Air Products & Chemicals, Inc. 10-K Cybersecurity GRC - 2025-11-20

Page last updated on November 20, 2025

Air Products & Chemicals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-20 10:20:44 EST.

Filings

10-K filed on 2025-11-20

Air Products & Chemicals, Inc. filed a 10-K at 2025-11-20 10:20:44 EST
Accession Number: 0000002969-25-000055

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity risk management and oversight are of utmost importance to Air Products and are necessary to maintain the trust and confidence of our customers, employees, and other stakeholders. The Company has implemented a thorough cybersecurity program for assessing, identifying, and managing material risks from cybersecurity threats as a fully integrated component of the Company's overall Enterprise Risk Management ("ERM") process. In fiscal year 2025, we achieved our primary cybersecurity risk management objective of having no material cybersecurity incidents. Over the past three years, we have not experienced any material information security breaches and have not incurred material expenses from cybersecurity incidents , including those arising at third parties. Cybersecurity Risk Management and Strategy Our cybersecurity risk management program is designed as a holistic program focused on predicting, preventing, detecting, and responding to cybersecurity threats across enterprise systems as well as the operational technology systems for our plants and pipelines. This program involves relevant employees as well as third-party subject matter experts who collaborate to identify and proactively address risks. The Company regularly assesses industry best practices, frameworks, and standards, and leverages them to advance its cybersecurity risk management maturity. These frameworks include the International Society of Automation and the International Electrotechnical Commission standards for industrial automation (ISA 62443) and information security (ISO 27001), as well as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Our cybersecurity program includes risk-based procedures for the detection, analysis, and mitigation of cybersecurity incidents. Our cybersecurity incident response includes criteria for prioritization and escalation based on severity under an established incident prioritization framework. Incidents are reported internally to senior management, the Board or the Board's Audit and Finance Committee, as appropriate based on this framework. Incidents that are elevated based on their potential severity, including any event that is potentially material, are promptly escalated and analyzed for potential external reporting requirements. As part of the Company's information security training program, all employees participate in various cybersecurity awareness activities, including an annual Information Security Awareness training module and monthly simulated email phishing events. In addition to our internal resources, we leverage third-party service partners to expand the capabilities of our cybersecurity program. This may include testing the program's protection measures as well as services for incident detection, investigation, and recovery. We also leverage third-party service providers to conduct tabletop exercises and perform assessments against cybersecurity frameworks. In fiscal year 2025, Air Products conducted a comprehensive internal audit of its cybersecurity program to evaluate the effectiveness of controls across enterprise information technology, operational technology, and pipeline environments. Our suppliers and third-party service providers are subject to cybersecurity obligations. Prior to engagement, we assess the cybersecurity posture of third-party service providers who store, process, or transmit Air Products' information. In many cases, our agreements include requirements for suppliers and other service providers to notify us if they suffer a cybersecurity incident that may affect us. The Company maintains policies and procedures for preventive controls for enterprise applications including, but not limited to, access controls and change management. In addition, we maintain relevant business continuity and disaster recovery plans as part of our overall cybersecurity risk management strategy. For a discussion of risks related to potential cybersecurity incidents, please refer to Item 1A, Risk Factors - Risks Related to Our Business - Risks related to the approval, execution, and operation of our projects, particularly with respect to our largest projects, may adversely affect our operations or results of operations , of this Annual Report on Form 10-K. Cybersecurity Governance Our Board of Directors recognizes the importance of cybersecurity and has oversight responsibility for cybersecurity risks. The Board of Directors receives updates on our cybersecurity program at least quarterly from our Chief Information Officer ("CIO") and Chief Information Security Officer ("CISO") . In addition, the Board's Audit and Finance Committee, which is composed entirely of independent directors, receives quarterly reports regarding our ERM program and top risks, including those relating to cybersecurity. Our CIO is a member of the Company's senior executive leadership team and is responsible for the administration of the cybersecurity risk management program. Prior to joining the company in 2020, our CIO spent 24 years in the aerospace and defense industry and held multiple senior leadership roles within digital technology, leading large global organizations in all aspects of digital technology, including cybersecurity risk management. Under the direction of our CIO, our CISO oversees the development and implementation of our enterprise-wide cybersecurity risk management program, ensuring the protection of both enterprise and operational technology systems. Our CISO joined the Company in 2025 with an extensive background in cybersecurity strategy, governance, risk, compliance, and data protection. Prior to joining Air Products, our CISO spent over 25 years in executive security and operations management across the industrial manufacturing, software, and financial services industries. Our CISO maintains professional certifications in cybersecurity and information management, including as a Certified Chief Information Security Officer, Certified Information Systems Security Professional, and Certified Information Systems Manager. The Information Security leadership team that reports to the CISO is composed of four security leaders with over 80 years of combined experience and multiple professional certifications.

Company Information