Archer-Daniels-Midland Co 10-K Cybersecurity GRC - 2026-02-17

Page last updated on February 17, 2026

Archer-Daniels-Midland Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-17 16:02:09 EST.

Filings

10-K filed on 2026-02-17

Archer-Daniels-Midland Co filed a 10-K at 2026-02-17 16:02:09 EST
Accession Number: 0000007084-26-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Risk Management and Strategy The Company faces significant and persistent cybersecurity risks due to: the breadth of geographies, networks, and systems ADM must defend against cybersecurity attacks, such as exploitation of vulnerabilities, ransomware, denial of service, supply chain attacks, or other similar threats; the attractiveness of the Company's systems and processes to threat actors (including state-sponsored organizations) seeking to inflict harm on ADM or its customers; the substantial level of harm that could occur to the Company and its customers in case of a material cybersecurity incident; and ADM's use of third-party products, services and components. ADM is committed to supporting the governance and oversight of cybersecurity risks and to implementing mechanisms, controls, technologies, and processes designed to help the Company assess, identify, and manage these risks. To date, the Company has not identified risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. However, the Company is subject to ongoing risks from cybersecurity threats that could materially affect the Company, including its business strategy, results of operations, or financial condition, as further described in Item 1A. Risk Factors. Cybersecurity risks are included in the risk universe that the Company's Enterprise Risk Management (ERM) function evaluates, with input from information security subject matter experts at the Company, to assess top risks to the enterprise. The ERM process provides input into our strategic planning process, such as development of action plans to address and mitigate identified risks. Integrating cybersecurity risk into the overall ERM process in this manner assists the Company in identifying, assessing, and managing material cybersecurity risks. The Company has a dedicated cybersecurity team that collaborates with compliance, privacy, legal, and other teams across the global organization to assess the risk landscape. ADM's cybersecurity program is designed to be aligned with applicable industry standards and is assessed regularly by independent third-party auditors. The multifaceted nature of the Company's cybersecurity measures includes aspects of prevention, detection, and response capabilities, employee training programs, threat intelligence monitoring, and the implementation of an array of technologies. The Company has established processes to oversee and identify cybersecurity risks associated with the use of third-party service providers, which include the completion of due diligence before engaging with any third party, controls for response to mitigate any significant risks, and assessments and reviews during the course of the relationship. Additionally, the Company has ongoing partnerships with government and commercial cybersecurity experts to understand emerging cybersecurity threats. ARCHER-DANIELS-MIDLAND COMPANY PART I The Company has seen an increase in cyberattack volume, frequency, and sophistication. ADM seeks to detect and investigate unauthorized attempts and attacks against its network, products, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to the Company's internal processes and tools; however, ADM remains potentially vulnerable to known or unknown threats. The Company's cyber incident response plan includes an escalation process if a cybersecurity incident meets specific rating criteria to trigger swift and effective action designed to minimize potential disruptions and protect the integrity of our operations. The Company also conducts periodic cybersecurity scenarios with senior management to enhance preparedness. Governance The Board of Directors has oversight of cybersecurity risk as part of the ERM program. The Board of Directors is assisted by the Sustainability and Technology Committee, which regularly reviews the cybersecurity program with management and reports to the Board of Directors. The Board is also assisted by the Audit Committee in its oversight of the Company's ERM program. Cybersecurity reviews by the Sustainability and Technology Committee or the Board of Directors generally occur quarterly, or more frequently as determined to be necessary or advisable. In recent years, the Board added a director who had previously served as the Chief Information Officer for a large public company with complex information security requirements to enhance the Board's and Sustainability and Technology Committee's oversight of cybersecurity risks. The Company's cybersecurity program is led by the Chief Information Security Officer (CISO) , who reports to the Senior Vice President and Chief Information and Digital Officer (CIDO). The CISO monitors the Company's prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the information security team, many of whom hold cybersecurity certifications in Information Systems Security or Information Security Management, and through the use of technological tools and software and results from third party audits. Additionally, the CISO directs the Company's Global Information and Cyber Security Council (the "Council"), which includes representatives from key functions such as global technology, compliance, privacy, controlling, operations, security, automation, ERM, and internal audit. The Council promotes alignment and communication of new and ongoing cybersecurity prevention techniques and provides a forum for staying current on the latest cybersecurity threats. The CISO and CIDO report information about such risks to the Board of Directors, the Sustainability and Technology Committee, or the Audit Committee during the regular cybersecurity reviews. The CISO and CIDO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. The CISO has served in that position since 2018 and was previously the Vice President, Head of Enterprise Security, Americas at Worldpay and a Security Principal/Strategist for Hewlett Packard Enterprises for a combined 20 years of cybersecurity experience. The CIDO joined the Company effective January 14, 2026, replacing the Company's former Chief Technology Officer. Prior to joining ADM, the CIDO served as the Chief Information Technology and Data Officer for the Americas & Global Sales Technology at Danone for approximately six years, and, prior to Danone, held senior IT and data leadership roles at Gillette, Procter & Gamble and Nike since 2007. Through these roles, the CIDO has extensive experience overseeing, managing, and working on cybersecurity programs. ARCHER-DANIELS-MIDLAND COMPANY PART I

Company Information