CABOT CORP 10-K Cybersecurity GRC - 2025-11-24

Page last updated on November 24, 2025

CABOT CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-24 10:25:40 EST.

Filings

10-K filed on 2025-11-24

CABOT CORP filed a 10-K at 2025-11-24 10:25:40 EST
Accession Number: 0001193125-25-292412


Item 1C. Cybersecurity.

Risk Management and Strategy

As noted in Part I, Item 1A, Risk Factors, Cabot recognizes that the threat of cybersecurity breaches may create significant risks for the Company. Accordingly, we have taken measures to protect Company data and the continuing operation of our information technology and communications systems. Our cybersecurity program includes information technology ("IT") policies and standards and an IT risk management program. Our cybersecurity risk management program leverages standards established by the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"), which provides guidance to organizations on how to identify, prevent, detect, respond and recover from cybersecurity threats. Further, cybersecurity risk is integrated into our enterprise risk management ("ERM") approach and is among the core enterprise risks that are subject to oversight by the Board, as described below, acting through the Audit Committee.

We use several tools and controls designed to manage IT risk, including, but not limited to, controls for the management of privileged access, anti-malware tools, simulated email phishing attacks, and other email security tools intended to detect and prevent intrusions as well as monitor risks. All Cabot employees participate in monitored cyber security training and have access to formal IT policies that define and clarify expected behaviors with respect to IT resources in various areas. We have a Cyber Incident Response Plan, which establishes procedures to prepare for and respond to a variety of cyber incidents, and engage in response planning, simulations, trainings, tabletop exercises, and other efforts to prepare for any incidents should they occur.
We periodically engage assessors, consultants, auditors, and other third parties to assess our cybersecurity programs, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. These assessments provide insight into areas of future improvement in risk mitigation and further program development. In addition, we rely on third parties for various business functions and oversee such third-party service providers by conducting vendor diligence upon onboarding as well as ongoing monitoring.

Governance and Oversight

Management Oversight in Cybersecurity Governance

Cabot's Cyber Risk Steering Committee is responsible for review and oversight of the Company's cybersecurity programs and risk assessment as well as the strategic direction of the program to address evolving risks. Our Chief Digital Information Officer (the "CDIO") is the member of the Company's management principally responsible for overseeing the Company's cybersecurity risk management programs in partnership with business and functional leaders across the Company as well as a managed security service provider that provides threat intelligence, global infrastructure monitoring and threat detection and response to cyber events. The CDIO has held various positions within Cabot's IT department over his 20-year tenure with the Company, and contributes technical expertise to the Company's management team. The CDIO leverages extensive industry, IT and cybersecurity expertise to make strategic and operations decisions for Cabot's information security program. The CDIO collaborates with Cabot's Management Executive Committee to manage cyber risk and enhance the cyber program and reports directly to a member of our Management Executive Committee who has executive responsibility for Digital matters.
We have established a process to assess the nature, scope and timing of a cyber incident and, as appropriate, communicate the facts of an incident to management and the Board of Directors and, as appropriate, investors. In the event of a cybersecurity incident, the incident response team is responsible for notifying senior management in a timely manner, to the extent that the facts and circumstances of a particular incident warrant such notification. If it is determined that the event is material to the Company, the matter will be escalated to the Board. For material incidents, the Company will provide information regarding the nature and scope of the incident to investors in compliance with SEC regulations.

Board of Directors Oversight in Cybersecurity Governance

Cabot's Board of Directors oversees the Company's cybersecurity program primarily through its Audit Committee, which comprises independent directors. Company executives along with external and internal cybersecurity personnel update the Audit Committee at least quarterly on risks related to cybersecurity and the steps taken to monitor and control risk exposure. Additionally, the results of periodic assessments of the Company's cybersecurity programs, described above, are communicated to the Audit Committee upon completion. Relevant matters are also reviewed with the full Board on at least an annual basis.

As of the date of this report, we have not experienced a cybersecurity incident that has resulted in a material effect on our business strategy, results of operations or financial condition. Despite our efforts, we cannot guarantee that our cybersecurity safeguards will prevent breaches or breakdowns of the Company's or our third-party service providers' information technology systems, particularly in the face of continually evolving cybersecurity threats and increasingly sophisticated threat actors.
A cybersecurity incident may materially affect our business, results of operations or financial condition, including where such an incident results in reputational, competitive or business harm; damage to our brand; lost sales; physical damage to facilities; physical harm to individuals; reduced demand; loss of intellectual property rights; significant costs; or the Company being subject to government investigations, litigation, fines or damages. For additional information, see Part I, Item 1A, "Risk Factors-Operational Risks-Information technology systems failures, data security breaches, cybersecurity attacks or network disruptions have harmed us in the past and could compromise our information, disrupt our operations and expose us to liability, which may adversely impact our operations."


Company Information

Name: CABOT CORP
CIK: 0000016040
SIC Description: Miscellaneous Chemical Products
Ticker: CBT - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29