Hewlett Packard Enterprise Co 10-K Cybersecurity GRC - 2025-12-18

Page last updated on December 18, 2025

Hewlett Packard Enterprise Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-12-18 08:23:22 EST.

Filings

10-K filed on 2025-12-18

Hewlett Packard Enterprise Co filed a 10-K at 2025-12-18 08:23:22 EST
Accession Number: 0001645590-25-000130

Item 1C. Cybersecurity.

Risk Management and Strategy

Our Cybersecurity and Digital Risk Management ("CDRM") organization, under the leadership of a Global Chief Information Security Officer ("Global CISO"), operates a cybersecurity program that is designed to help us identify, assess, manage, and mitigate risks relating to cybersecurity threats and incidents. We design our cybersecurity standards, policies, processes and controls to operate in an integrated manner, leveraging applicable industry standards and security frameworks, including the NIST Cybersecurity Framework, as guidance in supporting our ability to perform such functions.

CDRM manages our cybersecurity program, including by fostering collaboration with partners across business units and global functions to identify and assess material cybersecurity threats, evaluate their severity, and establish actions to mitigate and manage such risks. Business units and global functions are responsible for addressing risks and implementing our policies and standards within the respective business unit or function. Compliance with our policies and standards is assessed by our internal audit organization, through periodic cybersecurity audits. The results of these audits, together with our learnings from internal and external threats, drive periodic reassessment of and structured updates to our cybersecurity framework, as deemed necessary or appropriate.

As part of our cybersecurity program, we also evaluate data collected from our attack surface management tools using a framework that quantifies the likelihood and severity of risks to produce a prioritized set of vulnerabilities for remediation. We also require mandatory cybersecurity training for employees and periodically conduct Company-wide phishing simulations.

To aid in assessing material risks from cybersecurity threats, our enterprise risk management ("ERM") program incorporates cybersecurity risks as part of its process to assess overall risk of the Company. The ERM organization supports management by facilitating a semi-annual risk assessment, which documents the priority and status of these risks and aligns them with our strategic mitigation efforts. ERM is structured using a framework based on guidance from the Committee of Sponsoring Organizations of the Treadway Commission on Enterprise Risk Management Integrating Strategy with Performance.

Within CDRM, our Cybersecurity Defense Center ("CDC") has established policies, processes, and controls that are designed to monitor, detect, investigate, respond to, and escalate management of cybersecurity threats and incidents. If we experience a cybersecurity incident, the CDC activates our incident response plan, which includes processes to enable us to triage, assess severity of, escalate, contain, investigate, and remediate the incident, as well as to comply with applicable legal obligations and mitigate brand and reputational harm. Additionally, we have established a Cyber Crisis Management Team, which is responsible for addressing and responding to the most severe cyber incidents. If warranted, senior management notifies the Audit Committee and/or the full Board of Directors, as appropriate. Throughout this process, the CDC continues to investigate the incident and, as its understanding of the incident evolves, updates its severity assessment, as necessary.

We engage third-party security experts, assessors, and consultants, as appropriate, to assess our cybersecurity risk management processes; support our ongoing certification efforts; help identify areas for continued focus, improvement, and compliance; and support incident response functions, to the extent necessary, all of which support our cybersecurity program.

From time to time, we conduct third-party-administered, as well as internally administered, tabletop exercises that simulate cybersecurity threats, to assess our existing cybersecurity infrastructure and incident response processes. We also periodically conduct offensive security assessments and vulnerability tests, and continuously monitor our computing environments to gain visibility into our security posture and detect vulnerabilities, abnormalities, or signs of compromise.

In addition to monitoring risks from threats to our own assets, we apply third-party risk management practices that endeavor to help identify and manage supply chain and vendor risk arising from our critical suppliers and other service provider organizations. We do so in a variety of ways, such as gathering information on third parties' cybersecurity programs and controls, performing due diligence, undertaking cybersecurity reviews and/or audits, and/or mandating certain contractual requirements, such as notification of cybersecurity incidents and return or destruction of all HPE data upon termination of the relationship.

Governance

Our Global CISO, who reports to our Chief Operating and Legal Officer ("COLO"), has principal management-level responsibility for our cybersecurity program, which includes assessing and managing our cybersecurity risks, along with developing and implementing cybersecurity processes, policies, and controls that are used for managing cybersecurity risk across the Company. Our Global CISO joined HPE in January 2025, and previously held relevant leadership positions at other public and private companies. He brings over two decades of technology experience spanning information and cyber security, including serving as CISO at other large companies.

Our Global CISO is supported by a leadership team managing Cyber Defense; Governance, Risk, and Compliance; Security Strategy; Cybersecurity Architecture and Engineering; and Identity and Access Management, all of whom have extensive experience in private sector cybersecurity roles. Supporting these leaders is a team of cybersecurity professionals with relevant educational and industry experience.

The Global CISO periodically meets with the Cyber Governance and Incident Disclosure Committee, our enterprise risk management function, and chief-level executives, as well as the Audit Committee of our Board of Directors, to discuss cybersecurity risks, as well as related mitigation and remediation activities. The CDC monitors the detection, investigation, mitigation, response to, and remediation of cybersecurity incidents, and regularly reports to our Global CISO, engaging with the Executive Committee and the Cyber Crisis Management Team, as appropriate.

Our Board of Directors is responsible for overseeing cybersecurity risk, primarily through the Audit Committee. Cybersecurity reviews by the Audit Committee and the Board of Directors are scheduled to occur at least quarterly and annually, respectively, or more frequently, as deemed necessary or advisable. Such presentations to the Audit Committee and Board of Directors, as applicable, are made by our COLO and Global CISO, utilizing performance metrics established by CDRM and reported through the ERM framework, and address topics such as cybersecurity threats, incidents, risks, results from internal and third-party assessments, progress towards risk-mitigation goals, the functioning of our incident response program, and regulatory developments. At times, the Audit Committee may receive additional cybersecurity risk reviews from other members of management and/or internal cybersecurity experts on certain of our key business segments and products.
The Audit Committee regularly reports to our Board of Directors regarding the committee's oversight of such cybersecurity matters. Additionally, the COLO and Global CISO may provide ad hoc updates to the Board of Directors and/or the Audit Committee if necessitated by a security incident or other significant developments.

HPE, like all organizations operating in the technology landscape, faces significant and persistent cybersecurity risks, which influence business strategy and operations. To date, no risks from cybersecurity threats, including as a result of any previous cybersecurity incident, have materially affected us, including our business strategy, results of operations, or financial condition. Notwithstanding our cybersecurity program, we may not be successful in identifying a cybersecurity risk or preventing or mitigating a cybersecurity incident or vulnerability, which if realized, could reasonably likely materially affect us. Additional information on the cybersecurity risks we face can be found in the section titled "Risk Factors" in Item 1A of Part I of this Annual Report on Form 10-K.


Company Information

Name: Hewlett Packard Enterprise Co
CIK: 0001645590
SIC Description: Computer & office Equipment
Ticker: HPE - NYSE; HPE-PC - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: October 30