HEXCEL CORP /DE/ 10-K Cybersecurity GRC - 2026-02-11

Page last updated on February 11, 2026

HEXCEL CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-11 15:16:05 EST.

Filings

10-K filed on 2026-02-11

HEXCEL CORP /DE/ filed a 10-K at 2026-02-11 15:16:05 EST
Accession Number: 0001193125-26-046377

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity At Hexcel, we are committed to the security of our products and services, the protection of employee, customer and Company data, and the safeguarding of our manufacturing capability. Our cybersecurity program is led by our Chief Information Officer ("CIO"), who has over 20 years of experience in information technology leadership and 10 years of experience directly overseeing our information security program and holds a Master of Business Administration in technology management . As a part of our cybersecurity program, we have engaged , and in the future may continue to engage, third-party consultants and advisors , including a third-party consultant with extensive experience designing, leading, and maintaining the implementation and assurance frameworks for organizational information, to provide virtual chief information security officer services, including establishing a security architecture, policies, practices, and response capabilities . Our CIO regularly updates senior management on our cybersecurity risk governance and management and the status of ongoing efforts to strengthen cybersecurity effectiveness. Our board of directors views cybersecurity as a strategic priority and therefore shares oversight of management's actions in implementing our overall cybersecurity program, the audit committee of the board of directors. Our CIO reports directly to our board of directors at least twice annually to ensure continued alignment with evolving threats and governance standards. The audit committee of the board of directors also periodically reviews the cybersecurity program as part of its oversight of information technology and cybersecurity risk. As part of our cybersecurity program, we maintain various protections designed to safeguard against cyberattacks, including firewalls, anti-malware, intrusion prevention and detection systems, access controls and other encryption configurations and cybertechnologies, and continuously monitor and audit our information technology and data assets to detect any anomalies and to respond quickly to threats that may arise. We periodically conduct intrusion and penetration testing through third parties to evaluate our cybersecurity response capability . We also regularly conduct employee awareness training on email management (phishing), safe internet browsing, malware, and other cybersecurity risks and routinely communicate with employees about the potential for cybersecurity threats, including the latest adversary trends and social engineering techniques, and how to avoid them through our established communications channels. We have adopted and implemented an approach to identify and mitigate cybersecurity risks within our overall enterprise risk management program that is based on a recognized framework established by the National Institute of Standards and Technology . Additionally, we maintain externally validated Cybersecurity Maturity Model Certification (CMMC) Level 2 certification in compliance with U.S. Department of War requirements. The board of directors is responsible for overseeing management's enterprise risk management program, and receives regular reports on cybersecurity risk identification, monitoring and mitigation from our Chief Financial Officer as part of its review of that program, in addition to the regular reports received from the CIO as part of the board's overall cybersecurity program review and the audit committee's review of information technology and cybersecurity risk. We evaluate the opportunities and threats posed by newly emerging artificial intelligence technologies on an ongoing basis. We utilize artificial intelligence and generative artificial intelligence in our internal defense systems. However, we manage and restrict access to external artificial intelligence tools to prevent and limit the use of Hexcel's data to train artificial intelligence models. As the Company deploys new artificial intelligence capability, we expect to continue to perform security assessments to reduce the risk of embedded malware and to prevent the use of Hexcel's data to train public artificial intelligence models. As part of our cybersecurity risk management, we have established controls and procedures to guide the Company through an active threat or incident to the recovery of normal business, following industry-standard data protection standards. The controls and procedures provide for the identification, notification, escalation, communication, and remediation of cybersecurity incidents to management, including where appropriate the board of directors, so that decisions regarding the public disclosure and reporting of such incidents can be made in a timely manner. We maintain an Executive Cyber Response Team composed of senior leaders across various functions, including our CIO, Chief Legal Officer, Chief Accounting Officer and Vice President of Communications. The Executive Cyber Response Team is trained and experienced in managing cybersecurity incidents and meets regularly to practice and refine our processes for incident response , management and escalation through tabletop exercises simulating cyberattacks administered by a legal advisor with extensive experience in cyber investigations, cyber threats and cyber-enabled frauds. The results 23 of such exercises are then reported to management and our board of directors. The third-party legal advisor also assesses and advises on our overall cybersecurity program , reports to our board of directors on a periodic basis and is engaged to provide support in the event an attack or other intrusion were to be successful. Furthermore, as part of our cybersecurity management, we are committed to strong third-party risk management. We impose cybersecurity requirements on, and actively and routinely address cybersecurity capabilities with our top-tier suppliers and have implemented cybersecurity requirements in our standard supplier contract terms, as well as our Supplier Code of Conduct, to address cybersecurity risk. Additionally, we validate cybersecurity practices of key suppliers as may be necessary to comply with applicable regulations or flow-down requirements from our customers. The Company maintains disaster recovery plans for key applications and site-specific incident response plans, as well as a cybersecurity and related insurance policies as a measure of added protection. While the Company faces a number of cybersecurity risks in connection with its business, as of the date of this report, the Company is not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. However, there can be no assurance that the Company, or its third-party service providers, will not experience a cybersecurity threat or incident in the future that could have a material adverse effect on the Company, including its business strategy, results of operations, or financial condition. For further discussion of the risks related to cybersecurity, see the risk factors discussed under Item 1A. "Risk Factors" in this report. 24

Company Information