| Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Mar. 31, 2026 |
|---|---|
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | McGraw Hill is committed to maintaining a robust cybersecurity program to protect our digital platforms and the systems and data that support our products and operations, including customer data. We continuously monitor the cybersecurity landscape and adapt our strategy and governance practices to address evolving threats. Our cybersecurity program is aligned to the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) and informed by System and Organization Controls (“SOC 2 Type 2”) criteria. This program is designed to support a continuous process for identifying, assessing, and managing cybersecurity risks across our systems, products, and third-party relationships. We maintain a cybersecurity risk management program that incorporates a layered, defense-in-depth approach and includes processes for detecting, responding to, and mitigating cybersecurity threats and incidents. We engage independent third-party experts to support the evaluation and ongoing improvement of our cybersecurity program, and we require employees and contractors to complete cybersecurity training and policy attestations on a regular basis. As part of the Program: • Framework-aligned controls: We maintain a structured set of policies, standards, and operational procedures that define security expectations and enable consistent control implementation across our systems and digital products. These are regularly reviewed and updated to address emerging risks and changes in the business. • Dedicated cybersecurity operations: We operate a dedicated cybersecurity function led by our Chief Information Security Officer (“CISO”). The function includes a dedicated Security Operations Center (“SOC”) that provides 24/7 continuous monitoring capabilities to detect, investigate, and respond to potential threats and security events across our environment. • Security testing and continuous monitoring: We employ a combination of automated and manual processes, including continuous vulnerability scanning, annual penetration testing, a public Vulnerability Disclosure Program, and internal and external monitoring. Identified vulnerabilities are prioritized and remediated based on risk and severity. • Incident response and escalation: We maintain a formal incident response program designed to identify, assess, and respond to cybersecurity incidents. Incidents are evaluated based on severity and potential business impact, with escalation to senior leadership and coordination across relevant functions as appropriate. • Third-party risk management: We assess and manage cybersecurity risks associated with third-party service providers through due diligence, contractual requirements, and ongoing monitoring. • Resilience and business continuity: We maintain disaster recovery and business continuity capabilities designed to support the availability of critical systems and services and test these capabilities periodically. While we maintain a comprehensive and continuously evolving cybersecurity program, cyber threats are becoming increasingly sophisticated, and no system or set of controls can provide absolute assurance against all risks. We have in the past experienced cybersecurity threats, including previous cybersecurity incidents. However, no such incident has materially affected, or is reasonably likely to materially affect, our business strategy, results of operations or financial condition. See Item 1A, “Risk Factors”, for more information on the cybersecurity threats facing our Company. |
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Framework-aligned controls: We maintain a structured set of policies, standards, and operational procedures that define security expectations and enable consistent control implementation across our systems and digital products. These are regularly reviewed and updated to address emerging risks and changes in the business. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Board of directors-level oversight: The Audit Committee receives quarterly updates on cybersecurity risks, program maturity, and security incidents, supporting active oversight of the Company’s cybersecurity posture. The Audit Committee subsequently reports its findings to the board of directors. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Board of directors-level oversight: The Audit Committee receives quarterly updates on cybersecurity risks, program maturity, and security incidents, supporting active oversight of the Company’s cybersecurity posture. The Audit Committee subsequently reports its findings to the board of directors. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | Board of directors-level oversight: The Audit Committee receives quarterly updates on cybersecurity risks, program maturity, and security incidents, supporting active oversight of the Company’s cybersecurity posture. The Audit Committee subsequently reports its findings to the board of directors. |
| Cybersecurity Risk Role of Management [Text Block] | Management oversight: The CISO is responsible for leading the cybersecurity program, including strategy, risk management, control implementation, and incident response. The CISO reports to our Chief Digital and Information Officer (“CDIO”) and works closely with technology leadership and cross-functional stakeholders, including our Legal, Risk & Compliance, and Engineering teams, to manage cybersecurity risks across the organization. The CDIO, who reports to the Chief Executive Officer (the “CEO”), has over 30 years of experience in technology leadership across multiple industries. The CISO has more than 10 years of experience in cybersecurity and IT governance, with deep expertise in designing and operating enterprise security programs, and holds a Certified Information Systems Security Professional (CISSP) certification. • Incident governance and escalation: Cybersecurity incidents are managed through defined processes, with escalation to senior leadership based on incident severity and potential business impact, as appropriate. Significant incidents are communicated to executive leadership and, where appropriate, the Audit Committee of our board of directors. • Performance monitoring and reporting: Key cybersecurity metrics, including incident response performance, vulnerability management, and third-party risk assessments, are published monthly and shared with technology leadership and cross-functional stakeholders, including our Legal, Risk Management, and Internal Audit teams, to support informed decision-making and continuous improvement. |
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | The CISO is responsible for leading the cybersecurity program, including strategy, risk management, control implementation, and incident response. The CISO reports to our Chief Digital and Information Officer (“CDIO”) and works closely with technology leadership and cross-functional stakeholders, including our Legal, Risk & Compliance, and Engineering teams, to manage cybersecurity risks across the organization. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | The CDIO, who reports to the Chief Executive Officer (the “CEO”), has over 30 years of experience in technology leadership across multiple industries. The CISO has more than 10 years of experience in cybersecurity and IT governance, with deep expertise in designing and operating enterprise security programs, and holds a Certified Information Systems Security Professional (CISSP) certification. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Incident governance and escalation: Cybersecurity incidents are managed through defined processes, with escalation to senior leadership based on incident severity and potential business impact, as appropriate. Significant incidents are communicated to executive leadership and, where appropriate, the Audit Committee of our board of directors. • Performance monitoring and reporting: Key cybersecurity metrics, including incident response performance, vulnerability management, and third-party risk assessments, are published monthly and shared with technology leadership and cross-functional stakeholders, including our Legal, Risk Management, and Internal Audit teams, to support informed decision-making and continuous improvement. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |