Page last updated on February 11, 2026
WHIRLPOOL CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-11 16:23:28 EST.
Filings
10-K filed on 2026-02-11
WHIRLPOOL CORP /DE/ filed a 10-K at 2026-02-11 16:23:28 EST
Accession Number: 0000106640-26-000009
Item 1C. Cybersecurity.
Information Security Risk Management and Strategy
Our Board is responsible for monitoring the Company's key risks and overseeing the risk management structure and programs implemented by management. At meetings throughout the year, the Board receives updates from business unit and functional leaders regarding significant risks and challenges within their areas of responsibility and associated mitigation plans and strategies. The Chief Financial Officer is responsible for the Company's enterprise risk management (ERM) system, which helps to effectively manage enterprise risks. Our ERM processes systematically identify, assess, mitigate and monitor enterprise risks, whether strategic, financial, non-financial, operational, compliance or reporting. As part of our risk management processes, we perform risk assessments in which we map and prioritize information security risks identified through the processes described above, including risks associated with our use of third-party service providers, based on probability, immediacy and potential magnitude. Our centralized third-party security risk management program is established to proactively assess and mitigate cybersecurity risks across our vendor and supplier ecosystem. This comprehensive governance framework mandates formal procurement due-diligence for all new vendors and requires periodic security reassessment for existing vendors. We utilize a standardized decision framework and a structured security questionnaire, administered through an enterprise risk management platform, to evaluate vendor controls. This disciplined approach supports consistent oversight, risk-based decision-making and the protection of the Company's sensitive information assets. These assessments inform our risk mitigation strategies, which are reviewed regularly with the Board and management, and we view information security risks as one of the key risk categories we face.
For example, our information technology and infrastructure has experienced and may in the future be vulnerable to cyberattacks (including ransomware attacks) or security incidents, and third parties have in the past and may in the future be able to access proprietary business information, Personally Identifiable Information (PII), or Payment Card (PCI) data that we collect, store and process. For more information regarding the information security-related risks we face, see the information in "Part I, Item 1A: Risk Factors" under the caption "We have been and may be subject to information technology system failures, cloud failures, network disruptions, cybersecurity attacks and breaches in data security, which may materially adversely affect our operations, financial condition and operating results". Our risk mitigation process assesses, prioritizes, and monitors information security risks and vulnerabilities and focuses on embedment of risk mitigation efforts across our business. Among other things, our internal experts regularly conduct audits and tests of our information systems and our cybersecurity program, which is in line with the NIST Cybersecurity Framework, is periodically assisted by established, independent third party consultants, who provide assistance through tabletop and other preparedness exercises. We also review information security threat information published by government entities and other organizations in which we participate and actively engage with suppliers, industry associations, key thought leaders and law enforcement communities as part of our continuous efforts to evaluate and enhance the effectiveness of our cybersecurity program. In 2022, we launched and required all salaried employees to complete a mandatory Global Cybersecurity and Privacy training, covering information security, end-user security policies, breach response, remote working, phishing and email security and digital threats. 
The training content is reassessed and refreshed each year to reflect evolving risks. Additionally, we maintain regular cyber awareness on our Company portal and conduct ongoing simulated phishing exercises. We use the findings from these and other processes to improve our information security practices, procedures and technologies. In 2023, we implemented additional management governance through the creation of a Cybersecurity, Privacy and AI Steering Committee, which meets periodically to review information security risks and drive the appropriate management and mitigation of vulnerabilities. In addition, we maintain insurance to protect against potential losses arising from an information security incident.
While we have not yet experienced any material impacts from a cyber attack, any one or more future cyber attacks could materially adversely impact the Company, including a loss of trust among our customers and consumers, departures of key employees, general diminishment of our global reputation and financial losses from remediation actions, loss of business or potential litigation or regulatory liability. The use of AI technologies could lead to the unauthorized disclosure of sensitive, proprietary, or confidential information, inadvertent infringement of intellectual property owned by third parties, and could lead to new potential cyberattack methods for third parties. Further, evolving market dynamics are increasingly driving heightened cybersecurity protections and mandating cybersecurity standards for our products, and we may incur additional costs to address these increased risks and to comply with such demands. As part of our overall risk mitigation strategy, we maintain insurance coverage that is intended to address certain aspects of cybersecurity risks; however, such insurance may not be sufficient in type or amount to cover us against claims related to cybersecurity breaches, cyberattacks and other related breaches.
We periodically review our cybersecurity insurance program. In addition to the risk management processes identified above, Whirlpool also maintains active knowledge security and data privacy programs. Leveraging policies and governance, ongoing training and awareness as well as strong controls and systems-based approaches, these programs focus on protecting Whirlpool confidential information and compliance with applicable data privacy and data protection laws in all countries where we do business.
Information Security Governance and Oversight
Our risk management process and information security risk mitigation framework enables our Board and management to establish a mutual understanding of the effectiveness of our information security risk management practices and capabilities, including the division of responsibilities for reviewing our information security risk exposure and risk tolerance, tracking emerging information risks and facilitating proper escalation of certain key risks for periodic review by the Board and its committees. As part of its broader risk oversight activities, the Board oversees risks from information security threats, both directly and through the Audit Committee of the Board (the "Audit Committee"). As reflected in its charter, the Audit Committee assists the Board in its oversight of risk by periodically reviewing policies and guidelines with respect to risk assessment and risk management, including management reports on our processes to manage and report risks. As another element of its risk oversight activities, the Audit Committee receives reports quarterly from our Global Chief Information Officer ("CIO") and Global Chief Information Security Officer ("CISO") on the execution and effectiveness of our cybersecurity and privacy program, cybersecurity incidents, cyber resilience metrics and the global threat landscape.
The Audit Committee also oversees our internal control over financial reporting, including with respect to financial reporting-related information systems. Our CISO, who manages our cybersecurity program, reports to our CIO regularly on how certain information security risks are being managed and progress towards agreed mitigation goals, as well as any potential material risks from cybersecurity threats. The CIO and CISO discuss these matters with our Audit Committee, which reports to the Board on the substance of its reviews and discussions. In addition to these discussions, each year our CIO and CISO present to our Board on cybersecurity related trends and program updates. Our CIO and CISO are also responsible for prioritizing risk mitigation activities and developing a culture of risk-aware practices with strong support from management. Our CISO has approximately 20 years of experience in cybersecurity operations and holds CISSP and CISM certifications. Our CIO has over 20 years' experience in cybersecurity roles and holds CISSP, CISM, CGEIT, CDSPSE and PMP certifications. The day-to-day monitoring, identification, and assessment of information security risks and incident response functions are managed centrally by our core cyber incident response team (the "CIRT"), which operationalizes our Cyber Incident Response Plan (the "Plan"). The Plan includes processes to triage, assess severity of, escalate, contain, investigate and remediate information security incidents, including those associated with our third-party service providers, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. Under the Plan, the CIRT may escalate matters as necessary to our CISO and CIO, Chief Legal Officer, and other senior leadership, depending on the severity classification of the incident.
In addition to the ordinary-course Board and Audit Committee reporting and oversight described above, we also maintain disclosure controls and procedures designed for prompt reporting to the Board and timely public disclosure, as appropriate, of material events covered by our risk management framework, including information security risks.
Company Information
| Name | WHIRLPOOL CORP /DE/ |
| CIK | 0000106640 |
| SIC Description | Household Appliances |
| Ticker | WHR - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |