Amrize Ltd 10-K Cybersecurity GRC - 2026-02-18

Page last updated on February 18, 2026

Amrize Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-18 16:05:58 EST.

Filings

10-K filed on 2026-02-18

Amrize Ltd filed a 10-K at 2026-02-18 16:05:58 EST
Accession Number: 0002035989-26-000017

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We recognize that effective management of cybersecurity risk is critical to our operations, reputation, and the protection of our stakeholders' interests. Our approach to cybersecurity is integrated into our broader Enterprise Risk Management ("ERM") framework, ensuring that risks from cybersecurity threats are identified, assessed, managed, and monitored at multiple levels across the organization. Our cybersecurity risk management program leverages industry standards and frameworks, including the National Institute of Standards and Technology ("NIST") Cybersecurity Framework, to organize our efforts around the key functions of identify, protect, detect, respond, and recover. We maintain a layered cybersecurity strategy that includes: - Regular risk assessments to identify and evaluate potential threats to our information systems, data, and operational technology. - Comprehensive policies and procedures governing information security, incident response, and the use of technology resources. - Continuous monitoring of our systems for unusual activity or potential incidents, supported by both internal teams and third-party cybersecurity experts. - Employee training and awareness programs , including annual mandatory cybersecurity training, phishing simulations, and specialized training for employees in sensitive roles. - Incident response planning, including tabletop exercises and simulations involving senior management, to validate and improve our response capabilities. - Ongoing investments in security technologies and processes to strengthen our defenses and adapt to the evolving threat landscape. - Third-party risk management , including annual reviews of critical vendors, SOC 1/SOC 2 report evaluations, and additional assessments where necessary. 39 Amrize Ltd We also conduct periodic external penetration tests and maturity assessments to evaluate the effectiveness of our controls and identify areas for improvement. Our incident response plan provides a structured approach to triage, contain, eradicate, recover from, and analyze cybersecurity incidents. To date, we have not experienced a cybersecurity incident that has had, or is reasonably likely to have, a material impact on our business strategy, results of operations, or financial condition. However, we recognize that cybersecurity threats are constantly evolving, and we remain vigilant in our efforts to protect our systems and data. Cybersecurity Governance Our Board of Directors is responsible for overseeing risk management, including cybersecurity. The Board has delegated primary oversight of cybersecurity risk management to the Audit Committee, which is comprised of independent directors with relevant experience. The Audit Committee receives regular updates from management, including our Chief Information Officer ("CIO") and information security leadership, on the status of our cybersecurity program, recent developments, and any significant incidents. Our CIO , who has over 25 years of experience in information technology and cybersecurity, is responsible for the development and implementation of our information security program. The CIO is supported by a dedicated cybersecurity team, which includes internal experts and external advisors. This team is responsible for monitoring threats, managing incident response, and ensuring compliance with our policies and regulatory requirements. We also maintain an Enterprise Risk Management function , which is made up of our Chief Legal Officer, Chief Financial Officer, Chief Information Officer, Chief People Officer, Operation Presidents and Vice President Audit and Controls, among others. This team is responsible for identifying and assessing risks, including those related to cybersecurity, and for recommending mitigation strategies. The team provides regular updates to executive management and the Audit Committee. We view cybersecurity as a shared responsibility across the organization and are committed to fostering a culture of security awareness and continuous improvement.

Company Information