outsourced staff;
b.immediate escalation to and review by our CISO of certain signals, including evidence of external threat actors, ransomware attacks, data exfiltration, identity compromise or unusual requests from management or certain departments;
c.if deemed appropriate, reporting by our CISO to the Company’s Management and its Disclosure Committee, comprised of multi-disciplinary senior leaders across the organization, including representatives of our accounting, human resources, finance, information technology and legal functions, and consultation with internal and external legal counsel, for further review and determination of the scope and materiality of the incident or incidents, including whether public disclosure is appropriate or required; and
d.informing the Audit Committee of our Board of significant or material cybersecurity incidents, as appropriate.
All incidents are documented and recorded and catalogued for further review by the CISO and their team. Incidents that are deemed to be significant and/or rise to the level of a “security breach” are documented in a security incident register as part of our established vulnerability monitoring and incident response procedures.
While we, our clients and our vendors are regularly exposed to malicious technology-related events and threats, none of these threats or incidents, either individually or in the aggregate of related occurrences, have materially affected the Company in the period covered by this report. We have faced—and in the future may face—sophisticated attacks, including attacks referred to as advanced persistent threats, which are cyberattacks aimed at compromising our intellectual property and other commercially sensitive information, such as the source code and game assets for our software or confidential customer or employee information, which may remain undetected for prolonged periods of time. In September 2022, we experienced a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from Rockstar Games’ systems, including early development footage for the next Grand Theft Auto. Subsequently, also in September 2022, an unauthorized third party illegally accessed credentials for a vendor platform that 2K Games uses to provide help desk support to its customers. The unauthorized party sent a communication to certain players containing a malicious link. 2K Games immediately notified all affected users and took steps to restrict further unauthorized activity until service was restored. In connection with this activity, we have incurred certain immaterial incremental one-time costs related to consultants, experts and data recovery efforts and we generally expect to incur additional costs related to cybersecurity protections in the future.
In determining materiality, cybersecurity incidents are reviewed not only for potential financial impacts, which could include potential legal and regulatory penalties, stolen assets or funds, system damage, forensic and remediation costs, lost client revenue or litigation costs, but also the breadth and sensitivity of data exposure, data exfiltration, impacts on the ability to operate our business or provide our services, client dissatisfaction, reputational harm, and loss of investor confidence. See Item 1A, Risk Factors, for more information on the cybersecurity threats facing our Company.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our business operations depend on the availability, integrity and secure processing, storage, and transmission of confidential and sensitive information, including personal information, digitally and through interconnected systems, including those of our vendors, service providers and other third parties on which we rely. Consequently, we maintain a formal information security program, including physical, technical and administrative safeguards, to prevent and mitigate the risks posed by cybersecurity threats and incidents and to identify, analyze, address, mitigate and remediate those incidents that do occur.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board actively oversees our risk management activities both directly and through its committees and considers various risk topics throughout the year, including, through the Audit Committee, cybersecurity and information security risk management and controls. As part of its oversight function, the Board, directly and through its Audit Committee, oversees the Company’s risk assessment and risk management policies, including related to cybersecurity. At least quarterly (with respect to the Audit Committee) and annually (with respect to the Board), our CTO and CISO report to the Audit Committee or the Board, respectively, addressing a broad range of topics, including significant cybersecurity incidents that have occurred, if any, since the last update, the status of projects and initiatives to update our cybersecurity policies and practices, and ongoing efforts to prevent, detect, and respond to internal and external critical threats.
Our senior management is responsible for assessing and managing the Company’s various exposures to risk, including those related to cybersecurity, on a day-to-day basis, including the identification of risks through an enterprise risk management framework and the creation of appropriate risk management programs and policies to address such risks. Our CTO and CISO have primary responsibility for managing our information security program and efforts, including with respect to cybersecurity. They work closely with key stakeholders, including internal committees such as our Cyber Steering Group, peer institutions, and industry groups, in order to manage cybersecurity and information security risk. Our internal audit team is responsible for testing and auditing our information-technology internal controls. In addition, leaders from our communications, finance, legal
and risk teams participate in incident response training, including tabletop exercises, designed to enhance our ability to respond to cybersecurity incidents quickly, efficiently and with the appropriate degree of urgency.We believe our information technology team to be well-qualified in this area. These qualifications include collective decades of professional experience in the field, in both private enterprise and government, and relevant training and certifications, such as Certified Information Systems Security Professional certification, ISO 27001 certification, and other technical cybersecurity certifications from ISC2, the SANs Institute and OffSec as well as recent participation in IT and cybersecurity programs organized by leading educational institutions with expertise in the field.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board actively oversees our risk management activities both directly and through its committees and considers various risk topics throughout the year, including, through the Audit Committee, cybersecurity and information security risk management and controls.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board actively oversees our risk management activities both directly and through its committees and considers various risk topics throughout the year, including, through the Audit Committee, cybersecurity and information security risk management and controls. As part of its oversight function, the Board, directly and through its Audit Committee, oversees the Company’s risk assessment and risk management policies, including related to cybersecurity. At least quarterly (with respect to the Audit Committee) and annually (with respect to the Board), our CTO and CISO report to the Audit Committee or the Board, respectively, addressing a broad range of topics, including significant cybersecurity incidents that have occurred, if any, since the last update, the status of projects and initiatives to update our cybersecurity policies and practices, and ongoing efforts to prevent, detect, and respond to internal and external critical threats.
|Cybersecurity Risk Role of Management [Text Block]
|
Our senior management is responsible for assessing and managing the Company’s various exposures to risk, including those related to cybersecurity, on a day-to-day basis, including the identification of risks through an enterprise risk management framework and the creation of appropriate risk management programs and policies to address such risks. Our CTO and CISO have primary responsibility for managing our information security program and efforts, including with respect to cybersecurity. They work closely with key stakeholders, including internal committees such as our Cyber Steering Group, peer institutions, and industry groups, in order to manage cybersecurity and information security risk. Our internal audit team is responsible for testing and auditing our information-technology internal controls. In addition, leaders from our communications, finance, legaland risk teams participate in incident response training, including tabletop exercises, designed to enhance our ability to respond to cybersecurity incidents quickly, efficiently and with the appropriate degree of urgency.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our CTO and CISO have primary responsibility for managing our information security program and efforts, including with respect to cybersecurity.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|We believe our information technology team to be well-qualified in this area. These qualifications include collective decades of professional experience in the field, in both private enterprise and government, and relevant training and certifications, such as Certified Information Systems Security Professional certification, ISO 27001 certification, and other technical cybersecurity certifications from ISC2, the SANs Institute and OffSec as well as recent participation in IT and cybersecurity programs organized by leading educational institutions with expertise in the field.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our Board actively oversees our risk management activities both directly and through its committees and considers various risk topics throughout the year, including, through the Audit Committee, cybersecurity and information security risk management and controls. As part of its oversight function, the Board, directly and through its Audit Committee, oversees the Company’s risk assessment and risk management policies, including related to cybersecurity. At least quarterly (with respect to the Audit Committee) and annually (with respect to the Board), our CTO and CISO report to the Audit Committee or the Board, respectively, addressing a broad range of topics, including significant cybersecurity incidents that have occurred, if any, since the last update, the status of projects and initiatives to update our cybersecurity policies and practices, and ongoing efforts to prevent, detect, and respond to internal and external critical threats.
Our senior management is responsible for assessing and managing the Company’s various exposures to risk, including those related to cybersecurity, on a day-to-day basis, including the identification of risks through an enterprise risk management framework and the creation of appropriate risk management programs and policies to address such risks. Our CTO and CISO have primary responsibility for managing our information security program and efforts, including with respect to cybersecurity. They work closely with key stakeholders, including internal committees such as our Cyber Steering Group, peer institutions, and industry groups, in order to manage cybersecurity and information security risk. Our internal audit team is responsible for testing and auditing our information-technology internal controls. In addition, leaders from our communications, finance, legaland risk teams participate in incident response training, including tabletop exercises, designed to enhance our ability to respond to cybersecurity incidents quickly, efficiently and with the appropriate degree of urgency.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef