GREENBRIER COMPANIES INC 10-K Cybersecurity GRC - 2025-10-28

Page last updated on October 29, 2025

GREENBRIER COMPANIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-10-28 16:31:42 EDT.

Filings

10-K filed on 2025-10-28

GREENBRIER COMPANIES INC filed a 10-K at 2025-10-28 16:31:42 EDT
Accession Number: 0001193125-25-253612

Item 1C. Cybersecurity.

Cybersecurity represents an important component of our overall approach to risk management. Our information security risk management (ISRM) policies, standards and practices are integrated into our overall enterprise risk management approach, and cybersecurity risks are one of the business risks that are subject to oversight by our Board of Directors. Our ISRM policies, standards and practices align with National Institute of Standards (NIST) and Technology Cybersecurity Framework and International Organization for Standardization (ISO) 27001.

Risk Management and Strategy

Our cybersecurity program focuses on the following areas:

- Vigilance - We maintain cybersecurity threat operations with the goal of proactively identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with our established cybersecurity incident response procedure plan. We recognize that the sophistication of cyber-threats will continue to evolve as threat actors increase their use of artificial intelligence technologies.
- Systems Safeguards - We implement layered systems safeguards to enable the protection of our information systems from cybersecurity threats. These safeguards include network security, vulnerability management, and threat detection.
- Collaboration - We utilize collaboration mechanisms established with public and private entities, including intelligence and enforcement agencies, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks.
- Third-Party Risk Management - We actively manage cybersecurity risks posed by third parties and their systems that could impact our operations. We monitor and assess the security posture of our third-party vendors. We require third-party service providers with access to sensitive information to maintain cybersecurity practices aligned with industry standards and applicable laws. In addition, we proactively monitor public information regarding our vendors for security incidents, investigate potential impacts, and take appropriate action to mitigate risk.
- Training - We have implemented and maintain a comprehensive cybersecurity training program to educate personnel about evolving threats and reinforce security best practices. This program includes:
  i. Monthly phishing awareness campaigns with mandatory remedial training for those who fail.
  ii. Annual security and acceptable use awareness training.
  iii. Targeted training for high-risk groups such as finance and accounting, including phishing email response checks, to proactively mitigate threats like business email compromise.
- Incident Response and Recovery Planning - We have established and maintain a cybersecurity incident response procedure plan that addresses our response to cybersecurity incidents and recovery from such incidents, and such plan is tested and evaluated periodically.
- Communication, Coordination and Disclosure - We utilize a cross-functional approach to address the risk from cybersecurity threats, involving management personnel from our technology, operations, legal, risk management and other key business functions, as well as the members of the Audit Committee of the Board of Directors, in an ongoing dialogue regarding cybersecurity threats and incidents, while also implementing controls and procedures for the escalation of cybersecurity incidents pursuant to established thresholds so that decisions regarding the disclosure and reporting of such incidents can be made by management in a timely manner. We have established an Incident Response Committee, which is chaired by our SVP Administration, to quickly organize and execute an effective, productive, timely and compliance-conscious response to cybersecurity threats and incidents, as well as coordinate among the cross-functional groups.

We manage risks from cybersecurity threats through the assessment and testing of our processes and practices focused on evaluating the effectiveness of our cybersecurity measures. We engage third parties as appropriate to perform assessments of our cybersecurity measures. The results of such assessments and reviews are reported to the Audit Committee and the Board of Directors, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews. We maintain cyber risk and related insurance policies as a measure of added protection.

Governance

The Board of Directors, in coordination with the Audit Committee, oversees the management of risks from cybersecurity threats, including the policies, standards, processes and practices that management implements to address risks from cybersecurity threats. The Audit Committee reviews cybersecurity on a quarterly basis. The Board of Directors and the Audit Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party reviews, the threat environment, technological trends and information security considerations arising with respect to our peers. The Board of Directors and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding such incident until it has been addressed. On a regular basis, the Board of Directors and the Audit Committee discuss our approach to cybersecurity risk management with the Chief Information Security Officer (CISO) and other cyber team members, as well as senior leadership.

The CISO is principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across the Company. The CISO has decades of experience in the cybersecurity and information security fields, including experience with both private and public companies and the military, as well as experience in the transportation and rail industry. The CISO is a Boardroom Certified Qualified Technology Expert (QTE) and holds certifications including Certified Chief Information Security Officer (C|CISO), Certified Internal Auditor (BSI) and is a graduate of the Wounded Warrior Cyber Combat Academy. The CISO has experience with regulatory compliance frameworks including ISO 27001, SOX, NIST and CMMC. The CISO works in coordination with senior leadership, which includes our Chief Executive Officer, Chief Financial Officer, Chief Information Officer and Chief Legal & Compliance Officer across the Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. Multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with our cybersecurity incident response procedure plan.

To date, we have not experienced any risks from cybersecurity threats or incidents that have materially affected us or are reasonably likely to materially affect us, our business strategy, results of operations, or financial condition.


Company Information

Name: GREENBRIER COMPANIES INC
CIK: 0000923120
SIC Description: Railroad Equipment
Ticker: GBX - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: August 30