Coca-Cola Consolidated, Inc. 10-K Cybersecurity GRC - 2026-02-18

Page last updated on February 18, 2026

Coca-Cola Consolidated, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-18 16:17:15 EST.

Filings

10-K filed on 2026-02-18

Coca-Cola Consolidated, Inc. filed a 10-K at 2026-02-18 16:17:15 EST
Accession Number: 0001628280-26-009057

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy The Company's Cybersecurity team maintains a cybersecurity program designed to assess, identify and manage material risks from cybersecurity threats and to protect against, detect, respond to and recover from cybersecurity incidents. The Company's cybersecurity processes are integrated into the overall risk management program. The Company reviews and updates a Cybersecurity Incident Response Plan at least annually, which documents the intended processes and the roles and responsibilities of teammates involved in managing cybersecurity threats and incidents. Third parties are engaged to assist with the assessment and ongoing development of the cybersecurity processes and program. The cybersecurity program is grounded in the National Institute of Standards and Technology Cybersecurity Framework. Key elements of the risk management approach include risk assessments of systems and applications to identify risks, vulnerabilities and threats. Incident response exercises, including tabletop exercises, are conducted to evaluate and improve incident response processes. Cybersecurity awareness training and phishing exercises are conducted, and all teammates are required to complete such training. Continuous monitoring of the Operational Technology and Information Technology environment is conducted, including proactive threat hunting for indicators of potential cybersecurity events, through processes designed to capture application, system and network alerts for review and escalation, as appropriate. In the event of a cybersecurity incident, the Company's Cyber Incident Response Team (the "CIRT"), led by a designated Cyber Incident Coordinator (the "CIC"), is responsible for coordinating investigation and response activities, including collecting and analyzing relevant information about the incident and its potential business impact. Members of the CIRT, including the CIC, are selected based on knowledge of cybersecurity and/or the information systems or business functions implicated by the incident. The CIRT uses incident response strategies intended to help collect and preserve relevant forensic data, mitigate the impact of the incident and restore systems to normal operation. These strategies include practices recommended by the United States Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team. For significant cybersecurity incidents, external experts in relevant fields, such as legal counsel, forensic specialists or other advisors may be engaged, as appropriate. Cybersecurity risks can arise from third-party relationships, including vendors, service providers and other partners. Processes and technologies are utilized to help oversee and identify cybersecurity risks associated with third-party service providers. As part of those processes, the Vice President and Chief Technology Officer meets with and assesses third-party service providers to help ensure the 17 Company is made aware of potentially material cybersecurity threats or incidents in a timely manner. The Company's largest external service provider is CONA, as further discussed in "Item 1A. Risk Factors" of this report. During 2025, the Company did not identify cybersecurity incidents or risks from cybersecurity threats that had, or were reasonably likely to have, a material effect on our business strategy, results of operations or financial condition. While we maintain cybersecurity insurance, the costs related to cybersecurity incidents or disruptions may not be fully insured. See "Item 1A. Risk Factors" for a discussion of cybersecurity risks. Governance The Company's cybersecurity program is led by the Senior Director, Information Technology Security, who reports to the Vice President and Chief Technology Officer. The Senior Director, Information Technology Security holds a Bachelor of Science in Information Systems and obtained a Graduate Certificate in Cybersecurity. The Senior Director, Information Technology Security and the Vice President and Chief Technology Officer have a combined 25 years of experience in information technology security and over 25 years with the Company. They are familiar with the Company's cybersecurity landscape, risks and best practices for mitigation of those risks identified. The Senior Director, Information Technology Security is responsible for establishing and maintaining core cybersecurity policies and procedures and for designating the CIC and selecting members of the CIRT to lead response efforts for cybersecurity incidents. The CIRT is responsible for executing incident response activities in accordance with established policies and procedures. The internal assessment matrix is leveraged to evaluate the severity of cybersecurity incidents and to support escalation decisions. The Senior Director, Information Technology Security, with input from the CIRT, determines whether an incident should be escalated to executive management (including the Chief Operating Officer, the Chief Financial Officer, the Chief Legal and Administrative Officer and the Company's Data Governance Committee) based on severity and potential business impact. Executive management determines the incident handling strategy, with input from the Senior Director, Information Technology Security, including whether notification to the Audit Committee of the Board of Directors is warranted. The CIC provides regular updates to executive management regarding response progress and the evolving risk profile until the incident is resolved. The Board of Directors delegates oversight of information technology and cybersecurity matters to the Audit Committee. As part of this oversight, information technology leadership provides an annual detailed cybersecurity update to the Audit Committee . In addition, the Audit Committee receives quarterly cybersecurity updates, which may include summaries of program activities and key risk indicators, such as phishing testing results and the results of quarterly cybersecurity disclosure questionnaires. In the event of a material cybersecurity incident, the Audit Committee will report such incident to the full Board of Directors.

Company Information