PHINIA INC. 10-K Cybersecurity GRC - 2026-02-12

Page last updated on February 12, 2026

PHINIA INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-12 12:06:32 EST.

Filings

10-K filed on 2026-02-12

PHINIA INC. filed a 10-K at 2026-02-12 12:06:32 EST
Accession Number: 0001968915-26-000023


Item 1C. Cybersecurity.

Risk Management and Strategy

As part of our overall risk management program, we describe below the processes used to assess, identify, and manage material risks from cybersecurity threats, including how these processes are used to manage cybersecurity risks through our Enterprise Risk Management (ERM) program and for reporting to management and our Board of Directors (the Board). For a description of cybersecurity risks relevant to our business, see Item 1A, "Risk Factors."

The Company generally approaches cybersecurity threats through a cross-functional, multilayered approach, with the goals of: (i) identifying, preventing and mitigating cybersecurity threats to the Company; (ii) preserving the confidentiality, security and availability of the information we collect and store for use in operating our business; (iii) protecting the Company's intellectual property; (iv) maintaining the confidence of our customers, suppliers, other business partners and employees; and (v) providing appropriate disclosure of cybersecurity risks and incidents when required.

Our cybersecurity and data protection policies, processes and strategies are informed by regulatory and business requirements, our prior experience addressing cybersecurity attacks and incidents (including with our former affiliates), industry practices and standards, and are periodically adjusted based on the results of assessments conducted through our ERM practices, third-party audits and independent reviews, tabletop exercises, and other processes. Our cybersecurity policies, processes and strategies focus on the following areas:

- Surveillance and Monitoring. The Company maintains 24/7 cybersecurity threat surveillance in conjunction with a managed security service that monitors system logs and network traffic for indicators of compromise and other suspicious activity, and conducts monthly external vulnerability assessments and annual penetration testing.
- System Safeguards. The Company deploys system safeguards that are designed to protect the Company's technology systems and infrastructure from cybersecurity threats, including early detection and response antivirus tools, data leak prevention tools and systems, vulnerability scans of data centers, firewalls, anti-malware functionality and access controls, and programs to support remediation, replacement or isolation of systems that have reached, or are expected to reach, end of security life.
- Third-Party Collaboration. The Company utilizes collaboration mechanisms established with public and private entities, including intelligence and enforcement agencies, industry groups, and third-party service providers, to identify, assess and respond to cybersecurity risks.
- Third-Party Risk Management. The Company maintains processes designed to identify and oversee material risks from cybersecurity threats associated with third-party users of the Company's technology systems and data, as well as third-party service providers' systems used by the Company.
- Training. The Company requires personnel, including new hires, to complete training regarding cybersecurity threats (including phishing, business email compromise and other schemes or attacks that use social engineering, and new disruptors, such as artificial intelligence), incident and threat reporting procedures, data protection and acceptable use of our technology systems.
- Incident Response Planning. The Company maintains a cybersecurity incident response plan that outlines an organized and timely approach for responding to and handling cybersecurity incidents affecting the Company's technology systems or data, including intrusions or incidents involving data from a third party.

A key part of the Company's strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of the Company's policies, processes and strategies through audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity controls and oversight and identifying potential opportunities for enhancements. Third-party audits and independent reviews of our cybersecurity measures, information security control environment and operating effectiveness are conducted on at least an annual basis.

As a global company, we have experienced cybersecurity attacks and incidents in the past, and we could in the future experience similar attacks. To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company and are not reasonably likely to materially affect our business strategy, results of operations, or financial condition.

Governance

The Board, in coordination with the Audit Committee, oversees risks from cybersecurity threats and the Company's processes for assessing and managing cybersecurity risks. The Board receives updates from management regarding cybersecurity risks and the Company's processes in connection with its oversight of the Company's ERM program and risk management practices. The Board also receives updates from the Chief Information Officer (CIO) regarding the Company's technology systems and infrastructure in connection with its general oversight of the execution and development of key strategies and initiatives. The Audit Committee receives updates from the CIO, supported by the cybersecurity team, including regarding (i) management's monitoring, assessment and management of cybersecurity risks, (ii) the Company's strategies and processes for prevention, detection, mitigation, and remediation, and (iii) recent developments, trends and the general threat environment. Updates to the Board or Audit Committee occur on at least a quarterly basis.

The Company's cybersecurity team, led by our CIO, oversees the Company's cybersecurity and data security operations, programs, policies and processes and their general effectiveness. Our CIO directly oversees the broader cybersecurity team while the Company actively searches for a Chief Information Security Officer due to a recent vacancy in the position. The cybersecurity team, in coordination with other Incident Response Team members, works collaboratively across the Company to implement a program designed to protect the Company's technology systems from cybersecurity threats and to promptly respond to cybersecurity incidents.

The Company's Incident Response Team consists of our CIO and other senior leaders from the Company's cybersecurity (composed of information security and technology operations), compliance, legal, financial reporting and other key business and corporate functions. The CIO and other Incident Response Team members monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in accordance with the incident response plan. The team is also responsible for informing and coordinating with the Company's Disclosure Committee in timely reporting such incidents, as appropriate and depending on the severity of the incident, and facilitating updates to the Strategy Board (consisting of our CEO, Chief Financial Officer (CFO), General Counsel, CIO and other members of management), Audit Committee and Board regarding such incidents until addressed.

We have experienced leaders responsible for managing and overseeing risks arising from cybersecurity threats. Our CIO reports to the CEO and has significant experience serving in various roles in technology and information security, including CIO of Gentherm Incorporated immediately prior to joining the Company, where he oversaw Gentherm's cybersecurity program. In addition, the Company's CEO, CFO and General Counsel each have experience overseeing the management of cybersecurity and other risks similar to those impacting the Company's business.


Company Information

Name: PHINIA INC.
CIK: 0001968915
SIC Description: Motor Vehicle Parts & Accessories
Ticker: PHIN - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31