Page last updated on November 21, 2025
VALVOLINE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-21 17:27:25 EST.
Filings
10-K filed on 2025-11-21
Accession Number: 0001674910-25-000135
Item 1C. Cybersecurity.
Valvoline is committed to protecting information that is valuable to customers and critical to business operations from unauthorized access and disclosure by devoting significant resources to protecting information systems and data through investing in people, technology, and processes to protect data and systems against evolving cybersecurity threats. A cybersecurity program has been designed and implemented that is believed to reasonably manage risks from cybersecurity threats and enable the Company to prevent, monitor, identify, detect, investigate, respond to, mitigate, and report on threats and incidents.
Cybersecurity governance
Valvoline has adopted a cross-functional and multi-management level approach to assessing and managing risks arising from cybersecurity threats. The Audit Committee of the Board (the "Audit Committee") oversees the Company's enterprise risk management program. As part of this oversight, the Audit Committee has primary responsibility for overseeing risks related to cybersecurity, although the Board retains ultimate oversight over these risks. The Board of Directors reviews and discusses cybersecurity risks along with the Company's cybersecurity programs and strategy with management. The Board of Directors receives reports and presentations from the Senior Vice President and Chief Technology and Cybersecurity Officer ("CTO"), Vice President of IT Operations & Platforms, and Senior Director of Information Security during bi-annual meetings, and as needed, on a range of topics including, but not limited to, the cybersecurity program and processes, information systems, business risk identification and mitigation strategies, strategic updates, operational matters, the evolving cybersecurity threat landscape, regulatory developments, and notable incidents or threats affecting the Company.
The CTO, who serves as the Chief Information Security Officer ("CISO") for the Company, is the primary executive responsible for leading the Company's cybersecurity risk management program and has over 30 years of experience in various technology-related roles, including responsibilities related to managing information security, developing cybersecurity strategy, and implementing cybersecurity programs. The Company's Computer Security Incident Response Team ("CSIRT") has primary responsibility for monitoring and enacting the incident response program and is led by the Senior Director of Information Security who reports to the CTO. The CSIRT receives direction and guidance from various departments including operations, information technology, communications, legal, and human resources while being responsible for maintaining and operating incident response capabilities at Valvoline by collecting, aggregating, and analyzing detected alerts and events from computer systems across the enterprise. Valvoline's CSIRT meets at least quarterly, and more frequently as appropriate, to review and discuss the Company's cybersecurity program. The CSIRT has the authority and system entitlements to confiscate, isolate, or disconnect equipment; investigate suspicious activity; monitor usage; and disable system access in the proper execution of their duties. The CSIRT is responsible for declaring an incident and initiating escalation to the Incident Response Team ("IRT"). 
The IRT is responsible for coordinating incident response activities across functions and is comprised of cross-functional and multi-management level personnel including, but not limited to, the Senior Director of Information Security, CSIRT Manager, Chief Legal Officer, Chief Audit Executive, Privacy & Compliance Counsel, Chief Technology Officer, Head of Global Insurance, Director of Corporate Communications, Chief Financial Officer, Chief Operating Officer, Chief Human Resource Officer, and Head of Physical Security. The IRT is also responsible for reporting incidents, following Valvoline's Information Security Incident Response Plan ("IRP"), in accordance with legal requirements, coordinating external communications, and setting information sharing restrictions. Other departments or individuals may be engaged according to the specific nature of the incident and will operate at the direction of the IRT. Valvoline's Senior Director of Information Security is responsible for the implementation of, and amendments to, the IRP and supporting procedures.
Risk management and strategy
Valvoline has developed and implemented a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of its critical systems and information. This program, which is based on the National Institute of Standards and Technology ("NIST") Cybersecurity and Privacy Frameworks, is an integrated part of the company's overall enterprise risk management process. The program applies, where appropriate, to Valvoline's internal and external information systems, applications, networks, and operations. It includes ongoing activities such as scanning, testing, and assessments intended to identify and manage risks arising from cybersecurity threats. Management, including various functional teams, is responsible for assessing, identifying, and managing material risks from cybersecurity threats.
Valvoline continually evaluates and updates its cybersecurity programs to align with regulatory requirements and industry best practices. This includes keeping company-wide training initiatives related to cybersecurity risks robust and up-to-date. Valvoline's Executive Information Security and Privacy Committee provides crucial oversight for cybersecurity risk management. On a monthly basis, the committee reviews key metrics, evaluates risk tolerance, and approves strategic direction to ensure the program aligns with the company's business objectives.
The IRP was designed to comprehensively leverage capabilities throughout the Company and to provide a standardized framework for responding to cybersecurity incidents by coordinating an approach to investigate, contain, mitigate, fix vulnerabilities, determine legally required responses or notifications, and document cybersecurity incidents including reporting and escalating findings as appropriate. The CSIRT, being responsible for incident response, assembles the IRT and assigns responsibilities based on the circumstances of the information security incident.
Valvoline employs a risk-based approach to secure access to networks, systems, and applications for business partners and vendors receiving access to the environments and data. Business partners and vendors with whom information is shared to conduct business are required to safeguard it by appropriate means, including elevated contractual commitments when appropriate. The Company provides cybersecurity training to team members during onboarding and regularly thereafter and deploys technologies to automate and enhance operational security capabilities. In addition, Valvoline also uses third-party managed security services to augment the cybersecurity team's capabilities.
To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including the business strategy, results of operations or financial condition, and management does not believe that such risks are reasonably likely to have such an effect over the long term. However, due to evolving cybersecurity threats, and despite security measures taken, it may not be possible to anticipate, prevent, and stop future cybersecurity incidents, including attacks on information systems and data or those of relevant business partners. Additional information on cybersecurity risks identified is discussed in Item 1A of Part I, "Risk Factors", which should be read in conjunction with this Item 1C. Cybersecurity.
Company Information
| Name | VALVOLINE INC |
| CIK | 0001674910 |
| SIC Description | Miscellaneous Products of Petroleum & Coal |
| Ticker | VVV - NYSE |
| Category | Large accelerated filer |
| Fiscal Year End | September 29 |