PHIBRO ANIMAL HEALTH CORP 10-K Cybersecurity GRC - 2025-08-27

Page last updated on August 27, 2025

PHIBRO ANIMAL HEALTH CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-08-27 16:36:27 EDT.

Filings

10-K filed on 2025-08-27

PHIBRO ANIMAL HEALTH CORP filed a 10-K at 2025-08-27 16:36:27 EDT
Accession Number: 0001558370-25-011776

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy As a leading global, diversified animal health and mineral nutrition company, we are increasingly reliant on information technology systems and infrastructure to support critical operations and manage our business effectively. These systems process, transmit, and store electronic information, including customer, employee, and company data. This reliance exposes us to data security breaches and cybersecurity attacks. For more information on these risks, see “Item 1A. Risk Factors - Risk Factors Relating to Our Business - We may be subject to information technology system failures, network disruptions, and breaches in data security.” Although the aggregate impact on our operations and financial condition has not been material to date, the Company has been the target of cybersecurity attacks and anticipates continued attempts as threats become more sophisticated and frequent. Future incidents may have a material effect on our business. Our information security program is led by the Director of IT Cybersecurity and Compliance, who reports directly to the Chief Information Officer (the “CIO”) . The program is aligned with the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Israel National Cyber Directorate. We are also members of the New Jersey Cybersecurity and Communications Integration Cell, which enhances our industry awareness and proactive response capabilities by facilitating information sharing, identifying attack profiles, and promoting continuous improvement. We employ a range of tools and practices to assess, monitor, and mitigate cybersecurity risks. These practices extend to third-party service providers who have access to our systems and data. At least every two years, we engage an independent third party to conduct penetration testing and risk assessments of our cybersecurity posture. Over the past year, we have made significant progress in strengthening our cyber defense capabilities. Our Security Operations Center and Managed Detection and Response services continue to evolve and improve daily. This progress is driven by real-time incident response, continuous team development, and the incorporation of lessons learned from both internal experiences and external industry intelligence. To complement these efforts, we have implemented an advanced cyber threat intelligence process that enhances our ability to detect threat actors, anticipate emerging risks, and align our detection and prevention strategies with global threat trends. We also maintain a robust user education and awareness program, structured around an annual plan. Key elements include: ● Monthly cybersecurity training for all users; ● Bi-weekly phishing simulations; and ● A monthly interactive cyber awareness magazine. The rapid emergence of AI technologies has had a notable impact on our operational and strategic environment. These technologies quickly entered our ecosystem, and we responded by implementing necessary user awareness programs and governance mechanisms. Responsible adoption of AI technologies remains a key focus area. Our efforts encompass raising organizational awareness, deploying suitable monitoring tools, and fostering innovation while ensuring compliance with privacy regulations and industry standards. Our program continues to evolve to ensure the safe, ethical, and compliant use of AI across the enterprise. In parallel, we are enhancing our third-party cybersecurity and regulatory risk management framework. This includes a structured process for evaluating and monitoring external entities using standardized risk questionnaires, internal knowledge repositories, and validation procedures. These mechanisms are applied both prior to onboarding new suppliers, service providers, or technologies, and as part of periodic reviews of existing third-party relationships. This proactive approach allows us to: ● Identify security and compliance gaps early in the vendor lifecycle; ● Prioritize suppliers based on their risk profile and level of exposure; and ● Ensure that third-party engagements align with our corporate, regulatory, and contractual obligations. Together, these measures strengthen our organizational cyber resilience, regulatory preparedness, and long-term operational integrity. In the event of a cybersecurity or data privacy incident, our triage team evaluates the probable frequency and magnitude of potential loss. Incidents are categorized by severity and escalated to the CIO, Chief Executive Officer, and the Senior Vice President, General Counsel, and Corporate Secretary (“Legal Counsel”), who determine any additional communication or disclosure requirements. The Board of Directors is notified of high-severity incidents. Each incident is followed by a formal investigation, root cause analysis, and remediation plan. Additionally, our cyber insurance program is reviewed regularly to ensure adequate coverage in support of our layered protection model. Governance Our CIO manages our information technology systems. He has over 45 years of experience in digital systems and technology in the animal health, bio-tech pharmaceutical, pharmaceutical, and oil and gas industries. He has held multiple leadership roles driving business value for investments in digital solutions. He also spent six years as a leader within internal auditing, providing experience and wisdom in business-driven risk management. The CIO provides periodic reports to the Board of Directors, the executive management team, and our Legal Counsel. These reports include updates on our cybersecurity risks and threats, assessments of our information security program, and any changes in the threat landscape. Our information technology systems are regularly evaluated by internal and external consultants, with the results of the review reported to the executive management team and the Board of Directors.

Company Information