MERCER INTERNATIONAL INC. 10-K Cybersecurity GRC - 2026-02-12

Page last updated on February 12, 2026

MERCER INTERNATIONAL INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-12 16:33:41 EST.

Filings

10-K filed on 2026-02-12

MERCER INTERNATIONAL INC. filed a 10-K at 2026-02-12 16:33:41 EST
Accession Number: 0001193125-26-048855

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We maintain comprehensive programs and technologies to ensure that our information systems are effective and prepared for data privacy and cybersecurity risks, including regular oversight of our security programs for monitoring internal and external threats to ensure the confidentiality and privacy of our data. As the volume and complexity of cyberattacks continue to evolve, we remain committed to enhancing our security capabilities by continued investments in cyber technologies and developing our internal cybersecurity personnel, educating our workforce, and leveraging emerging technologies. Risk Management and Strategies We regularly perform evaluations of our security program and continue to implement controls aligned with industry guidelines to identify threats, detect attacks and protect data. Our risk management strategy is ( 46 ) focused on three areas: (i) technology, being our hardware and software systems; (ii) processes, being our cybersecurity reporting, testing and other processes; and (iii) people, which refers to our internal cybersecurity personnel, external service providers and individual training and human interaction within our information technology and cybersecurity processes. We seek to align our cybersecurity program with practices recommended under ISO 27001 and by the National Institute of Standards and Technology and the Center for Internet Security Critical Security Controls. We leverage third-party risk intelligence for continuous monitoring and objective assessment of key third-party information technology service providers, which informs our overall cybersecurity risk oversight and control environment. We continue to seek to enhance our vendor onboarding and oversight controls, including contractual requirements and a risk-tiered approach to vendor review. We periodically undertake cybersecurity audits or other independent assessments, the results of which are reported to our Audit Committee. We have also implemented security monitoring programs designed to alert us of any suspicious activity and have developed an incident response program in the event of a security breach. We have also engaged a third-party vendor to, among other things, provide continuous monitoring and respond to cybersecurity events. We implement various training programs periodically to ensure that our employees and other personnel comply with internal processes and to enhance their cybersecurity awareness. Additionally, we have engaged third-party providers to supplement our response capabilities for both informational and operational technology incidents, as needed. As of the date of this filing, we have not identified any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, there can be no assurance that we, or our third-party partners or service providers, will not experience a cybersecurity threat or incident in the future that could materially adversely affect our business strategy, results of operations, or financial condition. While the cybersecurity programs described herein fully encompass our information technology infrastructure, we recognize the unique requirements of our operational technology environments. Accordingly, we are executing targeted initiatives to further harmonize our operational technology security strategy with established information technology standards, implementing commensurate controls where technically feasible to ensure a unified and robust enterprise security framework. For further discussion of the risks related to cybersecurity, see also Item 1A. "Risk Factors - Risks Related to our Business - Failures or security breaches of our information technology systems could disrupt our operations and negatively impact our business". Governance Our board of directors oversees our risk management processes and has tasked our Audit Committee with oversight of our cybersecurity and information governance, including periodically reviewing and discussing with management our risk exposures relating to data privacy and cybersecurity, and reviewing the steps we have taken to identify, assess, monitor, mitigate and manage such exposure and cybersecurity risks. At the management level, our Director of Cybersecurity is responsible for overseeing our cybersecurity processes and risk management, working together with our Chief Information Officer to implement our cybersecurity initiatives. Our Audit Committee and management meet with the Board on a quarterly basis to provide updates on cybersecurity risks, material cyberattacks and security incidents as they occur, as well as to promote company-wide cyber risk and security awareness. Additionally, our Chief Information Officer and Director of Cybersecurity meet periodically with the Board or the Audit Committee to brief them on technology and information security matters. Our Director of Cybersecurity is informed of cybersecurity incidents by applicable personnel, and oversees ( 47 ) remediation efforts in accordance with our policies and processes. Our Chief Information Officer reports to our Audit Committee on significant incidents periodically. Our Chief Information Officer has over 30 years of technology leadership experience and is, among other things, a Certified Information Systems Security Professional and a Certified Secure Infrastructure Specialist. Our Director of Cybersecurity has over 25 years of experience as a cybersecurity and information technology professional. He has held various leadership positions where he developed, managed and implemented security programs and controls. He also holds, among other information technology certifications, the Certified Information Systems Security Professional designation.

Company Information