GOODYEAR TIRE & RUBBER CO /OH/ 10-K Cybersecurity GRC - 2026-02-10

Page last updated on February 10, 2026

GOODYEAR TIRE & RUBBER CO /OH/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-10 11:33:00 EST.

Filings

10-K filed on 2026-02-10

GOODYEAR TIRE & RUBBER CO /OH/ filed a 10-K at 2026-02-10 11:33:00 EST
Accession Number: 0001628280-26-006708

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Risk Management and Strategy We recognize the importance of cybersecurity risk management, strategy and governance, and we have implemented policies and procedures reasonably designed to manage and reduce cybersecurity risk as part of our overall risk management program. Our global information technology organization, led by our Senior Vice President and Chief Information Officer ("CIO") , is responsible for enterprise-wide information technology, including our overall information security strategy, policies, operations, and threat detection and response. The global information technology organization manages and maintains the cybersecurity program with the goal of preventing, detecting and remediating incidents, and works to increase our system resilience to minimize the business impact should an incident occur. Our cybersecurity program is informed by multiple, overlapping cybersecurity frameworks. These include the National Institute of Standards and Technology Cyber Security Framework (NIST-CSF) and Trusted Information Security Assessment Exchange (TISAX). Our cybersecurity program has achieved TISAX certification, or "labeling", for its demonstrated ability to identify, protect, detect, respond and recover from cyber risks. The "labeling" process requires independent, third-party auditors to test and confirm the controls we have implemented. Key elements of the program include formal information management policies; employee training and awareness; phishing resiliency campaigns; periodic risk assessments; penetration tests; tabletop exercises; and incident response testing and reviews. We also engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits, cybersecurity maturity assessments or consulting on best practices to address current and new challenges. These evaluations include testing both the design and operational effectiveness of our security controls. We recognize a cybersecurity incident experienced by a supplier or joint venture partner could materially impact us. We assess third-party cybersecurity controls as part of our third-party IT risk due diligence and engage in cybersecurity consultant-led solution design reviews when integrating new tools or third parties. We contractually require third parties to meet specified baseline customary standards of information security and report cybersecurity incidents to us so we can assess the impact of the incident and any necessary regulatory reporting obligations that may be required. Depending on what events may occur, our cybersecurity incident response team is always ready and supported by a 24/7/365 industry leading security operations center. These teams balance following existing protocols with agile response to novel threats. We escalate potentially significant incidents to the Cybersecurity Disclosure Committee and the Audit Committee of the Board of Directors, as outlined in Goodyear's policies and support documents. Our Cybersecurity Disclosure Committee is comprised of senior leadership across multiple functional areas and is responsible for reviewing and evaluating potentially significant cybersecurity incidents and for determining whether any notification or disclosure is required under applicable laws, including federal securities laws. For the year ended December 31, 2025, we did not identify any cybersecurity threats that have materially impacted Goodyear's operations or financial position. Notwithstanding our risk management efforts related to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material or other adverse effect on us in the future. See Item 1A. "Risk Factors" for a discussion of our information technology and cybersecurity risks. Governance The Audit Committee of the Board of Directors is responsible for overseeing the risks associated with information technology and cybersecurity threats, and reports on its activities to the full Board following each committee meeting. Management is responsible for identifying, monitoring and mitigating the material risks facing the Company, including cybersecurity risks. The Audit Committee exercises its risk oversight function by carefully evaluating information and cybersecurity reports they receive from management; assessing the priorities and roadmap of the cybersecurity program; and making inquiries of management with respect to areas of particular interest to the Board. Senior leadership, including our CIO and our Senior Director, Global IT Risk & Security, periodically briefs the Audit Committee on our cybersecurity and information security programs and reviews relevant cybersecurity incidents. Our current CIO has more than two decades of experience in the manufacturing industry and has held multiple executive technology leadership roles at several companies in North America and Asia.

Company Information