ASHLAND INC. 10-K Cybersecurity GRC - 2025-11-20

Page last updated on November 20, 2025

ASHLAND INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-20 12:32:43 EST.

Filings

10-K filed on 2025-11-20

ASHLAND INC. filed a 10-K at 2025-11-20 12:32:43 EST
Accession Number: 0001193125-25-289248

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Ashland recognizes the importance of cybersecurity in safeguarding sensitive information and maintaining operational integrity . To that end, Ashland maintains an information security program as part of its overall Enterprise Risk Management ("ERM") program. The Company's information security program includes an incident response plan, which has been reviewed by third-party consultants and aligns with the National Institute of Standards and Technology ("NIST") Cybersecurity Framework 2.0. The information security program, overseen by the Company's Vice President of Information Technology and Chief Information Officer, is designed to provide a framework for assessing, identifying, managing, mitigating and responding to cybersecurity threats and incidents and to facilitate cross-functional coordination within Ashland. Ashland's information security program also includes policies and processes that are designed to provide visibility and information about the identification, assessment, and management of critical risks and management's risk mitigation strategies. This includes the use of a 24/7 Security Operations Center as well as an in-house, dedicated threat hunting team. Additional safeguards also include employee training and awareness programs around phishing, malware, and other cybersecurity risks. In addition, the Company conducts periodic testing of software, hardware, defensive capabilities, and other information security systems and regularly engages consultants and other expert third parties to assist the Company in the identification and assessment of risks. Ashland maintains a similar risk-based approach to its third-party vendor management program including identifying and overseeing cybersecurity risks that such third parties may present . As part of this program, the Company, imposes additional scrutiny for vendors that may handle personally identifiable information data or trade secrets. As of the date of this Annual Report on Form 10-K, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect its business , results of operations or financial condition. However, despite the Company's best efforts, it cannot eliminate all risks from cybersecurity threats or provide assurances that undetected cybersecurity incidents have not occurred. See the "Risk Factors" in Item 1A of this Annual Report on Form 10-K for further information. Governance Ashland's information security program is led by the Company's Cyber Security Director who has more than 25 years of experience in information technology and 5 years of experience serving in a deputy chief information security officer role or top executive leader in cyber. Our Cyber Security Director is primarily responsible for integrating cybersecurity risk considerations into the Company's overall risk management strategy . In addition, other members of the Company's information security team also have significant experience in information security. As noted above, management of Ashland's cybersecurity risks is part of the Company's overall ERM program, which is overseen by the Board. The Board's Audit Committee has primary responsibility for the oversight of the Company's information and cybersecurity risks and the programs established to manage such risks. The Audit Committee fulfills this oversight responsibility through receiving regular (and as needed) reports and updates from the Company's Cyber Security Director and Ashland's Board also receives periodic reports updates from the Cyber Security Director and the Audit Committee regarding information and cybersecurity matters.

Company Information