Page last updated on February 12, 2026
BAXTER INTERNATIONAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-12 16:46:04 EST.
Filings
10-K filed on 2026-02-12
BAXTER INTERNATIONAL INC filed a 10-K at 2026-02-12 16:46:04 EST
Accession Number: 0001628280-26-007733
Item 1C. Cybersecurity.
We assess, identify and manage risks from cybersecurity threats through our Global Cybersecurity and Compliance Program (Cybersecurity Program). Cybersecurity risks identified in the Cybersecurity Program are integrated into our Enterprise Risk Management Program. In addition, the Cybersecurity Program seeks to incorporate consideration of cybersecurity risk into our product development, business strategy, financial planning and capital allocation decisions. The Cybersecurity Program is currently overseen by the Board of Directors (Board) and is managed by our Chief Information Officer (CIO), who is currently serving as our interim Chief Information Security Officer (CISO) while we complete the search for a permanent CISO. The CISO's organization is responsible for cybersecurity strategy, policy, standards, risk-management architectures, and processes for the security of our corporate and manufacturing enterprise network, information assets and medical device technologies. Additionally, this organization provides governance and guidance related to secure-by-design principles and secure development practices for medical technologies. Our CIO has over 30 years of experience in information technology and has served in a number of professional services leadership roles, including as CIO over the past 15 years at three companies. The CISO's organization monitors and manages, and works to identify and assess, cybersecurity risk through various technologies, resources, processes and policies that are updated as necessary to align with the changing threat landscape, our evolving business needs as well as global regulatory requirements. In addition, from time to time, we also utilize external auditors, assessors, and pen-testers to help evaluate the maturity of our Cybersecurity Program, including conducting penetration testing and vulnerability, risk, and maturity assessments.
We also actively engage with industry experts, regulatory agencies, advocacy groups, industry peers, intelligence, and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our Cybersecurity Program and to stay abreast of the emerging cybersecurity landscape. We use a range of defenses to help protect against cybersecurity threats and to work to secure our assets, reduce the time it takes to detect a cybersecurity threat and improve our recoverability capabilities. These defenses include the ongoing monitoring of our systems (including with the assistance of third-party vendors), conducting response and recovery exercises with employees and senior management (including our executive officers) to promote awareness of related matters and improve internal processes, and engaging with external cybersecurity rating agencies that assess our cyber risk. In addition, to help promote privacy and security awareness throughout the company, the CISO's organization maintains a Cyber Awareness and Engagement Program. As part of this program, all stakeholders (including Baxter employees and contractors) with a Baxter email address receive annual training on the recognition and prevention of cybersecurity threats as well as training on how to report suspicious activity or potential breaches through the appropriate channels. Our Cyber Awareness team communicates cybersecurity best practices to our employees through internal communications, including the company intranet, newsletters, and global virtual seminars, and also hosts ongoing cybersecurity awareness campaigns, including phishing simulations. Further, our Third-Party Risk Management Program utilizes a managed service that uses a standard framework to help identify, assess, and monitor potential cybersecurity risks posed by third parties. 
Third-party cybersecurity risks (including reputational ones) are assessed by evaluating the third party's security practices (including those associated with data protection), compliance with applicable regulations and planning associated with business continuity and incident detection and response. The Cybersecurity Program and the CISO's organization maintain a cybersecurity governance and oversight framework that seeks to drive accountability for all levels of employees, including senior management and executive officers. Cybersecurity matters are generally managed by a combination of working groups, the cybersecurity compliance committee and ultimately the cybersecurity executive oversight committee, as appropriate. Our cross functional cybersecurity compliance committee is led by the CISO, is composed of members of senior management, including the CIO, and reviews matters such as cybersecurity escalations, critical remediations, and disclosure recommendations. The output from the cybersecurity compliance committee meetings is discussed at meetings of Baxter's cybersecurity executive oversight committee, which is also led by the CISO's organization and includes the CEO, other members of the CEO's executive management including the CIO, Chief Financial Officer and General Counsel. The Board oversees information technology functions generally, including product related cybersecurity matters as well as our use of artificial intelligence (whether internally or in our products and services). The Audit Committee of the Board is responsible for the oversight of certain significant cybersecurity incidents, including ones related to our products and services, and, in the event of a significant cybersecurity incident, receives related updates from management on those incidents.
Consistent with this oversight responsibility, the Audit Committee is responsible for reviewing proposed disclosures in connection with any material cybersecurity incident consistent with our disclosure obligations under Item 1.05 of Form 8-K. The full Board receives periodic updates on information technology and cybersecurity matters from management (including the CIO and CISO) and external advisors from time to time, and the Audit Committee receives periodic updates (including as part of continuing director education) on the evolving cybersecurity and artificial intelligence landscapes and regulatory reporting requirements. We maintain and annually update a Cybersecurity Incident Response Plan, which is a guide for our Cyber Security Incident Response Team and business to respond to cybersecurity incidents in a coordinated manner. Additionally, we, in partnership with a third-party consultant, facilitate periodic cyber-crisis tabletop exercises with members of senior management (including our executive officers) to help us prepare for the occurrence of a significant cybersecurity event and our related response activities. Cybersecurity risks and threats, including any previous cybersecurity incidents, have not materially impacted us or our operations to date. However, we cannot provide any assurance that we will not be subject to a material cybersecurity incident in the future. See "Risks Relating to Our Operations-We may experience breaches and breakdowns affecting our information technology systems or protected information, including from obsolescence, cyber security breaches and data leakage" in Item 1A. Risk Factors of this Annual Report on Form 10-K for a discussion of cybersecurity-related risks.
Company Information
| Name | BAXTER INTERNATIONAL INC |
| CIK | 0000010456 |
| SIC Description | Surgical & Medical Instruments & Apparatus |
| Ticker | BAX - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |