|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Nov. 30, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Cybersecurity Risk Management and Strategy
Our Chief Information Security Officer (“CISO”), supervised by our
Chief Technology Officer, and his Global Information Security
team (“GIS”) oversee our cybersecurity program and exercise
overall responsibility for the strategic vision and the design,
development and implementation of, and adherence to, the
program’s protocols. The comprehensive program includes
policies and procedures designed to protect our systems,
operations and the data entrusted to us from anticipated threats
or hazards. The program applies seven layers of controls:
governance, identification, protection, detection, response,
recovery and third-party vendor management. Our CISO reviews
the cybersecurity framework annually as well as on an event-driven
basis as necessary, and reviews the scope of
cybersecurity measures periodically, including to accommodate
changes in business practices that may implicate security-related
issues.
Protective measures include, where appropriate, physical and
digital access controls, software security and patch
management, identity verification, mobile device management,
data loss prevention solutions, employee cybersecurity
awareness communications and best practices training
programs, security baselines and tools to detect and report
anomalous activity, service provider risk assessments, network
monitoring of data usage, hardware and software, and data
erasure and media disposal, among others. Measures, policies
and standards are aligned with industry-leading frameworks,
such as those promulgated by the International Organization for
Standardization and the National Institute of Standards and
Technology (“NIST”).
We test our cybersecurity defenses regularly through automated
vulnerability scanning by GIS’s 24/7 Security Operations Group to
identify and remediate critical vulnerabilities. In addition, an
independent vendor conducts annual penetration tests to
validate our external security posture. For certain businesses, we
also conduct cyber incident tabletop exercises involving
hypothetical cybersecurity incidents to test our cyber incident
response processes. Tabletop exercises are conducted by our IT
Risk team in collaboration with outside service providers as
appropriate and members of senior management and Legal and
Compliance teams. Learnings from these tabletop exercises and
any events that we experience are reviewed, discussed, and
incorporated into our cybersecurity risk management processes
as appropriate.
In addition to our internal exercises to test aspects of our
cybersecurity program, we annually engage an independent third
party to assess the risks associated with our information
systems and information assets and the maturity of our cyber
security program. The independent third party assesses the
cybersecurity program against the Cyber Risk Institute Cyber
Profile, a financial sector-focused framework based on the NIST
Cybersecurity Framework, the results of which are reported to the
Board of Directors and inform our program.
We have a comprehensive cybersecurity incident response and
communication plan (the “IRP”), managed by the Security
Operations Group, which is designed to inform appropriate risk
management and business managers of non-routine suspected
or confirmed information security or cybersecurity events based
on the expected risk an event presents. As appropriate, a team
composed of individuals from several internal technical and
managerial functions may be formed to investigate and
remediate such an event and determine the extent of external
advisor support required, including from external counsel,
forensic investigators and law enforcement agencies. The IRP
and our internal data loss reporting procedure are reviewed at
least annually and more frequently as needed.
We maintain a cybersecurity risk management process to identify
and mitigate risks that impact the firm. Cybersecurity is assessed
by IT Risk and approved by the Chief Information Officer (“CIO”)
as a component of our annual, enterprise-wide Risk Control Self
Assessment (“RCSA”) managed by the Operational Risk Group.
The RCSA process is independently verified by the Internal Audit
Department. Additionally, our cybersecurity risk management
process includes reviewing risks discerned from time to time
from both internal events and from external events, alerts and
reports received from a broad variety of sources. Reports from
external sources are also reviewed to formulate risk mitigation
and remediation strategies. The CISO periodically discusses and
reviews cybersecurity risks and related mitigants with the CIO,
the Head of IT Risk and General Counsel and incorporates
relevant cybersecurity risk updates and metrics. We conduct
periodic risk assessments and adjust and enhance our
cybersecurity program in response to the evolving cybersecurity
landscape and to align with regulatory and industry standards.
We also employ a process designed to assess the cybersecurity
risks associated with the engagement of third-party vendors and
service providers. This assessment is conducted on the basis of,
among other factors, the types of products or services provided
and the extent and type of data accessed or processed by the
third party.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We maintain a cybersecurity risk management process to identify
and mitigate risks that impact the firm. Cybersecurity is assessed
by IT Risk and approved by the Chief Information Officer (“CIO”)
as a component of our annual, enterprise-wide Risk Control Self
Assessment (“RCSA”) managed by the Operational Risk Group.
The RCSA process is independently verified by the Internal Audit
Department. Additionally, our cybersecurity risk management
process includes reviewing risks discerned from time to time
from both internal events and from external events, alerts and
reports received from a broad variety of sources. Reports from
external sources are also reviewed to formulate risk mitigation
and remediation strategies. The CISO periodically discusses and
reviews cybersecurity risks and related mitigants with the CIO,
the Head of IT Risk and General Counsel and incorporates
relevant cybersecurity risk updates and metrics. We conduct
periodic risk assessments and adjust and enhance our
cybersecurity program in response to the evolving cybersecurity
landscape and to align with regulatory and industry standards.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Cybersecurity Governance
Our dedicated GIS team is led by the CISO, who reports to the
CIO. The CISO works closely with the CIO, Chief Financial Officer,
and the Chief Risk Officer’s (“CRO”) team and the Legal and
Compliance Departments to develop and advance our
cybersecurity strategy. The CISO has extensive experience in
cybersecurity and technology and is responsible for all aspects of
cybersecurity across our global businesses.
We conduct periodic cybersecurity risk assessments, including
assessments of third-party vendors. The CISO reviews the
cybersecurity framework annually as well as on an event-driven
basis as necessary, and reviews the scope of cybersecurity
measures periodically, including to accommodate changes in
business practices that may implicate security-related issues.
Our cybersecurity program is periodically assessed by the
Internal Audit Department. The results of these audits are
reported to the Audit Committee of the Board. Any resulting
findings and associated actions to address issues are tracked
and managed to completion. In addition, the IT Risk team
provides Key Risk Indicators (“KRIs”) monthly to the Operational
Risk Committee whose members include the CIO, CRO, Head of
Internal Audit and the CISO and their representatives. The
monthly presentation includes updates on key security incidents
and trending of cybersecurity KRIs.
Our Board is responsible for the general oversight of all matters
that affect us, including the myriad risks impacting us. The Board
fulfills its oversight role through the operations of its various
committees and receives periodic reports on its committees’
activities.
The Board’s Risk and Liquidity Oversight Committee oversees
Jefferies’ enterprise risk management. Oversight includes
annually reviewing and approving the risk management
framework and overarching risk appetite statements; reviewing
our technology, cybersecurity and privacy risk, legal and
regulatory risk, and reputational risk, among other major risk
exposures; reviewing the steps management has taken to
monitor and control such exposures; and reviewing our capital,
liquidity and funding against established risk methodologies. The
CISO keeps the Board informed about our security posture and
cybersecurity maturity program on a regular basis, providing
updates about the current threat landscape and related risks,
cybersecurity events, significant incidents and new initiatives.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board’s Risk and Liquidity Oversight Committee oversees
Jefferies’ enterprise risk management. Oversight includes
annually reviewing and approving the risk management
framework and overarching risk appetite statements; reviewing
our technology, cybersecurity and privacy risk, legal and
regulatory risk, and reputational risk, among other major risk
exposures; reviewing the steps management has taken to
monitor and control such exposures; and reviewing our capital,
liquidity and funding against established risk methodologies. The
CISO keeps the Board informed about our security posture and
cybersecurity maturity program on a regular basis, providing
updates about the current threat landscape and related risks,
cybersecurity events, significant incidents and new initiatives.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our cybersecurity program is periodically assessed by the Internal Audit Department.
|Cybersecurity Risk Role of Management [Text Block]
|the IT Risk team
provides Key Risk Indicators (“KRIs”) monthly to the Operational
Risk Committee whose members include the CIO, CRO, Head of
Internal Audit and the CISO and their representatives.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our cybersecurity program is periodically assessed by the
Internal Audit Department. The results of these audits are
reported to the Audit Committee of the Board. Any resulting
findings and associated actions to address issues are tracked
and managed to completion. In addition, the IT Risk team
provides Key Risk Indicators (“KRIs”) monthly to the Operational
Risk Committee whose members include the CIO, CRO, Head of
Internal Audit and the CISO and their representatives. The
monthly presentation includes updates on key security incidents
and trending of cybersecurity KRIs.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our dedicated GIS team is led by the CISO, who reports to the
CIO. The CISO works closely with the CIO, Chief Financial Officer,
and the Chief Risk Officer’s (“CRO”) team and the Legal and
Compliance Departments to develop and advance our
cybersecurity strategy. The CISO has extensive experience in
cybersecurity and technology and is responsible for all aspects of
cybersecurity across our global businesses.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The
CISO keeps the Board informed about our security posture and
cybersecurity maturity program on a regular basis, providing
updates about the current threat landscape and related risks,
cybersecurity events, significant incidents and new initiatives.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true