Amcor plc 10-K Cybersecurity GRC - 2025-08-15

Page last updated on August 18, 2025

Amcor plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-08-15 16:21:59 EDT.

Filings

10-K filed on 2025-08-15

Amcor plc filed a 10-K at 2025-08-15 16:21:59 EDT
Accession Number: 0001748790-25-000023

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. - Cybersecurity We engage in an annual enterprise-wide risk assessment process which includes an evaluation of cybersecurity risks. We recognize the critical importance of securing the information of the Company’s customers, vendors, and employees and maintaining the security of our systems and data and have developed a comprehensive cybersecurity incident response plan. Our recent merger with Berry presents an opportunity to enhance and unify our cybersecurity risk programs by integrating the strengths of both legacy cybersecurity organizations. As part of this integration, we are conducting a comprehensive cybersecurity risk assessment, harmonizing cybersecurity policies, processes, operations, and consolidating the cybersecurity functions into a single organization. Our integration efforts will concentrate on maintaining the continuous availability of our operations while aligning our organization’s risk management strategy. Governance While everyone at the Company plays a part in managing cybersecurity risks, oversight responsibility is shared by the Board of Directors, the Audit Committee, and management. The full Board of Directors receives an annual information technology report and an update from management, which includes an update on our cybersecurity efforts. The Board of Directors has delegated to the Audit Committee the review of the quarterly cybersecurity reports from management, which outline our cybersecurity risk management framework and include updates on our completed, on-going, and planned actions relating to cybersecurity risks. Our Chief Information Security Officer (“CISO”) has over 20 years of experience in cybersecurity, including serving in similar roles at other public companies. Our CISO leads a team that focuses on the Company’s cybersecurity, including primary responsibility for leading enterprise-wide information security strategy, processes, as well as assessing, identifying, and managing cybersecurity risks. The team is enhanced through ongoing interactions with third party experts to help protect the Company from the latest cybersecurity threats. In addition, we maintain a global cross functional cyber crisis team which is responsible for evaluating cybersecurity threats and overseeing compliance with regulatory security requirements. Our CISO reports to our Vice President of Information Technology who has 29 years of experience in Manufacturing and Financial Services and has been leading our IT function for 15 years. Our Vice President of Information Technology reports to our Chief Financial Officer. Our employees supporting our information security program have relevant educational and industry experience. Risk Management and Strategy We have implemented an extensive cybersecurity program that leverages the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Our cybersecurity program is designed to assess, identify, and manage risks from cybersecurity threats while maintaining the confidentiality and availability of our information systems. We have also established and maintain a comprehensive Global Security Incident Response Plan designed to enable compliance with reporting standards and provide a robust response to global cybersecurity events. We perform periodic assessments to identify and assess cybersecurity risks, including through the utilization of third parties to assess our system vulnerabilities. We also regularly train employees on cybersecurity risks, including through monthly phishing simulations. We perform cybersecurity risk assessments of the third-party vendors we utilize and have processes to identify cybersecurity risks posed by using third-party systems . We also request our third-party vendors to promptly notify us of any actual or suspected breach that could impact our data or operations. Our global footprint exposes us to numerous and evolving cybersecurity risks that could have an adverse effect on our business, financial condition, and results of operations. To date, we have not experienced any significant impacts from cybersecurity threats. However, our safeguards may not always be able to prevent a cyber-attack from impacting our systems or successfully execute our business recovery protocol, which could have a material impact on our business, financial condition, results of operations, or cash flows. Refer to the risk factor captioned “Cybersecurity Risk - The disruption of our operations or risk of loss of our sensitive business information could negatively impact our financial condition and results of operations” in “Item 1A. - Risk Factors” of this Annual Report on Form 10-K for additional narrative on our cybersecurity risks and the potential related impacts to us. 27

Company Information