TIMKEN CO 10-K Cybersecurity GRC - 2026-02-13

Page last updated on February 13, 2026

TIMKEN CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-13 16:44:35 EST.

Filings

10-K filed on 2026-02-13

TIMKEN CO filed a 10-K at 2026-02-13 16:44:35 EST
Accession Number: 0000098362-26-000012

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Governance Cybersecurity is an integral part of the Company's overall enterprise risk management program. The Company maintains cybersecurity processes designed to detect and assess the severity of cybersecurity threats and incidents and, where applicable and possible, to identify the source of a threat or incident, including, whether it is associated with the use of third-party service providers. The Company's processes also include cybersecurity testing, detection, response, prevention and mitigation strategies, conducting contract and vendor due diligence review, and informing management and the Company's Board of Directors of significant cybersecurity threats and incidents. The Company's cybersecurity team also engages third-party security consultants for penetration testing, training and system enhancements. The Company provides training and education for employees on cybersecurity awareness, including confidential information protection and simulated phishing attacks where appropriate for the employee's role. The Board of Directors has overall oversight responsibility for the Company's risk management function, and primarily relies on the Audit Committee to administer this oversight. With respect to cybersecurity, the Board and Audit Committee are responsible for confirming that the Company's management maintains appropriate cybersecurity policies and has processes in place designed to identify and evaluate cybersecurity risks to which the Company is exposed, to manage cybersecurity risks and to mitigate any cybersecurity incidents. The Director of Information Technology is responsible for identifying, considering and assessing significant cybersecurity risks on an ongoing basis, establishing processes for monitoring and mitigating potential cybersecurity risks, exposures, implementing appropriate mitigation measures and maintaining our cybersecurity program. Both the Director of Information Technology as well as the Company's dedicated personnel, who report to her, are certified and experienced information systems security professionals and information security managers with many years of experience. The Director of Information Technology has progressed through various roles of increasing responsibility in information technology functions since being hired at the Company in 2018. The Director of Information Technology and other members of management report to either the Board of Directors or the Audit Committee at least annually on, among other topics, updates to the Company's cybersecurity program and mitigation strategies, developments in cybersecurity practices generally, and third-party assessments of the Company's cybersecurity program. Management also provides general program updates and industry trends to the Board and Audit Committee on a more ad hoc basis. In 2025, the Company did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, despite our efforts, the Company cannot eliminate all risks from cybersecurity threats, or provide assurances that it has not experienced an undetected cybersecurity incident. For more information about these risks, please refer to Item 1A. Risk Factors - Risks Related to Data Privacy and Cybersecurity in this Annual Report on Form 10-K.

Company Information